Kingdom: Code Quality

Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.

Unreleased Resource: Android Media

Abstract
An Android activity fails to release the MediaRecorder, MediaPlayer, or AudioRecord object in its onPause(), onStop(), or onDestroy() event handlers.
Explanation
The Android activity allocates a media object that is not released in onPause(), onStop(), or onDestroy() callback. The Android OS invokes these callbacks whenever it needs to send the current activity to the background, or when it needs to temporarily destroy the activity when system resources are low. By failing to release the media object properly, the activity causes subsequent accesses to Android's media hardware (by other applications or even the same application) to fall back to the software implementations, or even fail altogether. Leaving too many unreleased media instances open can lead Android to throw exceptions, effectively causing a denial of service. Furthermore, maintaining possession of the media instance while the activity is paused can negatively impact the user's experience by unnecessarily draining the battery.

Example 1: The following code describes an Android activity that does not override the base onPause() method, which should be used to release the media object, nor does it properly release it during its shutdown sequence.


public class UnreleasedMediaActivity extends Activity {
  private MediaPlayer mp;

  @Override
  public void onCreate(Bundle state) {
      ...
  }

  @Override
  public void onRestart() {
      ...
  }

  @Override
  public void onStop() {
      mp.stop();
  }
}
References
[1] Media Player, Android Developers
[2] Audio Capture, Android Developers
[3] FIO04-J. Release resources when they are no longer needed CERT
[4] DOS-2: Release resources in all cases Oracle
[5] Standards Mapping - Common Weakness Enumeration CWE ID 772
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[10] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[21] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.structural.java.unreleased_resource_android_media