Kingdom: Code Quality

Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.

Unreleased Resource: Android SQLite Database

Abstract
An Android activity fails to release the Android database handler in its onPause(), onStop(), or onDestroy() event handlers.
Explanation
The Android activity maintains an Android SQLite database handler that is not closed in onPause(), onStop(), or onDestroy() callback. The Android OS invokes these callbacks whenever it needs to send the current activity to the background, or when it needs to temporarily destroy the activity when system resources are low. By failing to close the database properly, the activity can potentially exhaust the device of available cursors if the activity is constantly restarted. In addition, depending on the implementation, the Android operating system can also throws DatabaseObjectNotClosedException, which crashes the application if the exception is not caught.

Example 1: The following code describes an Android activity that caches user data and writes the data to disk when the activity is stopped. Note that does not override the base onPause(), which should be used to release the database object, nor does it properly release it during its shutdown sequence.


public class MyDBHelper extends SQLiteOpenHelper {
  ...
}

public class UnreleasedDBActivity extends Activity {
  private myDBHelper dbHelper;
  private SQLiteDatabase db;

  @Override
  public void onCreate(Bundle state) {
      ...
      db = dbHelper.getWritableDatabase();
      ...
  }

  @Override
  public void onRestart() {
      ...
  }

  @Override
  public void onStop() {
      db.insert(cached_data);     // flush cached data
  }
}
References
[1] Data Storage, Android Developers
[2] FIO04-J. Release resources when they are no longer needed CERT
[3] DOS-2: Release resources in all cases Oracle
[4] Standards Mapping - Common Weakness Enumeration CWE ID 619, CWE ID 772
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[20] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[44] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.structural.java.unreleased_resource_android_sqlite_database