Reino: Code Quality

Una mala calidad del código lleva a un comportamiento no predecible. Desde la perspectiva de un usuario, muchas veces también supone una usabilidad limitada. Pero para un atacante es una oportunidad para atacar al sistema de formas insospechadas.

Unreleased Resource: Android Camera

Java/JSP

Abstract

Una actividad de Android no puede liberar la instancia de Camera en los controladores de eventos onPause(), onStop() o onDestroy().

Explanation

La actividad de Android asigna una instancia de Camera que no se ha liberado en las devoluciones de llamada onPause(), onStop() o onDestroy(). El SO Android invoca estas devoluciones de llamadas cada vez que necesita enviar la actividad actual al segundo plano o cuando necesita destruir temporalmente la actividad debido al bajo nivel de recursos del sistema. Al no liberar correctamente el objeto Camera, la actividad impide que otras aplicaciones (o incluso futuras instancias de la misma aplicación) accedan a la cámara. Además, la conservación de la posesión de la instancia Camera mientras la actividad se encuentra pausada puede afectar negativamente a la experiencia del usuario debido a un consumo innecesario de la energía de la batería.

Ejemplo 1: En el siguiente código se describe una actividad de Android que no reemplaza el método base onPause(), que debe utilizarse para liberar el objeto Camera, ni lo libera correctamente durante la secuencia de cierre.


public class UnreleasedCameraActivity extends Activity {
  private Camera cam;

  @Override
  public void onCreate(Bundle state) {
      ...
  }

  @Override
  public void onRestart() {
      ...
  }

  @Override
  public void onStop() {
      cam.stopPreview();
  }
}

References

[1] Camera, Android Developers

[2] FIO04-J. Release resources when they are no longer needed CERT

[3] DOS-2: Release resources in all cases Oracle

[4] Standards Mapping - Common Weakness Enumeration CWE ID 772

[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772

[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[20] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404

[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II

[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[45] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.controlflow.java.unreleased_resource_android_camera