계: Security Features
소프트웨어 보안은 보안 소프트웨어가 아닙니다. 여기서는 인증, 액세스 제어, 기밀성, 암호화, 권한 관리 등의 항목에 대해 설명합니다.
Android Bad Practices: Missing exported Flag or Component Permission
Abstract
이 프로그램은 구성 요소에 대한 액세스 권한을 명시적으로 할당하지 않습니다.
Explanation
모든 응용 프로그램은 매니페스트 정의에 액세스 권한이 명시적으로 할당되지 않은 공개 구성 요소에 액세스할 수 있습니다. Android 컨텐츠 공급자는 android:minSdkVersion 또는 android:targetSdkVersion을 "16" 이하로 설정하는 응용 프로그램에서 기본적으로 내보내집니다. 이러한 속성 중 하나를 "17" 이상으로 설정하는 응용 프로그램의 경우 기본값은 "false"입니다.
예제 1: 다음은 명시적 접근 권한 또는 내보내는 플래그 없이 선언된 Android 콘텐트 공급자의 예입니다.
예제 1: 다음은 명시적 접근 권한 또는 내보내는 플래그 없이 선언된 Android 콘텐트 공급자의 예입니다.
<provider android:name=".ContentProvider"/>
References
[1] Jesse Burns Developing Secure Mobile Applications for Android
[2] The AndroidManifest.xml File
[3] William Enck, Machigar Ongtang, and Patrick McDaniel Understanding Android Security
[4] Security guidelines - Permissions
[5] Standards Mapping - Common Weakness Enumeration CWE ID 265, CWE ID 285, CWE ID 925, CWE ID 926
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[13] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[15] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.android_bad_practices_missing_exported_flag_or_component_permission