계: Security Features

소프트웨어 보안은 보안 소프트웨어가 아닙니다. 여기서는 인증, 액세스 제어, 기밀성, 암호화, 권한 관리 등의 항목에 대해 설명합니다.

Android Bad Practices: normal Permission

Java/JSP

Abstract

이 프로그램은 normal 보호 수준으로 권한을 선언합니다.

Explanation

사용자 지정 권한을 선언할 때는 4가지 옵션을 사용하여 권한의 보호 수준을 지정할 수 있습니다. 즉, normal, dangerous, signature 및 signature or system입니다. Normal 권한은 권한을 요청하는 모든 응용 프로그램에 부여됩니다. Dangerous 권한은 사용자 확인 후에만 부여됩니다. Signature 권한은 권한을 정의하는 패키지와 동일한 개발자 키로 서명된 응용 프로그램에만 부여됩니다. Signature or system 권한은 signature 권한과 유사하지만 Android 시스템 이미지의 패키지에도 부여됩니다.

예제 1: 다음은 normal 보호 수준으로 선언된 사용자 지정 권한의 예입니다.

 <permission android:name="custom.PERMISSION"
                     android:label="@string/label_permission"
                     android:description="@string/desc_permission"
                     android:protectionLevel="normal">
      </permission>

References

[1] Permission Element

[2] Security tips - Use permissions

[3] Jesse Burns Developing Secure Mobile Applications for Android

[4] William Enck, Machigar Ongtang, and Patrick McDaniel Understanding Android Security

[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2

[6] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4

[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[10] Standards Mapping - Common Weakness Enumeration CWE ID 265

[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165

[12] Standards Mapping - FIPS200 AC

[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement

[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[22] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285

[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[50] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.config.java.android_bad_practices_normal_permission