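Files saved to external storage are world-readable and can be modified by the user when USB mass storage is enabled to transfer files on a computer. In addition, files written to external storage are not deleted even after the application that wrote them is uninstalled. These weaknesses can compromise sensitive information written to storage, or allow an attacker to inject malicious data into the program by modifying an external file it relies on.
Example 1: In the following code, Environment.getExternalStorageDirectory() returns a reference to the Android device's external storage.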
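import android.os.Environment;
import android.util.Log;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;

private void WriteToFile(String what_to_write) {
    try {
        // Vulnerable: the file lands on world-readable, user-modifiable external storage.
        File root = Environment.getExternalStorageDirectory();
        if (root.canWrite()) {
            File dir = new File(root, "write_to_the_SDcard");
            // `number` is assumed to be a field of the enclosing class.
            File datafile = new File(dir, number + ".extension");
            FileWriter datawriter = new FileWriter(datafile);
            BufferedWriter out = new BufferedWriter(datawriter);
            out.write(what_to_write);
            out.close();
        }
    } catch (IOException e) {
        Log.e("WriteToFile", "could not write file", e);
    }
}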
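The hardened counterpart to Example 1, as an added example that is not part of the original page: sensitive data goes to app-private internal storage, and a file that must live on external storage has its SHA-256 digest kept in internal storage so that tampering is detected on read. The class name `SafeStore`, its method names and the `.sha256` suffix are hypothetical.

```java
import android.content.Context;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SafeStore {  // hypothetical helper, not from the original page
    // Sensitive data: app-private internal storage, removed when the app is uninstalled.
    public static void writePrivate(Context ctx, String name, String data) throws IOException {
        try (OutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(data.getBytes(StandardCharsets.UTF_8));
        }
    }
    // Non-sensitive data on external storage: record its digest where only this app can write.
    public static void writeExternal(Context ctx, File external, byte[] data)
            throws IOException, NoSuchAlgorithmException {
        try (OutputStream out = new FileOutputStream(external)) {
            out.write(data);
        }
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        String tagName = external.getName() + ".sha256";
        try (OutputStream out = ctx.openFileOutput(tagName, Context.MODE_PRIVATE)) {
            out.write(digest);
        }
    }
    // Reject the external file if its content no longer matches the stored digest.
    public static byte[] readExternalVerified(Context ctx, File external)
            throws IOException, NoSuchAlgorithmException {
        byte[] data = readAll(new FileInputStream(external));
        byte[] expected = readAll(ctx.openFileInput(external.getName() + ".sha256"));
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(data);
        if (!MessageDigest.isEqual(expected, actual)) {
            throw new IOException("external file was modified: " + external);
        }
        return data;
    }
    private static byte[] readAll(InputStream in) throws IOException {
        try (InputStream src = in; ByteArrayOutputStream buf = new ByteArrayOutputStream()) {
            byte[] chunk = new byte[8192];
            for (int n; (n = src.read(chunk)) != -1; ) buf.write(chunk, 0, n);
            return buf.toByteArray();
        }
    }
}
```

The digest check covers integrity only; anything confidential belongs in `writePrivate`, since the external copy remains readable by anyone with access to the storage.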