程序請求打電話與接電話的權限。
禁止在毫無理由的情況下請求打電話與接電話的權限,也不可在沒有考慮的情況下授予該權限。惡意軟件會盜取這些權限來撥打付費號碼,在用戶不知情的情況下竊取金錢。
例 1:AndroidManifest.xml 的以下 <uses-permission .../> 元素包含了電話權限屬性。
<uses-permission android:name="android.permission.CALL_PHONE"/>
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A2 Broken Access Control
[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A6 Security Misconfiguration
[3] Standards Mapping - FIPS200 - (FISMA) AC
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3500 CAT II
[5] Standards Mapping - Security Technical Implementation Guide Version 3.4 - (STIG 3.4) APP3500 CAT II
[6] Mark L. Murphy Beginning Android 2 Apress
[7] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 265
[8] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Improper Access Control - CWE ID 285
[9] Using Permissions
[10] Who creates malware and why?