Storage Permission Hardening
| Plan | Platforms | MASVS |
|---|---|---|
| Team | Android | MASVS-STORAGE-1 |
Overview
Storage Permission Hardening restricts Android app-private storage permissions so local files are not accidentally exposed through permissive file modes. It hardens the app's internal files directory and verifies SharedPreferences XML files are not world-readable or world-writable.
How It Works
When enabled, the Android runtime control performs two best-effort checks during initialization:
- Calls Android file permission APIs on the app's internal
files/directory to remove non-owner access and keep owner read/write/execute access. - Scans the app's
shared_prefs/directory and removes world read/write/execute bits from SharedPreferences XML files when found.
The control is idempotent and safe to call repeatedly. If a permission update is not accepted by the platform or filesystem, the control logs the condition and continues.
What Is Hardened
- Internal files directory returned by
Context.getFilesDir() - SharedPreferences XML files under the app's private
shared_prefs/directory
The control does not modify database contents, encrypt file contents, change cache behavior, or rewrite host app storage APIs.
Threats Mitigated
- Over-permissive file modes: Reduces exposure from files accidentally left world-readable or world-writable.
- Local app sandbox bypass attempts: Helps ensure private app files remain owner-only where the Android filesystem honors those permissions.
- SharedPreferences exposure: Repairs SharedPreferences XML files that have world access bits set.
Caveats
- This control does not provide app-level encryption. Existing file, SharedPreferences, and database contents remain in their original format.
- Android's app sandbox and platform file-based encryption remain responsible for the baseline storage isolation and at-rest protection.
- Permission hardening is best-effort. Some filesystems or device policies may ignore or limit permission changes.
- The control only checks the app's internal
files/directory and SharedPreferences XML files. It does not scan external storage, cache directories, SQLite databases, WebView storage, or third-party SDK-specific paths.
Support Matrix
| Platform | Minimum Version | Notes |
|---|---|---|
| Android | Android 8.0+ (API 26) | Matches the Android module minimum SDK |
How to Enable the Control
Navigate to Preventative Controls from the AppTego portal, and expand the Data at Rest Protection section. Under this section you will find the Storage Permission Hardening control. Click Enable to enable it for the next build or for it to be applied with a live push (if enabled).
API Configuration Example
{
"StoragePermissionHardeningPrevention": {
"protection": true
}
}| Field | Purpose |
|---|---|
protection | Enables Android storage permission hardening. |
SDK Usage
In Android library mode, enable the control after initializing MobileDefender:
MobileDefender.storagePermissionHardeningPrevention(true);