Java


JAVA.MISC.SD.FILE : Sensitive Data Written to Local File (Java)

Summary

Potentially sensitive data is stored in a file.

The following are considered sensitive system data.

Properties

Class Name: Sensitive Data Written to Local File (Java)
Significance: security
Mnemonic: JAVA.MISC.SD.FILE
Categories:
CWE: CWE:538 Insertion of Sensitive Information into Externally-Accessible File or Directory
CERT-Java: CERT-Java:DRD22 Do not cache sensitive information
OWASP-2017: OWASP-2017:A3 Sensitive data exposure
OWASP-2021: OWASP-2021:A2 Cryptographic failures
Availability: Available for Java only.

Android Only. Warnings of this class will only be reported in Android code: that is, code that uses the Android API.

Enabling: Checks for this warning class are disabled by default. To enable them, add the following WARNING_FILTER rule to the project configuration file.
WARNING_FILTER += allow class="Sensitive Data Written to Local File (Java)"

Example

package com.juliasoft.julia.tests.checks.sensitiveDataCaching;

import java.io.BufferedOutputStream;
import java.io.BufferedWriter;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.RandomAccessFile;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import android.app.Activity;
import android.os.Environment;
import android.telephony.TelephonyManager;

/**
 * Analyzer example: an Activity that reads the device identifier from
 * {@link TelephonyManager#getDeviceId()} and writes it, unencrypted, to files
 * through eight different java.io / java.nio write APIs.
 *
 * <p>Only {@link #usingBufferedWritter1(String)} is annotated with the
 * "Sensitive Data Written to Local File (Java)" warning. The other seven helpers
 * build their path from an external-storage location and are annotated with
 * "Sensitive Data Written to External Storage" instead.
 *
 * <p>Why it matters: the value written is a persistent device identifier, and
 * every helper stores it as plain text. Shared external storage can be readable
 * by other apps, depending on Android version and granted permissions. The usual
 * remediation is not to persist such identifiers at all, or to keep them in
 * app-private storage and encrypt them at rest.
 */
public class ExternalStorageLeak extends Activity {

  /**
   * Source of the sensitive value: fetches the device ID and passes the same
   * string to each writer helper in turn.
   *
   * <p>An {@link IOException} from any helper is caught here and only printed,
   * so the helpers listed after the failing one are skipped.
   */
  public void MyMethod()
  {

    try {
      // TELEPHONY_SERVICE is referenced through `this`; the cast selects the telephony service.
      TelephonyManager telephonyManager = (TelephonyManager) getSystemService(this.TELEPHONY_SERVICE); 
      // Taint source: the device identifier (named imei here) is the sensitive data tracked below.
      String imei=telephonyManager.getDeviceId();
    
      usingBufferedWritter1(imei);
      usingBufferedWritter2(imei);
      usingFileWriter(imei);
      usingPrintWriter(imei);
      usingFileOutputStream(imei);
      usingDataOutputStream(imei);
      usingFileChannel(imei);
      usingPath(imei);
    } catch (IOException e) {
      // Failure is reported on stderr only; nothing is rethrown to the caller.
      e.printStackTrace();
    }
  }

  /**
   * Writes {@code fileContent} to the relative path {@code "myfile0.txt"} through
   * a {@link BufferedWriter} wrapping a {@link FileWriter}.
   *
   * @param fileContent text to store; in this example it is the device identifier
   * @throws IOException if the file cannot be opened or written
   */
  public static void usingBufferedWritter1(String fileContent) throws IOException
  {
      // Relative path: where this resolves depends on the process working directory.
      BufferedWriter writer = new BufferedWriter(new FileWriter("myfile0.txt"));
      writer.write(fileContent);                 // Sensitive Data Written to Local File (Java) warning issued here
      // NOTE(review): close() is skipped if write() throws; there is no finally/try-with-resources.
      writer.close();
  }
      
  /**
   * Same sink as {@link #usingBufferedWritter1(String)}, but the path is built
   * from {@link Environment#getExternalStorageDirectory()}.
   *
   * @param fileContent text to store; in this example it is the device identifier
   * @throws IOException if the file cannot be opened or written
   */
  public static void usingBufferedWritter2(String fileContent) throws IOException
  {
      // NOTE(review): the directory and the file name are concatenated with no
      // separator between them, so the resulting path is probably not inside the
      // external storage directory - confirm against File.toString() output.
      BufferedWriter writer = new BufferedWriter(new FileWriter(Environment.getExternalStorageDirectory()+"myfile1.txt"));
      writer.write(fileContent);                 // "Sensitive Data Written to External Storage" warning issued here 
      writer.close();
  }

  /**
   * Writes {@code fileContent} with a bare {@link FileWriter} to a hard-coded
   * path under {@code /sdcard}.
   *
   * @param fileContent text to store; in this example it is the device identifier
   * @throws IOException if the file cannot be opened or written
   */
  public static void usingFileWriter(String fileContent) throws IOException
  {
      // Hard-coded absolute path; the analyzer annotates it as external storage.
      FileWriter fileWriter = new FileWriter("/sdcard/Android/data/myfile2.txt");
      fileWriter.write(fileContent);             // "Sensitive Data Written to External Storage" warning issued here 
      fileWriter.close();
  }
      
  /**
   * Writes {@code fileContent} through a {@link PrintWriter} layered on a
   * {@link FileWriter}.
   *
   * @param fileContent text to store; in this example it is the device identifier
   * @throws IOException if the file cannot be opened
   */
  public static void usingPrintWriter(String fileContent) throws IOException
  {
      // NOTE(review): getLegacyExternalStorageDirectory() looks like a non-SDK
      // Environment method - confirm it resolves against the target SDK. The
      // path is again concatenated without a separator.
      FileWriter fileWriter = new FileWriter(Environment.getLegacyExternalStorageDirectory()+"myfile3.txt");
      PrintWriter printWriter = new PrintWriter(fileWriter);
      printWriter.print(fileContent);            // "Sensitive Data Written to External Storage" warning issued here 
      // Closing the PrintWriter also closes the wrapped FileWriter.
      printWriter.close();
  }

  /**
   * Writes the bytes of {@code fileContent} with a {@link FileOutputStream}
   * opened on {@code myfile4.txt} inside the external storage directory.
   *
   * @param fileContent text to store; in this example it is the device identifier
   * @throws IOException if the file cannot be opened or written
   */
  public static void usingFileOutputStream(String fileContent) throws IOException
  {
      // File(parent, child) inserts the separator, unlike the string concatenations elsewhere.
      FileOutputStream outputStream = new FileOutputStream(new File(Environment.getExternalStorageDirectory(),"myfile4.txt"));
      // getBytes() with no argument encodes with the default charset.
      byte[] strToBytes = fileContent.getBytes();
      outputStream.write(strToBytes);            // "Sensitive Data Written to External Storage" warning issued here 
      outputStream.close();
  }

  /**
   * Writes {@code fileContent} with {@link DataOutputStream#writeUTF(String)}
   * over a buffered {@link FileOutputStream}.
   *
   * @param fileContent text to store; in this example it is the device identifier
   * @throws IOException if the file cannot be opened or written
   */
  public static void usingDataOutputStream(String fileContent) throws IOException
  {
      // NOTE(review): getLegacyExternalStorageObbDirectory() looks like a non-SDK
      // Environment method - confirm. Path is concatenated without a separator.
      FileOutputStream outputStream = new FileOutputStream(Environment.getLegacyExternalStorageObbDirectory()+"myfile5.txt");
      DataOutputStream dataOutStream = new DataOutputStream(new BufferedOutputStream(outputStream));
      dataOutStream.writeUTF(fileContent);       // "Sensitive Data Written to External Storage" warning issued here 
      // Closing the outermost stream flushes the buffer and closes the file stream.
      dataOutStream.close();
  }
      
  /**
   * Writes the bytes of {@code fileContent} through the {@link FileChannel} of a
   * {@link RandomAccessFile} opened in {@code "rw"} mode.
   *
   * @param fileContent text to store; in this example it is the device identifier
   * @throws IOException if the file cannot be opened or written
   */
  public static void usingFileChannel(String fileContent) throws IOException
  {
      // Path is concatenated without a separator (see NOTE in usingBufferedWritter2).
      RandomAccessFile stream = new RandomAccessFile(Environment.getExternalStorageDirectory()+"myfile6.txt", "rw");
      FileChannel channel = stream.getChannel();
      byte[] strBytes = fileContent.getBytes();
      // Buffer is sized exactly to the payload, filled, then flipped for reading.
      ByteBuffer buffer = ByteBuffer.allocate(strBytes.length);
      buffer.put(strBytes);
      buffer.flip();
      // A single write() call is issued; its return value (bytes written) is not checked.
      channel.write(buffer);                     // "Sensitive Data Written to External Storage" warning issued here 
      // RandomAccessFile.close() also closes its channel, so the second close is redundant.
      stream.close();
      channel.close();
  }

  /**
   * Writes the bytes of {@code fileContent} in one call with
   * {@link Files#write(Path, byte[], java.nio.file.OpenOption...)}.
   *
   * @param fileContent text to store; in this example it is the device identifier
   * @throws IOException if the file cannot be written
   */
  public static void usingPath(String fileContent) throws IOException
  {
      // Path is concatenated without a separator (see NOTE in usingBufferedWritter2).
      Path path = Paths.get(Environment.getExternalStorageDirectory()+"myfile7.txt");
      Files.write(path, fileContent.getBytes()); // "Sensitive Data Written to External Storage" warning issued here 
  }
}

Relevant Configuration File Parameters

The following configuration file parameters affect checks for this warning class.