Android JAVA pdf

 ᾓ"OESPJE+"7"Ⳳ၊צྖᓢᴶ◖ᵫ῾ ⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

 ῶέဓ୞ὢ⤞Ѯ↋ᏽⱊⷲ ⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

᢯૮ം࿷⤞ᆚҫ၊⁞὿ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞ ῶ૮ം࿷⤞ᆚҫ၊⁞὿ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞

 ῶ"1*ᴳẗ ⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

OVMMᇒЊᒮᨆᏦѮᢚ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞ FRVBMT ḮIBTI$PEF ⵆࢆᆺ ὆ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞

 ῶᓢᴶ⪧᤟ ⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

؞Ꮾ ᓢ὆૖ᨊⵊ⤻᪒⪦ῲᦏ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞ ◖ᵫⵊᵂ⸦⹂ᴺӎᆚↆ὆ᢚẗ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞ `ῶⵆ↮ᴸἮࢊᨆЀ὆ᢚẗ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞ ῲᷛ`Ἢ၊῿תϮઓⵊ⫺Ὢ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞ Ṧᕮᶾᤊ῿תⵆᷚ⹊᤟⹂Ϯઓⵊ⛢⯚ࣺ⪦ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞ ӣἎᴲὢംᶾ὆ⵊ῿ת ᶢ⦣Ӫ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞

 ῶ᫊ϲᏽ᢯⣊ ⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

ҫᾯ⁞ѢѮᢚ᫊῾Ӫᢚẗ᫊῾ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞  ૮၊ ᶢఆ↮ᴸἮᾚ֮ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞

 ῶᶾ࿚⒆ᆚ ⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

Ḓᅆቂ᫊↮⦣ⵊ ᓢ०▊ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞ Ḓᅆ᢯⹗ᶾ૮ⵊ⒆ᆚᕮᾚ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞

 ῶ❂ೊⱶ↶ ⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

ࣾ⯚ὦ⤞ᷛ␦⁞ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞

 ῶ⚏᩾⹂ ⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

ӣẗቂ᥺ೊ၊ᕮ⤞ᆚ⤢ఊQSJWBUFᐞᷢἎ⸃ⴲೊ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞ QSJWBUFᐞᷢἎ⸃ⴲೊᶾӣẗ୞ὢ⤞ⵎ૧ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞ ᫊᪒⥊୞ὢ⤞ ᓢ৲▊ ⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞⾞

 ᾓẗᶢ ᆚᏽᵫᶢⱊ ⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

 ῶẗᶢ ᆚ ⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

 ῶᵫᶢⱊ ⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

⾞

ᕲᅆ

◖ᵫ῾ታ♛

Ỳⷆல

CWE-ID

έဓ୞ὢ⤞

Ѯ↋ᏽⱊⷲ

᢯૮ം࿷⤞ᆚҫ၊⁞὿

ᇒẞঀἺ

CWE-23

ῶ૮ം࿷⤞ᆚҫ၊⁞὿

ᇒẞঀἺ

CWE-36

API

ᴳẗ

null

ᇒЊᒮᨆᏦѮᢚ

ঀἺ

CWE-398

equals()ḮhashCode()

ⵆࢆᆺ ὆

ঀἺ

CWE-581

ᓢᴶ⪧᤟

؞Ꮾ ᓢ὆૖ᨊⵊ⤻᪒⪦ῲᦏ

ঀἺ

CWE-319

◖ᵫⵊᵂ⸦⹂ᴺӎᆚↆ὆ᢚẗ

ঀἺ

CWE-327

`ῶⵆ↮ᴸἮࢊᨆЀ὆ᢚẗ

ঀἺ

CWE-330

ῲᷛ`Ἢ၊῿תϮઓⵊ⫺Ὢ

ঀἺ

-Ṧᕮᶾᤊ῿תⵆᷚ⹊᤟⹂Ϯઓⵊ⛢⯚ࣺ⪦

ঀἺ

-ӣἎᴲὢംᶾ὆ⵊ῿ת ᶢ⦣Ӫ

ঀἺ

-᫊ϲᏽ᢯⣊

ҫᾯ⁞Ѣ:

Ѯᢚ᫊῾Ӫᢚẗ᫊῾

ঀἺ

CWE-367

 ૮၊ ᶢఆ↮ᴸἮᾚ֮

ঀἺ

CWE-674

ᶾ࿚⒆ᆚ

Ḓᅆቂ᫊↮⦣ⵊ ᓢ०▊

ঀἺ

CWE-209

Ḓᅆ᢯⹗ᶾ૮ⵊ⒆ᆚᕮᾚ

ঀἺ

CWE-390

❂ೊⱶ↶

ࣾ⯚ὦ⤞ᷛ␦⁞

ঀἺ

CWE-476

⚏᩾⹂

ӣẗቂ᥺ೊ၊ᕮ⤞ᆚ⤢ఊprivate

ᐞᷢ-Ἆ⸃ⴲೊ

ঀἺ

CWE-495

private

ᐞᷢ-Ἆ⸃ⴲೊᶾӣẗ୞ὢ⤞ⵎ૧

ঀἺ

CWE-496

᫊᪒⥊୞ὢ⤞ ᓢ৲▊

ঀἺ

CWE-497

1

ᾓ

Android-JAVA

Ⳳ၊צྖᓢᴶ◖ᵫ῾

1

ῶ έဓ୞ὢ⤞Ѯ↋ᏽⱊⷲ

ᢚẗ὾὆έဓἲѮ↋ᶴὢצ૮၊ᐉᴲ೒ᷚᢚẗⵆቢᆼἮᓢᴶỲⷿᶾ०▊ఆѺఊ૒. ⵢ૧ ᓢᴶ◖ᵫ῾ἲ ᷶ᐗⵆ؞ Ỳⵢᤊં Ἆ⺖ⵊ έဓ୞ὢ⤞ᆺ ⶶẗⵎ ᨆ ὶல။ ❂ഗⵆં ѱὢ ⁹Ἢ቞, ᕮೋὢⵊ ҫẞ έဓЀἲ Ѯ↋ⵆᷚ Ѯ↋ఊ ୞ὢ⤞ᆺ ⶶẗⵆல။ ❂ഗⵆᷚ ◖ᵫ῾ἲ  ўⵢᵪⵊ૒.

1.

᢯૮ം࿷⤞ᆚҫ၊⁞὿

(Relative Path Traversal)

Ϯ

.

 ὆

Ṧᕮ὆έဓἲ⦣ⵆᷚ“ം࿷⤞ᆚҫ၊ጦ὾ᷢ” ᣋ᤟ὢⴲẂⵊҫẞ, Ṧᕮέဓᶾᤊҫ၊⁞὿ ᶾᢚẗఎᨆὶંጦ὾ᅪⴲ⤞ᆯⵆ↮ᴸἪቢ, ᷶᢯ᐄ὆ᷯᷛᶾ૮ⵊҫ၊ጦ὾ᷢὢϮઓ ⵢ…᫊᪒⥊ ᓢ৲▊, ᤊᘲ᪒ᾓᵎ೟ἲἎᐊ᫊⢚ᨆὶ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ Ṧᕮ὆έဓὢ↯῿⫺Ὢὢᅲἲᣋ᤟ⵆંᢚẗఎᨆᶴல။ⵊ૒. ᕶϮ⴪ⵆѺ↯῿ᢚẗ ⵆંҫẞ, ૒ᅦം࿷⤞ᆚ὆⫺Ὢἲ῿תⵎᨆᶴல။replaceAll() ೟὆ቂ᥺ೊᅪᢚẗⵆ ᷚỲⷆጦ὾ᷢ(",/,\)ἲ ўⵆંⴲ⤞ᅪў♆ல။ⵊ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA

1: ……

2: public void f(Properties request) {

3: ……

4: String name = request.getProperty("filename");

5: if( name != null ) {

6: File file = new File("/usr/local/tmp/" + name);

7: file.delete();

8: }

9: ……

10: }

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA

1: ……

2: public void f(Properties request) {

3: ……

4: String name = request.getProperty("filename");

5: String dentry = "/usr/local/tmp";

6: if ( name != null && !"".equals(name) ) {

7: name = name.replaceAll("/", "");

8: name = name.replaceAll("\\", "");

9: name = name.replaceAll(".", " ");

10: name = name.replaceAll("&", " ");

11: name = name + "-report";

12: File file = new File(dentry + name);

13: if (file != null) file.delete();

14: }

15: ……

16: }

ṦᕮᶾᤊέဓఆંЀᶾ૮ⵆᷚNullᷚᕮᅪ⒢⡚ⵆӎ, Ṧᕮᶾᤊέဓఆં⫺Ὢὢᅲ(name)ᶾᤊ ᢯૮ҫ၊(/, \\, &, . ೟⪧ᨆጦ὾)ᅪᤒ ⵎᨆᶴல။replaceAllᅪὢẗⵆᷚ⪧ᨆጦ὾ᅪ  ўⵊ૒.

ཪ

.

␦ӎጦⶺ

[1] CWE-23 ᢯૮ം࿷⤞ᆚҫ၊⁞὿- http://cwe.mitre.org/data/definitions/23.html [2] OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object Reference

2.

ῶ૮ം࿷⤞ᆚҫ၊⁞὿

(Absolute Path Traversal)

Ϯ

.

 ὆

Ṧᕮέဓὢ⫺Ὢ᫊᪒⥊ἲ⁞὿ⵆંҫ၊ᅪ↯῿ ᶢⵎᨆὶўࢆᷯⶓἲࡪ♆ቢỲⷆ ⵆ૒. ᢚẗ὾έဓὢ⫺Ὢ᫊᪒⥊὿ᶳᶾᢚẗఆંҫ၊ᅪ ᶢⵆંѱἲⶶẗⵆቢ, ӣҗ ὾ϮἿẗⳲ၊צྖᶾ♆ታ`ὦ᫊᪒⥊⫺Ὢ෾ંὪᐆ⫺Ὢἲ῿תⵆўࢆᒮҫⵎϮઓ᤟ ὢ⁢ᾚⵊ૒. ⅷ, ҫ၊⁞὿ἲ⦣ⵢᤊӣҗ὾Ϯⶶẗఆ↮ᴸἮպⵊἲ⹻ೋⵆᷚ, ᤒ ᶾӮ Ҳఊ⫺Ὢἲᒮҫⵎᨆὶўࢆ᫒⵷᫊⢚ᨆὶ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ ⫺ὪὢᅲἪ၊ᕮ⤞replaceAll ቂ᥺ೊᅪᢚẗⵆᷚỲⷆⵊጦ὾೒ἲ ўⵆўࢆ, ῶ૮ҫ၊ጦ ὾ᷢ⯚ⵖᷚᕮᅪѮᢚⵖἪ၊᭖ὲ὆὆ം࿷⤞ᆚᶾ῿תⵆ↮ኩⵆல။Ⳳ၊צྖἲ὿᤟ⵆ ંѱὢᐂེ↯ⵆ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA

1: ……

2: public void onCreate(Bundle savedInstanceState) {

3: ¦¦¦¦super.onCreate(savedInstanceState);

4: ¦¦¦¦File file = new File(android.os.Environment.getExternalStorageDirectory(), "inputFile");

5: ¦¦¦¦try {

6: ¦¦¦¦¦¦¦¦¦InputStream is = new FileInputStream(file);

7: ¦¦¦¦¦¦¦¦¦Properties props = new Properties();

8: ¦¦¦¦¦¦¦¦props.load(is);

9: ¦¦¦¦¦¦¦¦¦String name = props.getProperty("filename");

10: ¦G ¦¦¦¦¦¦file = new File("/usr/local/tmp/" + name);

11: ¦¦G ¦¦¦¦¦¦file.delete();

12: ¦¦¦¦¦¦¦¦is.close();

13: ¦¦¦¦¦} catch (IOException e) {

14: ¦¦¦¦¦¦¦¦¦¦¦Log.w("Error", "", e);

15: ¦¦¦¦¦}

16: ¦}

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA 1: ……

2: public void onCreate(Bundle savedInstanceState) {

3: super.onCreate(savedInstanceState);

4: ¦¦¦¦¦¦¦¦¦

5: File file = new File(android.os.Environment.getExternalStorageDirectory(), "inputFile");

6: try {

7: ¦¦¦¦¦¦¦¦InputStream is = new FileInputStream(file);

8: ¦¦¦¦¦¦¦¦Properties props = new Properties();

9: ¦¦¦¦¦¦¦¦props.load(is);

10: ¦¦¦¦¦¦¦¦String name = props.getProperty("filename");

11: ¦¦¦¦¦¦¦¦if (name.indexOf("/") <0) {

12: ¦¦¦¦¦¦¦¦G G Gfile = new File(name);

13: ¦¦¦¦¦¦¦¦G G Gfile.delete();

14: ¦¦¦¦¦}¦¦¦G

15: ¦G G G G ¦¦¦¦is.close();

16: ¦¦G ¦¦} catch (IOException e) {

17: ¦¦¦¦¦¦¦¦¦¦¦Log.w("Error", "", e);

18: ¦¦¦¦¦}

19: }

Ṧᕮ὆έဓὢ⫺ὪὢᅲἪ၊ᢚẗఎҫẞῶ૮ҫ၊ታὢᢚẗఆ↮ኩⵆல။, ጦ὾ᷢὢ"\" ෾ં"/"ἲ⯚ⵖⵆўࢆⵢ૧ጦ὾ᷢ၊᫊὿ⵎҫẞӮဖே὿ᨆ⵷ἲўᕮⵆંѱὢᐂེ ↯ⵆ૒.

ཪ

.

␦ӎጦⶺ

[1] CWE-36 ῶ૮ം࿷⤞ᆚҫ၊⁞὿- http://cwe.mitre.org/data/definitions/36.html [2] OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object Reference

2

ῶ

API

ᴳẗ

API(Application Programming Interface)ં Ảᷯ⒢ Ḯ ἿẗⳲ၊צྖϲ὆ ⦣ᫎᶾ ᢚẗఆં ᶦᶢࢆቂ᫊↮⸃᫋෾ં׊ᵫἪ၊, ἿẗⳲ၊צྖЊᐊ᫊Њᐊ⮦ᆚ᤟ᏽ⺖἖᤟ἲ ӣⵆં ὢ῾ὢὶ૒. צ࿚ࢆAPI Ḓẗᏽ◖ᵫ῾ὢᴺဒ↲API὆ᢚẗἮЊᐊ⺖἖᤟ᏽἎ↮ᓢᨆ᤟὆ ΅ⵆᏽᓢᴶ᢯὆᫚ϯⵊỲⷿẂὦὢఎᨆὶ૒.

1. null

ᇒЊᒮᨆᏦѮᢚ

(Missing Check for Null Parameter)

Ϯ

.

 ὆

Java ⱊ⃮ᶾഞᅢቢObject.equals(), Comparable.compareTo() ᏽComparator.compare()὆ ՚ⷲἮᇒЊᒮᨆϮnullὦҫẞ↮ ఊЀἲᐆ⹆ⵢᵪⵊ૒. ὢᵫ᥻ἲഞᅢ↮ᴸἪቢ᷶ ؞♆ኩⵊே὿ὢᐊᣋⵎᨆὶ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ Object.equals(), Comparable.compareTo()ӪComparator.compare() ՚ⷲᶾᤊંᇒЊᒮᨆᅪ nullӪᘲԾⵢᵪⵊ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA 1: public void onCreate(Bundle savedInstanceState) {

2: ¦¦¦¦super.onCreate(savedInstanceState);

3: }

4: ¦¦

5: public boolean equals(Object object)

6: {

7: ¦¦¦¦¦return (toString().equals(object.toString()));

8: }

ᇒЊᒮᨆϮnullὦ↮Ѯᢚⵆ↮ᴸᵆ૒.

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA

1: public void onCreate(Bundle savedInstanceState) {

2: ¦¦¦¦super.onCreate(savedInstanceState);

3: }

4: ¦¦

5: public boolean equals(Object object)

6: {

7: if(object != null)

8: ¦¦¦¦¦return (toString().equals(object.toString()));

9: else return false ;

ᇒЊᒮᨆϮnullὦ↮ሪ΅Ѯᢚⵊ૒.

ཪ

.

␦ӎጦⶺ

2. equals()

Ḯ

hashCode()

ⵆࢆᆺ ὆

(Object Model Violation: Just one of equals() and hashCode() Defined)

Ϯ

.

 ὆

Java ⱊ⃮ᶾഞᅢቢ, Java὆ЇἮЋ⒢ંЇἮⵢ᫊❂ೊᅪϮ…ᵪⵊ૒.

ⅷ"a.equals(b) == true"ὢቢ"a.hashCode() == b.hashCode()" ὢᶢᵪⵊ૒. ഞཪᤊⵊ⡢ ྆᪒ࢢᶾᤊequals()ḮhashCode()ંె૒՚ⷲⵆўࢆె૒՚ⷲⵆ↮ᴸᴲᵪⵊ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ ⵊ⡢྆᪒ࢢᶾequals()ᅪ ὆ⵆቢhashCode()ல ὆ⵢᵪⵆӎhashCode()ᅪ ὆ⵆቢ equals()ல ὆ⵢᵪⵊ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA

1: ……

2: public void onCreate(Bundle savedInstanceState) {

3: ¦¦¦¦super.onCreate(savedInstanceState);

4: }

5: ¦¦

6: public boolean equals(Object obj) {

7: ¦¦¦¦if (obj == null)

8: ¦¦¦¦¦¦¦¦return false;

9: ¦¦¦¦int i1 = this.hashCode();

10: ¦¦¦¦int i2 = obj.hashCode();

11:

12: ¦¦¦¦if (i1 == i2)

13: ¦¦¦¦¦¦¦return true;

14: ¦¦¦¦else

15: ¦¦¦¦¦¦¦return false;

16: }

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA 1: ……

2: public boolean equals(Object obj) {

3: ¦¦¦¦if (obj == null)

4: ¦¦¦¦¦¦¦return false;

5: ¦¦¦¦int i1 = this.hashCode();

6: ¦¦¦¦int i2 = obj.hashCode();

7: ¦¦

8: ¦¦¦¦if (i1 == i2)

9: ¦¦¦¦¦¦¦¦return true;

10: ¦¦¦¦else

11: ¦¦¦¦¦¦¦¦return false;

12: }

13: public int hashCode() {

14: ¦¦¦¦return new HashCodeBuilder(17, 37).toHashCode();

15: }

equals()ḮhashCode() ኖా ὆ⵢᵪⵊ૒.

ཪ

.

␦ӎጦⶺ

3

ῶ ᓢᴶ⪧᤟

؞ᓦ`ὦᓢᴶ؞ઓἲ૒პഺંᤦ᫚ⵊ⃪὆ϮⴲẂⵆ૒. ᕮ`ῶⵊᓢᴶ⪧᤟὆ᢚẗἮḒ⽶ဒ ᤟ઓὢࢆᕮϮ`ὦጦ ᅪᕶ࿚Ḛᨆலὶ૒. ᓢᴶ⪧᤟ᶾંὦ↋, ῿ת ᶢ, ؞Ꮾ᤟, ᵂ⸦⹂, պⵊӮᆚ೟ὢ⯚ⵖఊ૒.

1.

؞Ꮾ ᓢ὆૖ᨊⵊ⤻᪒⪦ῲᦏ

(Cleartext Transmission of Sensitive Information)

Ϯ

.

 ὆

SWϮᓢᴶӪӮဖఊᏪϾⵊ୞ὢ⤞ᅪታᐟⵊ⤻᪒⪦὆⸃⣊၊⦣ᫎ␲ࣾἲ⦣ⵢᤊᓢࢢ ંҫẞ, ὦ↋ᐉ↮ᴸἮ⃪⒢ᶾ὆ⵢᤊ᪒શⴿὢὪᶢࢎᨆὶ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ ᏪϾⵊ ᓢᅪ⦣ᫎ␲ࣾἲ⦣ⵆᷚࢢᓢࢪഺંᐆೊ᫊ᵂ⸦⹂Ӫ ἲўⒾᵪⵊ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA

1: ……

2: public void onCreate(Bundle savedInstanceState) {

3: ¦¦int port = 443;

4: ¦¦String hostname = "hostname";

5: ¦¦Socket socket = new Socket(hostname, port);¦¦¦¦¦¦¦

6: ¦¦InputStream in = socket.getInputStream();

7: ¦OutputStream out = socket.getOutputStream();

8: ¦// Read from in and write to out...

9: ¦in.close();

10: ¦out.close();¦¦¦¦¦¦¦G

11: }

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA 1: ……

2: public void onCreate(Bundle savedInstanceState) {

3: ¦¦int port = 443;

4: ¦¦String hostname = "hostname";

5: SocketFactory socketFactory = SSLSocketFactory.getDefault();

6: ¦¦GSocket socket = socketFactory.createSocket(hostname, , port);¦¦¦¦¦¦¦

7: ¦¦InputStream in = socket.getInputStream();

8: ¦GOutputStream out = socket.getOutputStream();

9: ¦G// Read from in and write to out...

10: ¦Gin.close();

11: ¦Gout.close();¦¦¦¦¦¦¦G

12: }

ᏪϾⵊ ᓢᅪऒ⪦Ẻ⡚ᅪ⦣ⵆᷚᤊᑲᶾῲᦏⵆ؞ῲᶾ╊᥺ⵊ128ᘲ⪦ئὢ὆⢒ᅪὢ ẗⵆᷚᵂ⸦⹂ⵆંѱὢᐂེ↯ⵆ૒.

ཪ

.

␦ӎጦⶺ

2.

◖ᵫⵊᵂ⸦⹂ᴺӎᆚↆ὆ᢚẗ

(Use of a Broken or Riscky Cryptographic Algorithm)

Ϯ

.

 ὆

ᓢᴶ`Ἢ၊◖ᵫⵆўࢆỲⷆⵊᵂ⸦⹂ᴺӎᆚↆἲᢚẗⵢᤊંᴶఊ૒. ⱊ⃮⹂ఆ↮ᵂ⸦⹂ ᴺӎᆚↆἲ ᢚẗⵆં ѱἮ ӣҗ὾Ϯ ᴺӎᆚↆἲ ᕲᤋⵆᷚ ጢဓ⹂᫊⢚ ᨆ ὶં Ϯઓ᤟ἲ ঀὪᨆலὶ૒. ትትḒ྆ఊᵂ⸦⹂ᴺӎᆚↆ὆ҫẞં⛢Ⳗ⤞὆᤟ઓὢⶓ᢯ఖᶾഞཪ ◖ᵫⵢ↮؞லⵢᤊ, ᷶ῲᶾંⵢளⵆં୞ት᫛ᶣलὢѦᆚ୆ᴺӎᆚↆὢ቞♎ὢࢆት᫊ ϲࢢᶾⵢளఆ؞லⵊ૒. RC2, RC4, RC5, RC6, MD4, MD5, SHA1, DES ᴺӎᆚↆὢᷚ؞ ᶾⵢ૧ఊ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ AES⒆࿪ᓢ૒Ѓဓⵊᵂ⸦⹂ᴺӎᆚↆἲᢚẗⵆંѱὢᐂེ↯ⵆ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA 1: ……

2: public byte[] encrypt(byte[] msg, Key k) {

3: byte[] rslt = null;

4:

5: try {

6: // DES೟὆࢜Ἦᓢᴶᨆ⃮὆ᴺӎᆚↆἲᢚẗⵆંѱἮᴶῲⵆ↮ᴸ૒.

7: Cipher c = Cipher.getInstance("DES");

8: c.init(Cipher.ENCRYPT_MODE, k);

9: rslt = c.update(msg);

10: } catch (InvalidKeyException e) {

11: ……

12: }

13: return rslt;

14: }

15: }

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA 1: ……

2: public byte[] encrypt(byte[] msg, Key k) {

3: byte[] rslt = null;

4:

5: try {

6: // ࢜Ἦᓢᴶᨆ⃮὆DES ᴺӎᆚↆἲঀἮᓢᴶᨆ⃮὆AES ᴺӎᆚↆἪ၊૮⒢ⵊ૒.

7: Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");

8: c.init(Cipher.ENCRYPT_MODE, k);

9: rslt = c.update(msg);

10: } catch (InvalidKeyException e) {

11: ……

12: }

13: return rslt;

14: }

15: }

◖ᵫⵆ૒ӎᴺဒ↲ᴺӎᆚↆ૮ᫎAES ᴺӎᆚↆἲ╊᥺ⵊ128ᘲ⪦ئὢ὆⢒ᅪὢẗⵆᷚ ᢚẗⵆંѱὢᐂེ↯ⵆ૒.

ཪ

.

␦ӎጦⶺ

[1] CWE-327 ◖ᵫⵊᵂ⸦⹂ᴺӎᆚↆ὆ᢚẗ- http://cwe.mitre.org/data/definitions/327.html [2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage

[3] SANS Top 25 2010 - (SANS 2010) Porus Defense - CWE ID 327 Use of a Broken or Risky Cryptographic Algorithm

3.

`ῶⵆ↮ᴸἮࢊᨆЀ὆ᢚẗ

(Use of Insufficiently Random Values)

Ϯ

.

 ὆

᷶☏ϮઓⵊࢊᨆᅪᢚẗⵆંѱἮ᫊᪒⥊ᶾ◖ᵫ῾ἲᵪ؞᫊⢖૒. ᷶☏ᕶϮઓⵊᨙ὾Ϯ ⴲẂⵊ᢯⹗ᶾᤊ᷶☏Ϯઓⵊࢊᨆᅪᢚẗⵊ૒ቢ, ӣҗ὾ંSWᶾᤊᣋ᤟ఆં૒Ἲᨙ὾ᅪ ᷶᢯ⵆ᫊ᷚ᪒⥊ἲӣҗⵆંѱὢϮઓⵆ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ ࢊᨆᐊᣋ؞ᶾᤊseedᅪᢚẗⵆંҫẞᶾં᷶☏ⵆ؞ᶢဒẢᐗᒃἪ၊ᒮҫⵆᷚᢚẗⵆં ѱὢᐂེ↯ⵆ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA 1: ……

2: public double roledice() {

3: return Math.random();

4: }

5: }

java.lang.Math ⡢྆᪒὆random() ቂ᥺ೊંseedᅪᾚᤒ ⵎᨆᶴ؞ഺጦᶾỲⷆⵆ૒.

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA 1: import java.util.Random;

2: import java.util.Date;

3: ……

4: public int roledice() {

5: Random r = new Random();

6: // setSeed() ቂ᥺ೊᅪᢚẗⵢᤊrἲ᷶☏ᕶϮઓⵊlong⢮έἪ၊ᤒ ⵊ૒.

7: r.setSeed(new Date().getTime());

8: // ࢊᨆᣋ᤟

9: return (r.nextInt()%6) + 1;

10: }

11: }

java.util.Random ⡢྆᪒ંseedᅪᾚᤒ ⵆ↮ᴸᴲலᇒᑶ૒ᅦࢊᨆᅪᣋ᤟ⵊ૒. ഞཪᤊ Random ⡢྆᪒ᅪᢚẗⵆંѱὢᓢ૒ᴶῲⵆ૒.

ཪ

.

␦ӎጦⶺ

[1] CWE-330 `ῶⵆ↮ᴸἮࢊᨆЀ὆ᢚẗ- http://cwe.mitre.org/data/definitions/330.html [2] SANS Top 25 2009 - (SANS 2009) Porus Defense - CWE ID 330 Use of Insufficiently

Random Values

4.

ῲᷛ`Ἢ၊῿תϮઓⵊ⫺Ὢ

(Files under Global Access)

Ϯ

.

 ὆

⫺Ὢ ᣋ᤟᫊ ૒ᅦ ἿẗⳲ၊צྖὢ ῿תⵎ ᨆ ὶં ὦ὾Ѐ(MODE_WORLD_READABLE, MODE_WORLD_WRITABLE)ἲᢚẗⵎҫẞᓢᴶ᤟ὢࢆጢҞ᤟ὢ♖ⵢఎᨆὶ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ ⫺Ὢᶾ૮ⵊ῿תպⵊἮ╊᥺ⵊἪ၊Ἆ↮ఆᶢᵪⵊ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA 1: public void onCreate(Bundle savedInstanceState) {

2: ¦¦¦¦super.onCreate(savedInstanceState);

3: ¦¦¦¦try {

4: ¦¦¦¦¦¦¦¦FileOutputStream fOut = openFileOutput("test", MODE_WORLD_READABLE);

5: ¦¦¦¦¦¦¦¦¦OutputStreamWriter out1 = new OutputStreamWriter(fOut);

6: ¦¦¦¦¦¦¦¦¦out1.write("Hello World");

7: ¦¦¦¦¦¦¦¦¦out1.close();

8: ¦¦¦¦¦¦¦¦¦fOut.close();

9: ¦¦¦¦¦} catch (Throwable t) {

10: ¦¦¦¦¦}

11: }

⫺Ὢ῿תպⵊἲMODE_WORLD_READABLEὢᎮ၊૒ᅦἿẗⳲ၊צྖὢ῿תⵎᨆὶ૒.

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA

1: public void onCreate(Bundle savedInstanceState) {

2: ¦¦¦¦super.onCreate(savedInstanceState);

3: ¦¦¦¦try {

4: ¦¦G ¦¦¦¦¦¦FileOutputStream fOut = openFileOutput("test", MODE_PRIVATE);

5: ¦¦¦¦¦¦¦¦OutputStreamWriter out1 = new OutputStreamWriter(fOut);

6: ¦¦¦¦¦¦¦¦out1.write("Hello World");

7: ¦¦¦¦¦¦¦¦out1.close();

8: ¦¦¦¦¦¦¦¦fOut.close();

9: ¦¦¦¦} catch (Throwable t) {

10: ¦¦¦¦}

11: }

Ṧᕮᶾᤊ῿תⵎᨆᶴல။MODE_PRIVATE၊պⵊἲᤒ ⵆᷮ૒.

ཪ

.

␦ӎጦⶺ

[1] http://developer.android.com/index.html

5.

Ṧᕮᶾᤊ῿תⵆᷚ⹊᤟⹂Ϯઓⵊ⛢⯚ࣺ⪦

(Exported Access to Components)

Ϯ

.

 ὆

ᴶೊ၊ὢೊᵎ⳺ᆚ⛮ὢ᥆ᶾᤊmanifest.xml ⫺Ὢᶾandroid:exported="true"၊ᤒ ఆ ᶢ ὶં ⛢⯚ࣺ⪦ં Ṧᕮᶾᤊ ⵢ૧ ⛢⯚ࣺ⪦ᶾ ὦ⤾⪦ᅪ ῲ૚ⵆᷚ ⹊᤟⹂ ᫊⢚ ᨆ ὶ૒. ὢҫẞⵢ૧⛢⯚ࣺ⪦ϮẾ྆὆லⵆ↮ᴸᵆ୆᢯⹗ᶾᤊᨆ⵷ἲ᫊὿ⵖἪ၊᭖ ᫊᪒⥊ᓢᴶᶾ♖ⵢᅪϮ…Ḛᨆὶ૒. ෾ⵊὢ࿚ⵊ὿ᶳẂ⒛ἮேὪⵊὦ⤾⪦ⴲ⤞ᅪ ᢚẗⵆં⛢⯚ࣺ⪦Ϯᷚ࿚Њὦҫẞὦ⤾⪦ᅪཪẞ⫳ⵆંᆚ⁦ᑲ(resolver) ᵏ⫞ᘲ⫞ Ϯே὿ⵆѺఆӎᆚ⁦ᑲᵏ⫞ᘲ⫞ᅪ⦣ⵢཪẞ⫳ఆંὦ⤾⪦ંSystem ࿶ᒖᢚẗ὾պ ⵊἪ၊ᦏᫎ὾὆IDϮᐂߺᶢῲᦏఆᎮ၊ᓢᴶ♖ⵢ὆Ỳⷆὢ⛒↲૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ ⛢⯚ࣺ⪦ᶾ૮ⵊ῿תպⵊἲṦᕮᶾ ӣⵆ↮ᴸἮѱὢᐂེ↯ⵆ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA

1: <?xml version="1.0" encoding="utf-8"?>

2: <manifest xmlns:android="http://schemas.android.com/apk/res/android"

3: ¦¦¦¦package="com.example.android.samplesync" android:versionCode="1" an-droid:versionName="1.0">

4: ……

5: ¦<application android:icon="@drawable/icon" android:label="@string/label">

6: ¦¦¦¦¦<service android:name=".syncadapter.SyncService" android:exported="true">

7: ¦¦¦¦¦¦¦¦¦<intent-filter>

8: ¦¦¦¦¦¦¦¦¦¦¦¦¦<action android:name="android.content.SyncAdapter"/>

9: ¦¦¦¦¦¦¦¦¦</intent-filter>

10: ¦¦¦¦¦¦¦¦¦<meta-data android:name="android.content.SyncAdapter"

11: ¦¦¦¦¦¦¦¦¦¦¦¦¦android:resource="@xml/syncadapter"/>

12: ¦¦¦¦¦¦¦¦¦<meta-data android:name="android.provider.CONTACTS_STRUCTURE"

13: ¦¦¦¦¦¦¦¦¦¦¦¦¦android:resource="@xml/contacts"/>

14: ¦¦¦¦¦</service>

15: ¦</application>

16: ¦<uses-sdk android:minSdkVersion="5"/>

17: </manifest>

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA 1: <?xml version="1.0" encoding="utf-8"?>

2: <manifest xmlns:android="http://schemas.android.com/apk/res/android"

3: ¦¦¦¦package="com.example.android.samplesync" android:versionCode="1" an-droid:versionName="1.0">

4: ……

5: ¦<application android:icon="@drawable/icon" android:label="@string/label">

6: ¦¦¦¦¦<service android:name=".syncadapter.SyncService" android:exported="false">

7: ¦¦¦¦¦¦¦¦¦<intent-filter>

8: ¦¦¦¦¦¦¦¦¦¦¦¦¦<action android:name="android.content.SyncAdapter"/>

9: ¦¦¦¦¦¦¦¦¦</intent-filter>

10: ¦¦¦¦¦¦¦¦¦<meta-data android:name="android.content.SyncAdapter"

11: ¦¦¦¦¦¦¦¦¦¦¦¦¦android:resource="@xml/syncadapter"/>

12: ¦¦¦¦¦¦¦¦¦<meta-data android:name="android.provider.CONTACTS_STRUCTURE"

13: ¦¦¦¦¦¦¦¦¦¦¦¦¦android:resource="@xml/contacts"/>

14: ¦¦¦¦¦</service>

15: ¦</application>

16: ¦<uses-sdk android:minSdkVersion="5"/>

17: </manifest>

android:exported ᥻᤟ἲ"false"၊ᤒ ⵆўࢆᤒ ἲ ўⵆቢⵢ૧᥻᤟ὢ"false"Ϯఆᶢ Ṧᕮ၊ᕮ⤞὆՚ேὢ␖૖ఊ૒.

ཪ

.

␦ӎጦⶺ

[1] http://developer.android.com/index.html

6.

ӣἎᴲὢംᶾ὆ⵊ῿ת ᶢ⦣Ӫ

(Access Control Bypass using Share User ID)

Ϯ

.

 ὆

Manifest.xml ⫺Ὢ὆manifest ⣊צᶾandroid:sharedUserId ᥻᤟ἲ ᤒ ⵎ ҫẞ ЇἮ ᴲὢംḮᤊታἲᢚẗⵖἪ၊᭖૒ᅦἿẗⳲ၊צྖὢⵢ૧Ⳳ၊צྖ὆ ᓢᅪ῿תⵎᨆ ὶѺఊ૒. ὢᅪ⦣ⵆᷚ὆ல`ᏽᘲ὆ல`Ἢ၊ⵢ૧Ⳳ၊צྖ὆ጢҞ᤟Ӫᓢᴶ᤟ὢ♖ ⵢఎᨆὶ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ ӣἎᴲὢംᤒ ἲⵆ↮ᴸંѱὢᐂེ↯ⵆ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA 1: ……

2: <manifest xmlns:android="http://schemas.android.com/apk/res/android"

3: ¦¦¦¦¦¦¦¦package="com.example.android.apis"¦

4: ¦¦¦¦android:versionCode="1"¦

5: ¦¦¦¦android:versionName="1.0"¦

6: ¦¦¦¦android:sharedUserId="android.uid.developer1">

Manifest.xml ⫺Ὢ὆manifest ⣊צᶾandroid:sharedUserId ᥻᤟ἲ ᤒ ⵆӎ ὶᶢ ЇἮ sharedUserId ⣊צЀӪἿẗⳲ၊צྖᤊታἲϮ↲૒ᅦἿẗⳲ၊צྖὢὢⳲ၊צྖ὆ኖ ೎୞ὢ⤞ᶾ῿תⵎᨆὶ૒.

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA

1: ……

2: <manifest xmlns:android="http://schemas.android.com/apk/res/android"

3: ¦¦¦¦¦¦¦¦package="com.example.android.apis"¦

4: ¦¦¦¦android:versionCode="1"¦

5: ¦¦¦¦android:versionName="1.0">

6: <!-- android:sharedUserId="android.uid.developer1" ᢛ ⵊ૒. -->¦G

Manifest.xml ⫺Ὢ὆manifest ⣊צᶾandroid:sharedUserId ᥻᤟ἲᤒ ⵆ↮ᴸᴲᵪ, ᴲὢം ӣἎ၊ὦⵊ୞ὢ⤞὆Ἆ▊ὢࢆᕮ`ῶⵊ῿תỲⷆἲᐗ↮ⵎᨆὶ૒.

ཪ

.

␦ӎጦⶺ

[1] http://developer.android.com/index.html

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA

1: public class UA367 extends Activity {

2: @override

3: ¦¦¦public void onCreate(Bundle savedInstanceState) {

4: ¦¦¦¦¦¦¦¦super.onCreate(savedInstanceState);

5: ¦G ¦¦¦¦¦¦¦¦¦¦¦¦FileAccessThread fileAccessThread = new FileAccessThread();

6: ¦¦¦¦¦¦¦¦¦¦¦¦¦¦FileDeleteThread fileDeleteThread = new FileDeleteThread();

7: ¦¦¦¦¦¦¦¦¦¦¦¦¦¦fileAccessThread.start();

8: ¦¦¦¦¦¦¦¦¦¦¦¦¦¦fileDeleteThread.start();

9: ¦¦¦¦}

10: }

11: ¦¦

12: class FileAccessThread extends Thread {

13: public void run() {

14: try {

15: File f = new File("Test_367.txt");

16: if (f.exists()) { // ᆺᵫ⫺Ὢὢ⁢ᾚⵆቢ⫺ὪࢢẗἲὫἺ

17: BufferedReader br = new BufferedReader(new FileReader(f));

18: br.close();

19: }

20: } catch(FileNotFoundException e) {

21: System.out.println("Exception Occurred") ; //᷶Ṧ⒆ᆚ

4

ῶ ᫊ϲᏽ᢯⣊

᫊ϲӪ ᢯⣊ᶾ ૮ⵊ ◖ᵫ῾ὢ཮ Ⳳ၊צྖ὆ ே὿ Ӫ ᶾᤊ ᫊ϲ` Њाἲ ⯚ⵖⵊ Њा (Ⳳ၊ᤦ᪒⸧Ἦ᪒࿶ೊ೟)ὢࢆ᫊᪒⥊᢯⣊ᶾ૮ⵊ ᓢ(὾Ếᾎ׶ὢࢆᤦ᥆ ᓢ)ᶾӮဖఊ ◖ᵫ῾ἲ ᆾⵊ૒. ὢ࿚ⵊ ◖ᵫ῾ᶾ ᥻ⵆં ѱ೒၊ં ୞ೊཫ(dead lock)ὢࢆ, ὾Ếᶾ ૮ⵊ ҫᾯ⁞Ѣ, ෾ંᤦ᥆ӎ␗೟ἲ೒ᨆὶ૒.

1.

ҫᾯ⁞Ѣ

:

Ѯᢚ᫊῾Ӫᢚẗ᫊῾

(Time-of-check Time-of-use (TOCTOU) Race Condition)

Ϯ

.

 ὆

ᒿယ᫒⵷⹆ҫ὆ἿẗⳲ၊צྖᶾᤊં὾Ếἲᢚẗⵆ؞ῲᶾ὾Ế὆᢯⣊ᅪѮᢚⵊ૒. צ ࿚ࢆ὾Ếἲᢚẗⵆં᫊῾ᶾ὾Ế὆᢯⣊ϮᒮⵆંҫẞϮὶ૒. ὢѱἪ၊ὦⵢⳲ၊צྖ ᶾᷚ࿚Ϯ↮ጦ , ⅷԾ␗᢯⣊, ҫᾯ⁞Ѣᏽ؞⢮ே؞⹂Ḓᅆ೟ὢᐊᣋⵎᨆὶ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ ӣἎ὾Ế(᷶: ⫺Ὢ)ἲᷚ࿚᪒࿶ೊϮ῿תⵆᷚᢚẗⵎҫẞ, ே؞⹂՚ጦἲὢẗⵆᷚⵊ ᑶᶾⵆࢆ὆᪒࿶ೊᆺ῿תϮઓⵆல။Ⳳ၊צྖἲ὿᤟ⵆᷚᵪⵊ૒.

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA

1: public class SA367 extends Activity¦G{

2: ¦¦¦¦public void onCreate(Bundle savedInstanceState) {

3: ¦¦¦¦super.onCreate(savedInstanceState);

4: ¦¦¦¦¦¦

5: ¦¦¦¦FileAccessThread fileAccess = new FileAccessThread();

6: ¦¦¦¦Thread first = new Thread(fileAccess);

7: ¦¦¦¦Thread second = new Thread(fileAccess);

8: ¦¦¦¦Thread third = new Thread(fileAccess);

9: ¦¦¦¦Thread fourth = new Thread(fileAccess);

10: ¦¦¦¦first.start();

11: ¦¦¦¦second.start();

12: ¦¦¦¦third.start();

13: ¦¦¦¦fourth.start();

14: ¦¦¦¦}

15: }

16: ¦¦

17: class FileAccessThread implements Runnable {¦¦¦¦G

18: ¦¦¦¦public synchronized void run() {¦¦¦¦¦¦¦¦G

22: } catch(IOException e) {

23: System.out.println("Exception Occurred") ; //᷶Ṧ⒆ᆚ

24: }

25: }

26:

27: class FileDeleteThread extends Thread {

28: public void run() {

29: try {

30: File f = new File("Test_367.txt");

31: if (f.exists()) { // ᆺᵫ⫺Ὢὢ⁢ᾚⵆቢ⫺Ὢἲᢛ ⵖ

32: f.delete();

33: }

34: } catch(FileNotFoundException e) {

35: System.out.println("Exception Occurred") ; //᷶Ṧ⒆ᆚ

36: } catch(IOException e) {

37: System.out.println("Exception Occurred") ; //᷶Ṧ⒆ᆚ

38: }

39: }

40: }

19: ¦¦¦¦G Gtry {¦¦¦¦¦¦¦¦¦¦¦G

20: ¦¦¦¦¦¦¦¦File f = new File("Test.txt");¦¦¦¦¦¦¦¦¦¦G

21: ¦¦¦¦¦¦¦¦if (f.exists()) { // ᆺᵫ⫺Ὢὢ⁢ᾚⵆቢ⫺ὪࢢẗἲὫἺ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦G

22: ¦¦¦¦¦¦¦¦G G GThread.sleep(100);¦¦¦¦¦G// ᫊ϲὢ᥺Ẃఆં὿ᶳἲϮ ⵖ¦¦¦¦¦¦¦¦¦G

23: ¦¦¦¦¦¦¦¦G G GBufferedReader br = new BufferedReader(new FileReader(f));

24: ¦¦¦¦¦¦¦¦System.out.println(br.readLine());¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦G

25: ¦¦¦G G G ¦¦¦¦¦br.close();¦¦¦¦¦¦¦¦¦¦¦¦G// ⫺ὪࢢẗἲኖాὫἮ⺲ᢛ 

26: ¦¦¦¦¦¦G G G ¦¦f.delete();¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦G

27: ¦¦¦¦¦¦G ¦}

28: ¦¦¦¦G G} catch (IOException e) {¦¦¦// ᷶Ṧ⒆ᆚ

29: ¦¦¦¦¦¦¦¦¦¦¦¦System.err.println("IOException occured");

30: ¦¦¦¦G G}¦G

31: ¦¦¦¦}¦G

32: }¦¦

ӣἎ὾Ế(᷶ᅪ೒ᶢ, ⫺Ὢ)ἲᷚ࿚᪒࿶ೊϮ῿תⵆᷚᢚẗⵎҫẞ, ே؞⹂՚ጦἲὢẗⵆ ᷚⵊᑶᶾⵆࢆ὆᪒࿶ೊᆺ῿תϮઓⵆல။ᒮҫⵊ૒.

ཪ

.

␦ӎጦⶺ

2.

 ૮၊ ᶢఆ↮ᴸἮᾚ֮

(Uncontrolled Recursion)

Ϯ

.

 ὆

ᾚ֮὆ᨊ⹆⺍ᨆᅪ ᶢⵆ↮ኩⵆᷚⵎ૧ఊቂኖᆚࢆⳲ၊צྖ᪒⣋೟὆὾ẾἲӪ૒ⵆѺ ᢚẗⵆቢỲⷆⵆ૒. ૮ᕮᕲ὆ҫẞ, ֮ࢗ⁞Ѣ(base case)ὢᶴંᾚ֮ંጢⵊᾚ֮ᶾᙎ↲૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ ጢⵊᾚ֮ᅪᐗ↮ⵆ؞Ỳⵆᷚኖ೎ᾚ֮⸦▊ἲ⁞Ѣጦᘂ࿛ὢࢆᐆᓣጦᘂ࿛ᴶᶾᤊᆺ ᨆ⵷ⵢᵪⵊ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA 1: ……

2: public int factorial(int n) {

3: // ᾚ֮⸦▊ὢ⁞Ѣጦ/ᐆᓣጦᘂ࿛ṦᕮᶾᤊὪᶢࢆቢ૮ᕮᕲጢⵊᾚ֮ᅪἎᐊⵊ૒.

4: return n * factorial(n - 1);

5: }

ᾚ֮`Ἢ၊  ὆ఆં ⵖᨆ὆ ҫẞ, ᾚ֮ ⸦▊ὢ ⁞Ѣጦ/ᐆᓣጦ ᘂ࿛ Ṧᕮᶾᤊ Ὢᶢࢆቢ ૮ᕮᕲጢⵊᾚ֮ᅪἎᐊⵊ૒.

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA 1: ……

2: public int factorial(int n) {

3: int i;

4: // ኖ೎ᾚ֮⸦▊Ἦ⁞Ѣጦὢࢆᐆᓣጦᘂ࿛ᴶᶾᤊὢზᶢ…ᵪⵊ૒.

5: if (n == 1) {

6: i = 1;

7: } else {

8: i = n * factorial(n - 1);

9: }

10: return i;

11: }

ኖ೎ ᾚ֮ ⸦▊Ἦ ⁞Ѣጦὢࢆ ᐆᓣጦ ᘂ࿛ ᴶᶾᤊ ᨆ⵷ⵆӎ `ῶⵊ ֮ࢗ⁞Ѣ ᤒ Ӫ ὦᨆ὆ᨆဢᷚᕮᅪ⹃ὦⵢᵪⵊ૒.

ཪ

.

␦ӎጦⶺ

5

ῶ ᶾ࿚⒆ᆚ

 ᢯`ὦᶾ࿚ંᢚῲᶾ ὆ఊ᷶Ṧᢚⵛὢ⪧ ⁞Ѣᶾᤊᐊᣋⵆંᶾ࿚ὢ቞, ᘲ ᢯`ὦᶾ࿚ં ᢚῲᶾ ὆ఆ↮ᴸἮ᢯⹗ᶾᤊᐊᣋⵆંᶾ࿚ὢ૒. Њᐊ὾ં ᢯`ὢўࢆᘲ ᢯`ὦᶾ࿚ᐊᣋᶾ ૮ᘲⵊᴶῲⵊᶾ࿚⒆ᆚზ⫢ἲᢚῲᶾ ὆ⵆӎ՚ⷲⵖἪ၊᭖ᶾ࿚⒆ᆚӪ ⃿ᶾᐊᣋⵎᨆὶં ᓢᴶỲⷿἲᢚῲᶾᐗ↮ⵎᨆὶ૒. ᶾ࿚ᅪ▗ᕲⵆѺ(෾ંῲⷮ) ⒆ᆚⵆ↮ᴸἲഺ⸧Ἦᶾ࿚ቂ᫊↮ᶾ ӪலⵆѺᆼἮ ᓢᅪ⯚ⵖⵆᷚὢᅪӣҗ὾Ϯᴳẗⵎᨆὶἲഺᓢᵫ◖ᵫ῾ὢᐊᣋⵎᨆὶ૒.

1.

Ḓᅆቂ᫊↮⦣ⵊ ᓢ०▊

(Information exposure through an error message)

Ϯ

.

 ὆

SW὆Ḓᅆቂ᫊↮ᅪ⦣ⵢ⹆ҫ, ᢚẗ὾, Ӯဖ୞ὢ⤞೟Ⳳ၊צྖࢢᕮ ᓢϮἎ▊ఎᨆὶ૒. ᷶၊, ᷶Ṧᐊᣋ᫊᷶Ṧὢᅲὢࢆ᪒⣋⪦࿶ὢ᪒ᅪ▊ဓⵆቢⳲ၊צྖࢢᕮ՚⁞ᅪᩫѺ⫺ᴳⵎᨆὶ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ ╊⁳ᢚẗ὾ᶾѺᐞ⯚ఆંSWᶾᤊંࢢᕮ՚⁞ࢆӣҗ὾ᶾ⹊ẗఎᨆὶંᏪϾⵊ ᓢ ᅪḒᅆቂ᫊↮၊▊ဓⵆ↮ᆾᴲᵪⵊ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA

1: ……

2: public void onCreate(Bundle savedInstanceState) {

3: super.onCreate(savedInstanceState);

4: try{ throw new IOException(); }

5: catch (IOException e) { e.printStackTrace(); }

6: }

᷶Ṧὢᅲὢࢆ᪒⣋⪦࿶ὢ᪒ᅪ▊ဓⵆቢⳲ၊צྖࢢᕮ ᓢϮἎ▊ఊ૒.

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA

1: ……

2: public void onCreate(Bundle savedInstanceState) {

3: super.onCreate(savedInstanceState);

4: try{

5: throw new IOException();

6: }

7: catch (IOException e) { System.out.println("᷶Ṧᐊᣋ"); }

8: }

᷶Ṧὢᅲὢࢆ᪒⣋⪦࿶ὢ᪒ᅪ▊ဓⵆ↮ᴸં૒.

ཪ

.

␦ӎጦⶺ

2.

Ḓᅆ᢯⹗ᶾ૮ⵊ⒆ᆚᕮᾚ

(Detection of Error Condition Without Action)

Ϯ

.

 ὆

Ḓᅆં⯚␗⵶ἪࢆצḒᅆᶾ૮ⵢᤊᴲጢ⁞♆லⵆ↮ᴸἪቢ, צ᢯⣊ᶾᤊҲ᥻Ⳳ၊צ ྖὢ᫒⵷ఆᎮ၊Њᐊ὾Ϯ὆லⵆ↮ᴸἮҞӪᅪ⓶྆ⵊ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ ᷶Ṧ෾ંḒᅆᅪ⯚␗(catch)ⵊҫẞצѱᶾ૮ⵊ`ῶⵊ⒆ᆚᅪⵢᵪⵊ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA

1: ……

2: private Connection conn;

3:

4: public Connection DBConnect(String url, String id, String password) {

5: try {

6: String CONNECT_STRING = url + ":" + id + ":" + password;

7: InitialContext ctx = new InitialContext();

8: DataSource datasource = (DataSource) ctx.lookup(CONNECT_STRING);

9: conn = datasource.getConnection();

10: } catch (SQLException e) {

11: // catch ᘂ။ὢᘲᶢὶἺ

12: } catch (NamingException e) {

13: // catch ᘂ။ὢᘲᶢὶἺ

14: }

15: return conn;

16: }

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA 1: ……

2: private Connection conn;

3:

4: public Connection DBConnect(String url, String id, String password) {

5: try {

6: String CONNECT_STRING = url + ":" + id + ":" + password;

7: InitialContext ctx = new InitialContext();

8: DataSource datasource = (DataSource) ctx.lookup(CONNECT_STRING);

9: conn = datasource.getConnection();

10: } catch (SQLException e) {

11: // Exception catchὢ⺲Exceptionᶾ૮ⵊ`ῶⵊ⒆ᆚᅪⵢᵪⵊ૒.

12: if ( conn != null ) {

13: try {

14: conn.close();

15: } catch (SQLException e1) {

16: conn = null;

17: }

18: }

19: } catch (NamingException e) {

20: // Exception catchὢ⺲Exceptionᶾ૮ⵊ`ῶⵊ⒆ᆚᅪⵢᵪⵊ૒.

21: if ( conn != null ) {

22: try {

23: conn.close();

24: } catch (SQLException e1) {

25: conn = null;

26: }

27: }

28: }

29: return conn;

30: }

᷶Ṧᅪ⯚␗(catch)ⵊ⺲, ϯϯ὆᷶Ṧᢚⵛ(Exception)ᶾ૮ⵆᷚ`ῶⵆѺ⒆ᆚⵢᵪⵊ૒.

ཪ

.

␦ӎጦⶺ

6

ῶ ❂ೊⱶ↶

὿᤟ḲႺఊⳲ၊צྖἮ؞ઓ᤟, ᫎ႞᤟, ᢚẗ᤟, Ἆ↮ᓢᨆ᤟, ⺖἖᤟, ὢ᫋᤟೟ἲ▗ ⵆ؞ Ỳⵆᷚ Ὢ  ᨆ⃮ᶾ ❂ೊⱶ↶ἲ Ἆ↮ⵆᷚᵪ ⵊ૒. Ⳳ၊צྖ ❂ೊϮ ࣶጢ ᓣᾏⵆቢ Ӯᆚ᤟, Ἆ↮ᓢᨆ᤟, Ϯள᤟ὢ ඖᶢ↶ ើ ᴲશཪ ૒ᅦ ᫊᪒⥊ᶾ ὢ᫋ⵆ؞ல ⾆೒቞, Ⳳ၊צྖᶾં ᴶῲ᤟ἲỲⷿⵎ◖ᵫ῾೒ὢ❂ೊᴶᶾᨖҖ…ὶἲϮઓ᤟ὢὶ૒.

1.

ࣾ⯚ὦ⤞ᷛ␦⁞

(NULL Pointer Dereference)

Ϯ

.

 ὆

ࣾ⯚ὦ⤞ᷛ␦⁞ં'Ὢᐆ`Ἢ၊צЋ⒢ϮNULLὢఎᨆᶴ૒'ཪӎⵆંϮ ἲỲᐆ⵶ ἲഺᐊᣋⵊ૒. ӣҗ὾Ϯ὆ல`Ἢ၊NULL ⯚ὦ⤞ᷛ␦⁞ᅪ᫒⵷ⵆંҫẞ, צҞӪᐊ ᣋⵆં᷶Ṧᢚⵛἲὢẗⵆᷚ▂⺲὆ӣҗἲҲ⹻ⵆં୞ᢚẗఎᨆὶ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ ࿶⭪࿞᪒(reference)ᶾ૮ⵊnullЀᷚᕮᅪѮᢚⵆᷚᴶῲⵊҫẞᶾᆺᢚẗⵢᵪⵊ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA 1: ……

2: public void f(boolean b) {

3: String cmd = System.getProperty("cmd");

4: // cmdϮnullὦ↮⒢⡚ⵆ↮ᴸᵆ૒.

5: cmd = cmd.trim();

6: System.out.println(cmd);

7: ……

Ỳ᷶ ં"cmd" ᥻᤟ὢⵛ᢯ ὆ఆᶢὶ૒ӎϮ ⵆӎὶ↮ᆺ, ӣҗ὾Ϯ"cmd" ᥻᤟ἲ ⁞὿ⵆቢ, cmdંnullὢఆӎtrim() ቂ᥺ೊ⸦▊᫊ࣾ⯚ὦ⤞᷶ṦϮᐊᣋⵆѺఊ૒.

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA 1: ……

2: public void f(boolean b) {

3: String cmd = System.getProperty("cmd");

4: // cmdϮnullὦ↮⒢⡚ⵆᷚᵪⵊ૒.

5: if (cmd != null) { md = cmd.trim();

6: System.out.println(cmd);

7: } else System.out.println("null command");

8: ……

ሪ΅cmdϮࣾὦ↮Ѯᢚⵊ⺲ᶾᢚẗⵊ૒.

ཪ

.

␦ӎጦⶺ

7

ῶ ⚏᩾⹂

᥺Ⳳ⪦ỖᶢϮ ⃿Ẃⵊ ୞ὢ⤞ࢆ ؞ઓ᤟ἲ ᕶ▗ᕲⵆѺ ⚏᩾⹂ ⵆં ҫẞ, ὦϮఊ ୞ὢ⤞Ḯ ὦϮఆ↮ᴸἮ୞ὢ⤞ᅪ՚ᕲⵆ↮ኩⵆѺఆᶢⶶẗఆ↮ᴸંᢚẗ὾೒ϲ὆୞ὢ⤞৲▊ὢ Ϯઓⵢ↲૒. ⚏᩾⹂ં૖ᨊ⽶Ὢᐆ᥺Ⳳ⪦ỖᶢЊᐊᐗᒃ᢯὆᢯ᤦⵊ՚ⷲࢢẗἲϾ▂ંὪ ើᴲશཪ᥺Ⳳ⪦Ỗᶢᓢᴶ☏ቢ὆ୂँἮ὆Ꮶ၊ᢚẗఊ૒.

1.

ӣẗቂ᥺ೊ၊ᕮ⤞ᆚ⤢ఊ

private

ᐞᷢ

-

Ἆ⸃ⴲೊ

(Private Array-Typed Field Returned From A Public Method)

Ϯ

.

 ὆

private၊ᤎᶦఊᐞᷢἲpublicἪ၊ᤎᶦఊቂ᥺ೊᅪ⦣ⵢᐆ⹆(return)ⵆቢ, צᐞᷢ὆࿶ ⭪࿞᪒ϮṦᕮᶾӣЊఆᶢṦᕮᶾᤊᐞᷢ὆ᨆ ⵎᨆὶ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ private၊ᤎᶦఊᐞᷢἲpublicἪ၊ᤎᶦఊቂ᥺ೊᅪ⦣ⵢᐆ⹆ⵆ↮ᴸல။ⵢᵪⵊ૒. ⴲẂⵊҫẞᐞᷢ὆ᓣ ᓦἲᐆ⹆ⵆўࢆ, ᒲல὆public ቂ᥺ೊᅪᤎᶦⵆᷚᢚẗⵊ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA

1: // private ὦᐞᷢἲpublicὦቂ᥺ೊϮreturnⵊ૒

2: private String[] colors;

3: public String[] getColors() { return colors; }

ቒᑲᒮᨆcolorsંprivate၊ᤎᶦఆᶶ↮ᆺpublicἪ၊ᤎᶦఊgetColors() ቂ᥺ೊᅪ⦣ⵢ referenceᅪᶩἲᨆὶ૒. ὢᅪ⦣ⵢ὆லⵆ↮ᴸἮᨆ ὢᐊᣋⵎᨆὶ૒.

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA 1: private String[] colors;

2: // ቂ᥺ೊᅪprivateἪ၊ⵆўࢆ, ᓣ ᓦᐆ⹆, ᨆ ⵆંpublic ቂ᥺ೊᅪᒲல၊ᆺ೎૒.

3: public void onCreate(Bundle savedInstanceState) {

4: super.onCreate(savedInstanceState);

5: String[] newColors = getColors();

6: }

7: public String[] getColors() {

8: String[] ret = null;

9: if ( this.colors != null ) {

10: ret = new String[colors.length];

11: for (int i = 0; i < colors.length; i++) { ret[i] = this.colors[i]; }

12: }

13: return ret;

private ᐞᷢ὆ᓣ ᓦἲᆺ೒ᶢᤊ, צѱἲᐆ⹆ⵆல။὿᤟ⵆቢprivate ᤎᶦఊᐞᷢᶾ૮ ⵊ὆லⵆ↮ᴸἮᨆ ἲᐗ↮ⵎᨆὶ૒.

ཪ

.

␦ӎጦⶺ

2. private

ᐞᷢ

-

Ἆ⸃ⴲೊᶾӣẗ୞ὢ⤞ⵎ૧

(Public Data Assigned to Private Array-Typed Field)

Ϯ

.

 ὆

publicἪ၊ᤎᶦఊ୞ὢ⤞෾ંቂ᥺ೊ὆ὦ὾Ϯprivate ᤎᶦఊᐞᷢᶾ΅ᾓఆቢ, private ᐞᷢἲṦᕮᶾᤊ῿תⵎᨆὶ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ publicἪ၊ᤎᶦఊ୞ὢ⤞Ϯprivate ᤎᶦఊᐞᷢᶾ΅ᾓఆ↮ᴸல။ⵊ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA 1: ……

2: // userRoles ⴲೊંprivateὢ↮ᆺ, publicὦsetUserRoles()ᅪ⦣ⵢṦᕮ὆ᐞᷢὢⵎ૧ఆቢ,

ᢚ᫒᢯public ⴲೊϮఊ૒.

3: private String[] userRoles;

4:

5: public void setUserRoles(String[] userRoles) {

6: this.userRoles = userRoles;

7: }

8: ……

userRoles ⴲೊંprivateὢ↮ᆺ, publicὦsetUserRoles()ᅪ⦣ⵢṦᕮ὆ᐞᷢὢⵎ૧ఆቢ, ᢚ᫒᢯public ⴲೊϮఊ૒.

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA

1: ……

2: // Ћ⒢Ϯ⡢྆᪒὆private memberᅪᨆ ⵆ↮ᴸல။ⵊ૒.

3: private String[] userRoles;

4:

5: public void setUserRoles(String[] userRoles) {

6: this.userRoles = new String[userRoles.length];

7: for (int i = 0; i < userRoles.length; ++i)

8: this.userRoles[i] = userRoles[i];

9: }

10: ……

έဓఊᐞᷢ὆referenceϮᴲ઺, ᐞᷢ὆"Ѐ"ἲprivate ᐞᷢ὆ⵎ૧ⵖἪ၊᭖private ቒᑲ ၊ᤊ὆῿תպⵊἲἎ↮᫊✊⃮૒.

ཪ

.

␦ӎጦⶺ

3.

᫊᪒⥊୞ὢ⤞ ᓢ৲▊

(Information Leak of System Data)

Ϯ

.

 ὆

᫊᪒⥊὆ࢢᕮ୞ὢ⤞ࢆംᑲسӮဖ ᓢϮӣЊఆቢ, ὢᅪ⦣ⵢӣҗ὾ᶾѺᴲὢംᶢᅪ  ӣⵆં೟ӣҗ὆ᘺᏦϮఊ૒.

ࢆ

.

ᴶῲⵊ❂ഗ؞ᒃ

▪ ംᑲسἲỲⵢ὿᤟ⵊ᫊᪒⥊ ᓢ▊ဓ❂ೊᅪኖాᢛ ⵢᵪⵊ૒.

૒

.

᷶ 

■ ᴶῲⵆ↮ᴸἮ❂ೊ὆᷶- Android-JAVA

1: ……

2: public void f() {

3: try { g(); }

4: catch (IOException e) {

5: // ᷶Ṧᐊᣋ᫊printf(e.getMessage())ᅪ⦣ⵢḒᅆቂ᫊↮ ᓢϮἎ▊ఊ૒.

6: System.err.printf(e.getMessage());

7: }

8: }

9: private void g() throws IOException { …… }

10: ……

᷶Ṧᐊᣋ᫊getMessage()ᅪ⦣ⵢḒᅆḮӮဖఊ᫊᪒⥊ᶾ࿚ ᓢ೟ᏪϾⵊ ᓢϮἎ▊ ఎᨆὶ૒.

■ ᴶῲⵊ❂ೊ὆᷶- Android-JAVA

1: ……

2: public void f() {

3: try { g(); }

4: catch (IOException e) {

5: // end userϮᓪᨆὶંḒᅆቂ᫊↮ ᓢᅪᣋ᤟ⵆ↮ᴸᴲᵪⵊ૒.

6: System.err.println("IOException Occured");

7: }

8: }

9: private void g() throws IOException { …… }

10: ……

Ϯ׷`ὢቢӣҗ὆ᘺᏦϮఎᨆὶંḒᅆḮӮဖఊ᢯ᤦⵊ ᓢં╊⁳ᢚẗ὾ᶾѺ० ▊ⵆ↮ᴸં૒.

ཪ

.

␦ӎጦⶺ

2

ᾓ ẗᶢ ᆚᏽᵫᶢⱊ

1

ῶ ẗᶢ ᆚ

▪ Advanced Encryption Standard (AES) : Ꮶ՛ ᕮⱊ⃮Ἢ၊↮ ఊᘂ။ᵂ⸦⸃᫋Ἢ၊ ὢῲ὆ DESᅪ૮⒢ⵆ቞, Ꮶ՛ⱊ⃮؞ᨎᷞ՚᥺(NIST)Ϯ5ल὆ⱊ⃮⹂Ӫ ἲўⒾ2001 ल11Ểᶾᷞᐗ ᓢ⒆ᆚⱊ⃮(FIPS 197)Ἢ၊ᐊⱊⵆᷮ૒.

▪ DES ᴺӎᆚↆ : DES(Data Encryption Standard)ᵂ⸦ંᵂ⸦⹂⢒Ḯᓣ⸦⹂⢒ϮЇἮ ૮♛⢒ ᵂ⸦၊ὢᵂ⸦ં૮♛ᘂ။ᵂ⸦၊ᤊ⮷ጦ὆ϯᘂ။὆ئὢϮ64ᘲ⪦ὢӎ, ⢒ Ϯ64ᘲ⪦ὢ቞, ᵂ⸦ጦὢ64ᘲ⪦ὦᵂ⸦ὢ૒. ῲᨆӣҗ(Brute Force)ӣҗᶾ὆ⵢᤊⵢளఆ ᶶ૒.

▪ Manifest ⫺Ὢ : ᴶೊ၊ὢೊẗᶢ⳺ᆚ⛮ὢ᥆὆պⵊ, ᆚ᥺᪒ᢚẗ೟ἲ ὆ⵊXML ጦᤊ

2

2

ῶ ᵫᶢⱊ

▪ ACL : Access Control List

▪ AES : Advanced Encryption Standard ▪ CSRF : Cross-Site Request Forgery ▪ CWE : Common Weakness Enumeration ▪ DES : Data Encryption Standard ▪ ESAPI : Enterprise Security API ▪ HTML : Hyper Text Markup Language

▪ HTTPS : Hypertext Transfer Protocol over Secure Socket Layer ▪ JAAS : Java Authentication and Authorization Service

▪ JDBC : Java Database Connectivity

▪ LDAP : Lightweight Directory Access Protocol ▪ MSB : Most Significant Bit

▪ OAEP : Optimal Asymmetric Encryption Padding ▪ OWASP : Open Web Application Security Project ▪ RSA : Ron Rivest, Adi Shamir, Leonard Adleman ▪ SHA : Secure Hash Algorithm

순번

제

․

개정일

변경 내용

비고

1

2

0

1

1

.6

.2

1

[

제정

]

SW

개발보안 가이드

V1

.

0

2

2

0

1

1

.8

.2

5

[

개정

]

o‘

붙임

3

.Andr

oi

d-

J

AVA

시큐어코딩 가이드

’

․

(

p.

2

)‘

상대디렉터리 경로 조작

’

에 대한

‘

안전한

소스코드 예제

’

수정

․

(

p.

1

5

)'

외부에서 접근하여 활성화 가능한 컴포넌

트

'

의

‘

가

.

정의

’

수정

V1

.

1

Andr

oi

d-

J

AVA

시큐어 코딩 가이드

201

1

년

6

월 초판 인쇄

201

1

년

6

월 초판 발행

201

1

년

9

월

2

판 인쇄

201

1

년

9

월

2

판 발행

발행처

행정안전부

(

ht

t

p:

//www.

mopa

s

.

go.

kr

)

인쇄처

한올

(

Te

l

:02-

227

9-

8494

)

<

비매품

>

□

본 보고서의 내용과 관련한 문의는 아래로 해 주시기 바랍니다

.

※

행정안전부

홈페이지

www.

mopas

.

go.

kr

대표전화

02

)2100

-

3633,29

27

※

한국인터넷진흥원