SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • ShellShell
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
Java

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

  • All rules 733
  • Vulnerability60
  • Bug175
  • Security Hotspot40
  • Code Smell458

  • Quick Fix 65
Filtered: 20 rules found
android
    Impact
      Clean code attribute
        1. Processing persistent unique identifiers is security-sensitive

           Security Hotspot
        2. Exposing native code through JavaScript interfaces is security-sensitive

           Security Hotspot
        3. Bluetooth should be configured to use low power

           Code Smell
        4. Motion Sensor should not use gyroscope

           Code Smell
        5. Use Fused Location to optimize battery power

           Code Smell
        6. High frame rates should not be used

           Code Smell
        7. Exact alarms should not be abused

           Code Smell
        8. Proper Sensor Resource Management

           Code Smell
        9. Components should not be vulnerable to intent redirection

           Vulnerability
        10. Enabling file access for WebViews is security-sensitive

           Security Hotspot
        11. Enabling JavaScript support for WebViews is security-sensitive

           Security Hotspot
        12. Mobile database encryption keys should not be disclosed

           Vulnerability
        13. Using biometric authentication without a cryptographic solution is security-sensitive

           Security Hotspot
        14. Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive

           Security Hotspot
        15. Using clear-text protocols is security-sensitive

           Security Hotspot
        16. Accessing Android external storage is security-sensitive

           Security Hotspot
        17. Receiving intents is security-sensitive

           Security Hotspot
        18. Broadcasting intents is security-sensitive

           Security Hotspot
        19. Database queries should not be vulnerable to injection attacks

           Vulnerability
        20. URIs should not be hardcoded

           Code Smell

        Accessing Android external storage is security-sensitive

        intentionality - complete
        security
        Security Hotspot
        • cwe
        • android

        Storing data locally is a common task for mobile applications. Such data includes files among other things. One convenient way to store files is to use the external file storage which usually offers a larger amount of disc space compared to internal storage.

        Files created on the external storage are globally readable and writable. Therefore, a malicious application having the permissions WRITE_EXTERNAL_STORAGE or READ_EXTERNAL_STORAGE could try to read sensitive information from the files that other applications have stored on the external storage.

        External storage can also be removed by the user (e.g. when based on SD card) making the files unavailable to the application.

        Ask Yourself Whether

        Your application uses external storage to:

        • store files that contain sensitive data.
        • store files that are not meant to be shared with other application.
        • store files that are critical for the application to work.

        There is a risk if you answered yes to any of those questions.

        Recommended Secure Coding Practices

        • Use internal storage whenever possible as the system prevents other apps from accessing this location.
        • Only use external storage if you need to share non-sensitive files with other applications.
        • If your application has to use the external storage to store sensitive data, make sure it encrypts the files using EncryptedFile.
        • Data coming from external storage should always be considered untrusted and should be validated.
        • As some external storage can be removed, make sure to never store files on it that are critical for the usability of your application.

        Sensitive Code Example

        import android.content.Context;
        
        public class AccessExternalFiles {
        
            public void accessFiles(Context context) {
                context.getExternalFilesDir(null); // Sensitive
            }
        }
        

        Compliant Solution

        import android.content.Context;
        
        public class AccessExternalFiles {
        
            public void accessFiles(Context context) {
                context.getFilesDir();
            }
        }
        

        See

        • OWASP - Top 10 2021 Category A4 - Insecure Design
        • Android Security tips on external file storage
        • OWASP - Mobile AppSec Verification Standard - Data Storage and Privacy Requirements
        • OWASP - Mobile Top 10 2016 Category M2 - Insecure Data Storage
        • OWASP - Mobile Top 10 2024 Category M9 - Insecure Data Storage
        • CWE - CWE-312 - Cleartext Storage of Sensitive Information
          Available In:
        • SonarQube IdeCatch issues on the fly,
          in your IDE
        • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
        • SonarQube Community BuildAnalyze code in your
          on-premise CI
          Available Since
          9.1
        • SonarQube ServerAnalyze code in your
          on-premise CI
          Developer Edition
          Available Since
          9.1

        © 2008-2025 SonarSource SA. All rights reserved.

        Privacy Policy | Cookie Policy | Terms of Use