[FIXED] External Storage vulnerability in xamarin


The security scan report showing message as:
The mobile application can access external storage (e.g. SD card) in read or write mode. The application’s data stored on the external data storage may be accessed by other applications (including malicious ones) under certain conditions and bring risks of data corruption or tampering.
We have using below below code:

            var directory = global::Android.OS.Environment.ExternalStorageDirectory.AbsolutePath;
            directory = Path.Combine(directory, Android.OS.Environment.DirectoryDownloads);
            string file = Path.Combine(directory.ToString(), WebUtility.UrlEncode(customWebView.Uri));

            var documentsPath =System.Environment.GetFolderPath(System.Environment.SpecialFolder.Personal);
            var filePath1 = Path.Combine(documentsPath, WebUtility.UrlEncode(customWebView.Uri));


<application android:label="TL" android:allowBackup="false" android:icon="@drawable/app_icon" android:requestLegacyExternalStorage="true">
    <meta-data android:name="com.google.android.maps.v2.API_KEY" android:value="AIzaSyDVTkBTiMl0e2KhzJcuCibAoykSSGEEm6E" />
    <meta-data android:name="com.google.android.gms.version" android:value="@integer/google_play_services_version" />
    <receiver android:name="com.google.firebase.iid.FirebaseInstanceIdInternalReceiver" android:exported="false" />
    <receiver android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver" android:exported="true" android:permission="com.google.android.c2dm.permission.SEND">

Please help sortout this issue


You are using Public external files.
Public files are files that exist on external storage that are not stored in the directory that Android allocates for private files. Public files will not be deleted when the app is uninstalled.

You can try to use Private external files.

Private external files are considered to be specific to an application (similar to internal files) but are being kept on external storage for any number of reasons (such as being too large for internal storage). Similar to internal files, these files will be deleted when the app is uninstalled by the user.
The primary location for private external files is found by calling the method:

Android.Content.Context.GetExternalFilesDir(string type).

You can also use directory DirectoryDownloads(PRIVATE_EXTERNAL_STORAGE/Download) .

For more details, you can check : Private external files.

Answered By – Jessie Zhang -MSFT

Answer Checked By – Willingham (Easybugfix Volunteer)

Leave a Reply

(*) Required, Your email will not be published