
Check & request operation missing before using Environment.getExternalStorageDirectory()

Open aper-project opened this issue 3 years ago • 0 comments

Issue description

Hi, in RFAnalyzer v1.13, we found a dangerous API usage (https://github.com/demantz/RFAnalyzer/blob/master/app/src/main/java/com/mantz_it/rfanalyzer/MainActivity.java#L118) which requires Manifest.permission.WRITE_EXTERNAL_STORAGE in accordance with the Android official documentation (https://developer.android.com/reference/android/os/Environment?hl=en#getExternalStorageDirectory()).

However, it seems that it missed the “check” and “request” operations in the following call chain starting from the MainActivity.onCreate(Bundle savedInstanceState) activity if permission is not granted.

CALLCHAIN:
	com.mantz_it.rfanalyzer.MainActivity.onCreate(android.os.Bundle)void
	 android.os.Environment.getExternalStorageDirectory()java.io.File

This may lead to a SecurityException or related functions being unavailable if the user denies the storage permission but still calls the API in this chain, resulting in a bad user experience.

@demantz Could you help me review this issue? Thx

aper-project, Jul 31 '20 06:07
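
A check-and-request sequence of the kind the issue asks for, placed in front of the Environment.getExternalStorageDirectory() call. This is an added example, not code from RFAnalyzer or from the issue author. Assumptions: the activity name StorageGuardActivity, the request code, the "example-recordings" directory and the AndroidX compat classes are all hypothetical choices for illustration.

```java
import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.os.Environment;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;
import java.io.File;

// Hypothetical activity for illustration; not RFAnalyzer's MainActivity.
public class StorageGuardActivity extends Activity {
    private static final int REQ_STORAGE = 1;   // arbitrary request code (assumption)
    private File recordingDir;                  // may be null if no external storage is mounted

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // "Check": only touch shared storage when the permission is already held.
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.WRITE_EXTERNAL_STORAGE)
                == PackageManager.PERMISSION_GRANTED) {
            recordingDir = sharedStorageDir();
        } else {
            // Start on app-private external storage, which needs no permission on
            // API 19+, then "request" so the user can opt in to shared storage.
            recordingDir = getExternalFilesDir(null);
            ActivityCompat.requestPermissions(this,
                    new String[]{Manifest.permission.WRITE_EXTERNAL_STORAGE}, REQ_STORAGE);
        }
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions,
                                           int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_STORAGE) return;
        // An empty grantResults array means the dialog was cancelled: treat as denied.
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            recordingDir = sharedStorageDir();
        }
        // On denial recordingDir stays on the private directory; nothing else changes.
    }

    // Called only after the permission check has passed.
    private File sharedStorageDir() {
        File dir = new File(Environment.getExternalStorageDirectory(), "example-recordings");
        // Fall back to the private directory if the shared one cannot be created.
        return (dir.isDirectory() || dir.mkdirs()) ? dir : getExternalFilesDir(null);
    }
}
```

Environment.getExternalStorageDirectory() is deprecated as of API level 29, so on newer targets the getExternalFilesDir(null) path used here as the fallback is the one to prefer for app-owned files.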