diff --git a/java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.qhelp b/java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.qhelp index c9f65115f23..09431702008 100644 --- a/java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.qhelp +++ b/java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.qhelp @@ -4,30 +4,29 @@

- Android allows an application to install an APK (Android package kit) + Android allows an application to install an Android Package Kit (APK) using an Intent with the "application/vnd.android.package-archive" MIME type. If the file used in the Intent is from a location that is not - controlled by the application (for example, the SD card which is - universally writable), this can result in the installation of an - application which was not intended. + controlled by the application (for example, an SD card that is + universally writable), this can result in the unintended installation of untrusted applications.

- It is advised to transition to install packages using + You should install packages using the PackageInstaller class.

- If installation from a file is necessary, it is best to use + If you need to install from a file, you should use a FileProvider. Content providers can provide more specific permissions than file system permissions can.

- When your application does not require installing packages, do not add + When your application does not require package installations, do not add the REQUEST_INSTALL_PACKAGES permission in the manifest file.

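Review bot: the rewritten first paragraph still leaves the mechanism of the risk implicit. "this can result in the unintended installation of untrusted applications" tells the reader the outcome but not why a universally writable location is the problem; the second hunk's "may be altered by another application" is the actual point, and stating it here (the file can be replaced by another application between the time it is obtained and the time the Intent is handled) would make the recommendation to use PackageInstaller or a FileProvider follow naturally. Also, "You should install packages using the PackageInstaller class." now reads as an unconditional rule while the next paragraph still allows file-based installation; "Prefer installing packages using the PackageInstaller class." keeps the two paragraphs consistent.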
@@ -36,21 +35,21 @@

In the following (bad) example, the package is installed from a file which - may be altered by another application. + may be altered by another application:

In the following (good) example, the package is installed by using - a FileProvider. + a FileProvider:

In the following (good) example, the package is installed using an - instance of the android.content.pm.PackageInstaller class. + instance of the android.content.pm.PackageInstaller class:
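Review bot: the "(bad) example" sentence keeps "a file which may be altered by another application" while the first hunk changes "the SD card which is universally writable" to "an SD card that is universally writable"; for consistency within the same file, use "that" for the restrictive clause here as well ("a file that may be altered by another application:"). The added trailing colons are correct since each sentence introduces the example block that follows.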