Skip to content

Latest commit

 

History

History
105 lines (86 loc) · 7.77 KB

mitigations.md

File metadata and controls

105 lines (86 loc) · 7.77 KB

Mitigation Strategies Analysis for permissions-dispatcher/permissionsdispatcher

Mitigation Strategy: Rigorous Permission Request Justification and Review (PermissionsDispatcher-Specific)

  • Description:

    1. Documentation: For each permission requested using @NeedsPermission, developers must create a justification document.
    2. Justification Content: The document must include:
      • Necessity: Why the permission is essential for the feature.
      • Data Access: What specific data is accessed.
      • Data Usage: How the accessed data is used.
      • Data Protection: How the accessed data is protected.
      • Denial Handling: What happens if the permission is denied.
    3. Code Review Process:
      • Mandatory Check: Reviewers must verify the justification document for every @NeedsPermission.
      • Alignment Verification: Reviewers must ensure code uses the permission as described.
      • Challenge Requests: Reviewers should challenge any seemingly excessive requests.
      • Annotation Check: Verify correct usage of all PermissionsDispatcher annotations: @NeedsPermission, @OnShowRationale, @OnPermissionDenied, and @OnNeverAskAgain. This is crucial for ensuring the library is used as intended.

  • Threats Mitigated:

    • Over-Granting of Permissions (Principle of Least Privilege Violation): Severity: High. Directly addresses this by forcing justification of every @NeedsPermission.
    • Data Exposure: Severity: High. By linking data access/usage to @NeedsPermission, it prevents misuse.
    • Incorrect Annotation Usage: Severity: Medium. The annotation check ensures PermissionsDispatcher is used correctly, preventing logic errors.

  • Impact:

    • Over-Granting of Permissions: Significantly reduces risk by requiring justification for each @NeedsPermission.
    • Data Exposure: Reduces risk by ensuring transparency tied directly to PermissionsDispatcher usage.
    • Incorrect Annotation Usage: Prevents errors arising from misusing PermissionsDispatcher's core functionality.

  • Currently Implemented:

    • Partially. Justification documents are required for new features, but a retrospective review is needed. Code reviews include a permission check, but the annotation check needs to be more rigorous.

  • Missing Implementation:

    • Comprehensive review of all existing @NeedsPermission annotations.
    • Formal training on creating justifications and using PermissionsDispatcher annotations correctly.
    • Update code review checklist to explicitly include verification of all relevant annotations.

Mitigation Strategy: Graceful Degradation and Comprehensive Denial Handling (PermissionsDispatcher-Specific)

  • Description:

    1. @OnPermissionDenied Implementation:
      • User-Friendly Messages: @OnPermissionDenied methods must provide clear explanations.
      • Alternative Functionality: Offer alternatives if possible, without the denied permission.
      • No Crashes or Freezes: The app must never crash due to a denial.
      • No Sensitive Data Leakage: Error messages must not leak information.
      • No Bypassing: Code must not try to circumvent the denial handled by PermissionsDispatcher.
    2. @OnNeverAskAgain Implementation:
      • Settings Guidance: @OnNeverAskAgain methods must guide users to re-enable permissions in settings.
      • Avoid Nagging: Do not repeatedly prompt after "Never Ask Again."
    3. Testing (PermissionsDispatcher-Focused):
      • Denial Simulation: Create UI/integration tests simulating all denial scenarios handled by PermissionsDispatcher (both "Deny" and "Never Ask Again").
      • All Flows Tested: Test all code paths affected by PermissionsDispatcher's denial handling.

  • Threats Mitigated:

    • Poor User Experience: Severity: Medium. Directly addresses user experience when PermissionsDispatcher denies a request.
    • Application Instability: Severity: High. Prevents crashes caused by unhandled denials within PermissionsDispatcher's generated code.
    • Information Disclosure: Severity: Medium. Prevents leaks through error messages in @OnPermissionDenied.
    • Incorrect OnNeverAskAgain Handling: Severity: Medium. Ensures correct behavior when the user permanently denies a permission.

  • Impact:

    • Poor User Experience: Improves experience by providing clear explanations within PermissionsDispatcher's flow.
    • Application Instability: Eliminates crashes related to PermissionsDispatcher's denial handling.
    • Information Disclosure: Reduces leaks within @OnPermissionDenied methods.
    • Incorrect OnNeverAskAgain Handling: Ensures correct and respectful handling of permanent denials.

  • Currently Implemented:

    • Partially. @OnPermissionDenied methods exist, but consistency needs improvement. @OnNeverAskAgain handling is inconsistent. Basic denial testing exists, but not comprehensive for all PermissionsDispatcher scenarios.

  • Missing Implementation:

    • Review and refactor all @OnPermissionDenied and @OnNeverAskAgain methods.
    • Comprehensive automated tests covering all PermissionsDispatcher denial scenarios.
    • Implement alternative functionality where feasible.

Mitigation Strategy: Clear and Concise Rationales (PermissionsDispatcher-Specific)

  • Description:

    1. @OnShowRationale Content:
      • Plain Language: Rationales (in @OnShowRationale) must be clear and non-technical.
      • Honest and Accurate: Accurately explain why the permission is needed.
      • Specific to the Feature: Tailor the rationale to the feature using the permission.
      • User-Centric: Focus on user benefits.
      • No Manipulation: Avoid coercive language.
    2. Review Process:
      • Rationale Text Review: Code reviews must check the rationale text in @OnShowRationale.
      • User Perspective: Evaluate from a non-technical user's viewpoint.
    3. Testing (PermissionsDispatcher-Focused):
      • UI Testing: Verify the rationale (from @OnShowRationale) is displayed correctly and is interactive.

  • Threats Mitigated:

    • User Mistrust: Severity: Medium. Builds trust through transparent explanations within PermissionsDispatcher's rationale flow.
    • Low Permission Grant Rate: Severity: Medium. Improves grant rates by making the request understandable.
    • Incorrect Rationale Handling: Severity: Medium. Ensures the @OnShowRationale method functions as intended.

  • Impact:

    • User Mistrust: Reduces mistrust by providing clear explanations via @OnShowRationale.
    • Low Permission Grant Rate: Improves grant rates by making the request clearer.
    • Incorrect Rationale Handling: Prevents issues with the rationale presentation managed by PermissionsDispatcher.

  • Currently Implemented:

    • Partially. @OnShowRationale methods are used, but rationale quality varies.

  • Missing Implementation:

    • Review and refactor all @OnShowRationale methods.
    • Establish guidelines for writing effective rationales.
    • Expand UI testing of rationale presentation (specifically testing PermissionsDispatcher's output).