Validate Your File Inputs, Please

Some apps, and some devices, rely on the “magic file” or “magic directory” approach for finding files for input. They basically monitor some particular path on external storage (or, for devices, perhaps removable storage). When the magic file shows up, or a file is added to the magic directory, the app or device assumes that the file is something the user wants to be applied, and so the app or device reads in the file and does something with it automatically.

This is risky.

In particular, if an attacker can convince something else to write a file to the magic location, the attacker can arrange for any file to be consumed by the app or device. This can be almost trivial for an attacker to arrange if a poor choice of magic location is used (e.g., the Downloads directory on external storage, where browsers often write files).

Monitoring a magic location itself is not great, particularly if you use CPU- or RAM-wasting means to do so (e.g., a long-running service and a FileObserver). But, at minimum, do not automatically do something with the file. Instead, display a Notification or otherwise get confirmation from the user, on the device, before proceeding.

Also, if the file to be consumed is a ZIP archive, please unpack it safely. This is particularly important for those of you using the multidex backport or other forms of dynamic classpath manipulation, as an attacker can inject malicious code into your app via a carefully crafted ZIP file that you carelessly unpack.
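
One way to unpack defensively, as an added example that is not code from the original post: it assumes "safely" means rejecting any entry whose resolved path lands outside the target directory and capping the entry count and expanded size. The class name `SafeUnzip` and both limits are hypothetical.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

// Added example: hypothetical helper, not part of any library.
public final class SafeUnzip {
    // Assumed limits for illustration; size them for your own file format.
    private static final long MAX_TOTAL_BYTES = 50L * 1024 * 1024;
    private static final int MAX_ENTRIES = 1024;

    public static void unzip(File zipFile, File destDir) throws IOException {
        String destRoot = destDir.getCanonicalPath() + File.separator;
        long total = 0;
        int entries = 0;
        byte[] buffer = new byte[8192];
        try (ZipInputStream zis = new ZipInputStream(new FileInputStream(zipFile))) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                if (++entries > MAX_ENTRIES) throw new IOException("Too many entries");
                File target = new File(destDir, entry.getName());
                // Entry names are attacker-controlled. Canonicalizing resolves "../"
                // segments, so the prefix check catches names that climb out of destDir.
                if (!target.getCanonicalPath().startsWith(destRoot)) {
                    throw new IOException("Entry escapes target dir: " + entry.getName());
                }
                File dir = entry.isDirectory() ? target : target.getParentFile();
                if (!dir.isDirectory() && !dir.mkdirs()) {
                    throw new IOException("Cannot create " + dir);
                }
                if (entry.isDirectory()) continue;
                try (OutputStream out = new FileOutputStream(target)) {
                    int n;
                    while ((n = zis.read(buffer)) != -1) {
                        // Count bytes actually read; the size stored in the entry
                        // header is also attacker-controlled and may be absent.
                        total += n;
                        if (total > MAX_TOTAL_BYTES) throw new IOException("Archive too large");
                        out.write(buffer, 0, n);
                    }
                }
            }
        }
    }
}
```

Unpack into a directory on internal storage that only your app can write to, and treat any `IOException` as a reason to discard everything extracted so far.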