ANDROID STATIC ANALYSIS: Preference flagged as world-writable in spite of being package-private #2381

Closed
diveshpincha opened this issue Apr 29, 2024 · 2 comments

@diveshpincha

ENVIRONMENT

OS and Version: Darwin (darwin 23.4.0) macOS-14.4.1-arm64-arm-64bit
Python Version: 3.10
MobSF Version: Mobile Security Framework v3.9.8 Beta

EXPLANATION OF THE ISSUE

The issue happens only when obfuscation (code shrinking in particular) is enabled. Even though Context.private is used for Android shared preference initialisation, MobSF flags it as world-writable.
Using -dontshrink in the ProGuard rules removed the warning.

Even upon clicking viewFiles, the report takes us to the flagged line, where the visibility is set as 0 only (0 being private, while 1 is world-writable).

STEPS TO REPRODUCE THE ISSUE

1. The preference is being flagged from a library we use, which also has C++ files in it. Nothing else is peculiar about it.
2. When minify is enabled with shrinking, the preferences are flagged as world-writable in spite of the value being 0 (private).
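
For triaging a finding like the one reported above, the mode argument of each `getSharedPreferences` call can be checked directly in the decompiled source. The following is an added example, not code from the issue or from MobSF and not MobSF's detection rule; it uses Android's documented `Context` constants (`MODE_PRIVATE` = 0, `MODE_WORLD_READABLE` = 1, `MODE_WORLD_WRITEABLE` = 2). It assumes Java-like decompiled text, and the helper names (`call_args`, `resolve_mode`, `audit`) and the sample lines are constructed for illustration.

```python
import re

# Android Context mode flags (platform constants) and a Java int-literal pattern.
MODE_FLAGS = {"MODE_PRIVATE": 0, "MODE_WORLD_READABLE": 1, "MODE_WORLD_WRITEABLE": 2,
              "MODE_MULTI_PROCESS": 4, "MODE_APPEND": 0x8000}
LITERAL = re.compile(r"0[xX][0-9a-fA-F]+|0|[1-9]\d*")

def call_args(src, open_idx):
    """Split the call whose '(' sits at open_idx into top-level arguments."""
    args, depth, in_str = [""], 1, False
    for ch in src[open_idx + 1:]:
        if ch == '"':
            in_str = not in_str            # assumes no escaped quotes in literals
        elif not in_str and ch in "()":
            depth += 1 if ch == "(" else -1
            if depth == 0:                 # closing paren of the call itself
                return [a.strip() for a in args]
        elif not in_str and ch == "," and depth == 1:
            args.append("")
            continue
        args[-1] += ch
    return []                              # unbalanced call: nothing to judge

def resolve_mode(expr):
    """OR integer literals and MODE_* names together; None if a term is unknown."""
    value = 0
    for term in expr.split("|"):
        term = term.strip().split(".")[-1]  # Context.MODE_PRIVATE -> MODE_PRIVATE
        flag = int(term, 0) if LITERAL.fullmatch(term) else MODE_FLAGS.get(term)
        if flag is None:
            return None                     # field, variable or obfuscated getter
        value |= flag
    return value

def audit(src):
    """Return (line, verdict) for every getSharedPreferences call in src."""
    out = []
    for m in re.finditer(r"getSharedPreferences\s*\(", src):
        args = call_args(src, m.end() - 1)
        mode = resolve_mode(args[1]) if len(args) == 2 else None
        verdict = ("unresolved" if mode is None else "world-writable" if mode & 2
                   else "world-readable" if mode & 1 else "private")
        out.append((src.count("\n", 0, m.start()) + 1, verdict))
    return out

# Constructed sample of decompiled, shrunk Java (not taken from the issue).
SAMPLE = '''c.getSharedPreferences("lib_prefs", 0);
c.getSharedPreferences(b.a(), 2);
c.getSharedPreferences("x,y", Context.MODE_PRIVATE | 1);
c.getSharedPreferences("z", this.d);'''
```

An `unresolved` verdict means the mode is not a constant at the call site and has to be traced by hand.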

👋 @diveshpincha
Issues are only for reporting a bug or feature request. For limited support, questions, and discussions, please join the MobSF Slack channel.
Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.

@ajinabraham (Member)

Please use Slack for support.
