
AL

Isolated Storage is no guarantee of security

During code reviews and the analysis of partner apps, I have often noticed that centralized "Isolated Storage Management" codeunits are created which have getter and setter procedures. This is certainly nice from a code structuring point of view, but from a security point of view it's a nightmare.

The AppSourceCop gives an indication of the security problem:

AppSourceCop Warning AS0081 - InternalsVisibleTo should not be used as a security feature.

The InternalsVisibleTo setting will expose your internal objects to any extension with the given name, publisher, and ID. Access modifiers are not designed to be used as a security boundary, but for API development.

Source

This message is unfortunately ignored far too often, but it is really important!
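
The centralized getter/setter pattern described above, next to a narrower alternative, as an added AL example that is not code from the original post or from any partner app. Object IDs, object names, the storage key and the URL are hypothetical, and replacing the getter with a local `[NonDebuggable]` procedure is an assumption about one reasonable design, not something quoted from the page.

```al
// Added illustration: object IDs, names, storage key and URL are hypothetical.
// Pattern described above: a central wrapper with a setter and a getter.
// Access = Internal hides it only from extensions NOT listed in
// internalsVisibleTo; a listed extension can call GetValue() for any key.
codeunit 50100 "Isolated Storage Mgt."
{
    Access = Internal;

    procedure SetValue(StorageKey: Text; StorageValue: Text)
    begin
        IsolatedStorage.Set(StorageKey, StorageValue, DataScope::Module);
    end;

    procedure GetValue(StorageKey: Text) StorageValue: Text
    begin
        if IsolatedStorage.Get(StorageKey, DataScope::Module, StorageValue) then;
    end;
}

// Narrower alternative (assumed design): no getter at all. The secret is read
// inside a local, non-debuggable procedure; only a Boolean leaves the codeunit.
codeunit 50101 "Partner API Connector"
{
    Access = Internal;

    var
        ApiKeyTok: Label 'PartnerApiKey', Locked = true;

    procedure StoreApiKey(ApiKey: Text)
    begin
        IsolatedStorage.Set(ApiKeyTok, ApiKey, DataScope::Module);
    end;

    procedure TestConnection(): Boolean
    var
        Client: HttpClient;
        Response: HttpResponseMessage;
    begin
        if not AddAuthorization(Client) then
            exit(false);
        exit(Client.Get('https://api.example.invalid/ping', Response) and Response.IsSuccessStatusCode());
    end;

    [NonDebuggable]
    local procedure AddAuthorization(var Client: HttpClient) Ok: Boolean
    var
        ApiKey: Text;
    begin
        Ok := IsolatedStorage.Get(ApiKeyTok, DataScope::Module, ApiKey);
        if Ok then
            Client.DefaultRequestHeaders().Add('Authorization', 'Bearer ' + ApiKey);
    end;
}
```

In the second codeunit a caller admitted through `internalsVisibleTo` can trigger `TestConnection()` or overwrite the key, but there is no procedure that returns the stored value.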