diff --git a/libwvdrmengine/cdm/src/file_store.cpp b/libwvdrmengine/cdm/src/file_store.cpp
index 131ebe5e..ceb906e2 100644
--- a/libwvdrmengine/cdm/src/file_store.cpp
+++ b/libwvdrmengine/cdm/src/file_store.cpp
@@ -48,6 +48,8 @@ File::~File() {
 bool File::Open(const std::string& name, int flags) {
   std::string open_flags;
 
+  // ensure only owners has access
+  mode_t old_mask = umask(077);
   if (((flags & File::kTruncate) && Exists(name)) ||
       ((flags & File::kCreate) && !Exists(name))) {
     FILE* fp = fopen(name.c_str(), "w+");
@@ -67,6 +69,7 @@ bool File::Open(const std::string& name, int flags) {
     LOGW("File::Open: fopen failed: %d", errno);
   }
   impl_->file_path_ = name;
+  umask(old_mask);
   return impl_->file_ != NULL;
 }
 
@@ -253,7 +256,7 @@ bool File::CreateDirectory(std::string path) {
   size_t pos = path.find(kDirectoryDelimiter, 1);
   while (pos < size) {
     path[pos] = '\0';
-    if (mkdir(path.c_str(), 0775) != 0) {
+    if (mkdir(path.c_str(), 0700) != 0) {
       if (errno != EEXIST) {
         LOGW("File::CreateDirectory: mkdir failed: %d\n", errno);
         return false;
@@ -264,7 +267,7 @@ bool File::CreateDirectory(std::string path) {
   }
 
   if (path[size - 1] != kDirectoryDelimiter) {
-    if (mkdir(path.c_str(), 0775) != 0) {
+    if (mkdir(path.c_str(), 0700) != 0) {
       if (errno != EEXIST) {
         LOGW("File::CreateDirectory: mkdir failed: %d\n", errno);
         return false;