Android

Space shortcuts

Page tree

Versions Compared

Old Version 3

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version 4

changes.mady.by.user Yozo TODA

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: revised according to [cjl1]

...

MovatwiTouch, a Twitter client application, used a content provider to manage Twitter’s consumer key, consumer secret, and access token. However, the content provider was made public, which enabled applications installed on users’ devices to access this sensitive information.

Code indicating that the content provider has been published follows.The following entry in the AndroidManifest.xml does not have android:exported attribute, which means, before API Level 16, the content provider is made public:

AndroidManifest.xml

...

Code Block
<provider android:name=".content.AccountProvider" android:authorities="jp.co.vulnerable.accountprovider" />

...

Android Secure Coding Guidebook by JSSEC[cjl3] 

4.3. Creating/Using a Content Provider (2013/4/1 edition)
4.3.1.1. Creating/Using a private content provider
4.3.1.3. Creating/Using a partner-limited content provider (white listing)
4.3.1.4. Creating/Using a private content provider (signature permission)
4.3.1.5. Creating/Using a temporary content provider
4.3.2.1. Never create a content provider to be used only within the app for Android 2.2 (API Level 8) and before
4.3.2.2. Never publish a content provider which is intended to be used only within the application
4.3.2.4. Verify signature permission before use

    [cjl1]I think this should be “The following entry in the AndroidManifest.xml file will indicate whether the content provider has been published:”

 [cjl2]Does the following code need an introductory sentence? Is this heading descriptive enough?

 [cjl3]I cannot find Android Secure Coding Guidebook, but it needs to be added to the references and a citation used here ([JSSEC year])