Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The ContentProvider class provides a mechanism for managing and sharing data with other applications. When sharing a provider’s data with other apps, access control should be carefully implemented to prohibit unauthorized access to your sensitive data.

There are three ways to limit access to your the content provider:

  • Public
  • Private
  • Restricted access

Public

By specifying the android:exported attribute in the AndroidManifest.xml file, a content provider is made public to other applications. For Android applications before API Level 16, a content provider is public unless explicitly specified android:exported="false". For example,

...

If a content provider is to be made public, the data stored in a provider may be accessed from other applications. Therefore, it should be designed to handle only nonsensitive information.

Private

You can make your provider private by specifying the android:exported attribute in the AndroidManifest.xml file. From API Level 17 and later, a content provider is private if you do not specify the attribute explicitly. For example,

...

If you do not need to share a content provider with other applications, it should be declared android:exported="false" in the manifest file. Note, however, in API Level 8 and earlier, even if you explicitly declare android:exported="false", your content provider is accessible from other apps.

Restricted Access

<<@TODO: flesh out more details, write these rules.>>

Noncompliant Code Example

MovatwiTouch, a Twitter client application, used a content provider to manage Twitter’s consumer key, consumer secret, and access token. However, the content provider was made public, which enabled applications installed on users’ devices to access this sensitive information.

Code indicating that the content provider has been published follows.The following entry in the AndroidManifest.xml does not have the android:exported attribute, which means, before API Level 16, the content provider is made public:

AndroidManifest.xml

...

Code Block
bgColor#FFCCCC
<provider android:name=".content.AccountProvider" android:authorities="jp.co.vulnerable.accountprovider" />

Proof of Concept

...

The following code shows how this could be exploited: 

Code Block
// check whether movatwi is installed.
try {
  ApplicationInfo info = getPackageManager().getApplicationInfo("jp.co.vulnerable", 0);[cjl5] 
} catch (NameNotFoundException e) {
  Log.w(TAG, "the app is not installed.");
  return;
}
// extract account data through content provider
Uri uri = Uri.parse("content://jp.co.vulnerable.accountprovider");
Cursor cur = getContentResolver().query(uri, null, null, null, null);[cjl6] 
StringBuilder sb = new StringBuilder();
if (cur != null) {
  int ri = 0;
  while (cur.moveToNext()) {
    ++ri;
    Log.i(TAG, String.format("row[%d]:", ri));
    sb.setLength(0);
    for (int i = 0; i < cur.getColumnCount(); ++i) {
      String column = cur.getColumnName(i);
      String value = cur.getString(i);
      if (value != null) {
        value = value.replaceAll("[\r\n]", "");
      }
      Log.i(TAG, String.format("\t%s:\t%s", column, value));
    }
  }
} else {
  Log.i(TAG, "Can't get the app information.");
}

 

Compliant Solution

The following entry in the AndroidManifest.xml file makes the content provider private so that other apps cannot access its the data:

Code Block
bgColor#CCCCFF
<provider android:name=".content.AccountProvider" android:exported="false" android:authorities="jp.co.vulnerable.accountprovider" />

Risk Assessment

Declaring a public content provider can leak sensitive information to malicious apps.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DRD01-J

medium

probable

low

P18

L1

Automated Detection

It is trivial to automatically detect when a content provider is declared public.

Related Vulnerabilities

Related Guidelines

Android Application Secure Design / Secure Coding Guidebook by JSSEC[cjl3] 

4.3. Creating/Using a Content Provider (2013/4/1 edition)using content providers
4.3.1.1. Creating/Using a using private content providerproviders
4.3.1.3. Creating/Using a using partner -limited content provider (white listing)content providers
4.3.1.4. Creating/Using a private content provider (signature permission)using in-house content providers
4.3.1.5. Creating/Using a using temporary permit content providerproviders
4.3.2.1. Never create a content provider to be used only within the app for Android Content provider that Is used only in an application cannot be created in android 2.2 (API Level 8) and beforeor earlier
4.3.2.2. Never publish a content provider which is intended to be used only within the applicationContent provider that is used only in an application must be set as private
4.3.2.4. Verify signature permission before useUse an in-house defined signature permission after verifying that it is defined by an in-house application

Bibliography

[JSSEC 2014]

 4.3. Creating/Using a Content Provider (2013/4/1 edition)


Image AddedImage AddedImage Added

Image Removed   Image Removed

 [cjl1]I think this should be “The following entry in the AndroidManifest.xml file will indicate whether the content provider has been published:”

 [cjl2]Does the following code need an introductory sentence? Is this heading descriptive enough?

 [cjl3]I cannot find Android Secure Coding Guidebook, but it needs to be added to the references and a citation used here ([JSSEC year])