Android

Space shortcuts

Page tree

Versions Compared

Old Version 17

changes.mady.by.user Unknown User (lflynn)

Saved on

compared with

New Version 18

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: a test checker

...

If you do not need to share a content provider with other applications, it should be declared android:exported="false" in the manifest file. Note, however, in API Level 8 and earlier, even if you explicitly declare android:exported="false", your content provider is accessible from other apps.

Restricted Access

<<@TODO: flesh out more details, write these rules.>>

Noncompliant Code Example

...

The following code shows how this could be exploited:

Code Block
// check whether movatwi is installed.
try {
  ApplicationInfo info = getPackageManager().getApplicationInfo("jp.co.vulnerable", 0);[cjl5] 
} catch (NameNotFoundException e) {
  Log.w(TAG, "the app is not installed.");
  return;
}
// extract account data through content provider
Uri uri = Uri.parse("content://jp.co.vulnerable.accountprovider");
Cursor cur = getContentResolver().query(uri, null, null, null, null);[cjl6] 
StringBuilder sb = new StringBuilder();
if (cur != null) {
  int ri = 0;
  while (cur.moveToNext()) {
    ++ri;
    Log.i(TAG, String.format("row[%d]:", ri));
    sb.setLength(0);
    for (int i = 0; i < cur.getColumnCount(); ++i) {
      String column = cur.getColumnName(i);
      String value = cur.getString(i);
      if (value != null) {
        value = value.replaceAll("[\r\n]", "");
      }
      Log.i(TAG, String.format("\t%s:\t%s", column, value));
    }
  }
} else {
  Log.i(TAG, "Can't get the app information.");
}

 


Compliant Solution

The following entry in the AndroidManifest.xml file makes the content provider private so that other apps cannot access the data:

...

Declaring a public content provider can leak sensitive information to malicious apps.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DRD01-J

medium

probable

low

P18

L1

Automated Detection

Automated Detection

...

Tool

Version

Checker

Description

CodeSonar

Include Page
CodeSonar_V
CodeSonar_V

TEST.CHECKER

A Test Checker

Related Vulnerabilities

  • JVN#90289505 Content provider in MovatwiTouch fails to restrict access permissions

Related Guidelines

Android Application Secure Design / Secure Coding Guidebook by JSSEC

4.3. Creating/using content providers
4.3.1.1. Creating/using private content providers
4.3.1.3. Creating/using partner content providers
4.3.1.4. Creating/using in-house content providers
4.3.1.5. Creating/using temporary permit content providers
4.3.2.1. Content provider that Is used only in an application cannot be created in android 2.2 (API Level 8) or earlier
4.3.2.2. Content provider that is used only in an application must be set as private
4.3.2.4. Use an in-house defined signature permission after verifying that it is defined by an in-house application

Bibliography

[JSSEC 2014]

 4.3. Creating/Using a Content Provider (2013/4/1 edition)