Identifying Content Provider Security Flaws

One of the most common security vulnerabilities in Android is unprotected content providers. Content providers are an elegant method by which Android makes data available to applications. Android itself has providers for a variety of internal data such as contacts, SMS, photos, etc. It's straightforward for developers to create their own content providers and indeed I recommend doing so. Unfortunately, the default settings result in the content provider data being completely unprotected.

In a previous post, Identifying Android Security Vulnerabilities with the Mercury Assessment Framework, I examined the installation and configuration of the Mercury security assessment framework. Here, I explore what it takes to find a vulnerability in a content provider.

The first step is to get a list of all of the installed packages.

run app.package.list

This gives a long list of all the installed packages on the device under test. I’ve just shown the last few here:

com.example.android.livecubes
com.example.android.lunarlander
com.example.android.softkeyboard
com.ltree.expenses
com.ltree.phonegap
com.mwr.droidhg.agent
com.svox.pico
com.wwdev.mindgame
com.wwdev.mindgame.test
jp.co.omronsoft.openwnn

One in particular interests me: the com.ltree.expenses package.

Next: does the package use any content providers?

Let's investigate com.ltree.expenses a little further and see if it is using any content providers. The module app.provider.finduri searches a package looking for references to content providers.

run app.provider.finduri com.ltree.expenses

The results clearly show that the app is using the content providers shown below:

/data/app/com.ltree.expenses-1.apk:
content://com.ltree.expenses.expenses/expenses
content://com.ltree.expenses.expenses/expenses/

Try to exploit the content provider

We can now use app.provider.query to query the content provider

run app.provider.query content://com.ltree.expenses.expenses/expenses/

Which returns:

| amount | _id | incurred      | description |
| 777    | 1   | 1358726400000 | test ex     |

Immediately, we can see a problem. Without any permissions at all being granted to the Mercury Agent application, it was able to retrieve data from the content provider.

This is, unfortunately, a very common vulnerability and, frustratingly, very simple to fix.

To prevent data being accessed by unauthorised applications, the developer should modify the application manifest to either declare that the content provider is not exported:

[sourcecode language="xml" highlight="3"]
<provider android:authorities="com.ltree.expenses.expenses"
          android:name=".data.ExpensesProvider"
          android:exported="false">
</provider>
[/sourcecode]

or, if it really needs to be exported, specify a required permission:

[sourcecode lang="xml" highlight="3"]
<provider android:authorities="com.ltree.expenses.expenses"
          android:name=".data.ExpensesProvider"
          android:permission="com.ltree.expenses.PERM_CONTENT_PROVIDER">
</provider>
[/sourcecode]

The output below shows the results of attempting to query the content provider in each case.

android:exported="false"


java.lang.SecurityException: Permission Denial:
opening provider com.ltree.expenses.data.ExpensesProvider
from ... that is not exported from uid 10050

android:permission="com.ltree.expenses.PERM_CONTENT_PROVIDER"


java.lang.SecurityException: Permission Denial:
opening provider com.ltree.expenses.data.ExpensesProvider ...
requires com.ltree.expenses.PERM_CONTENT_PROVIDER
or com.ltree.expenses.PERM_CONTENT_PROVIDER
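
The same condition can be checked from the manifest itself before release. The following is an added example (not code from the original post or from Mercury) that audits a decoded AndroidManifest.xml for providers other apps can reach, and also reports a guarding permission whose protectionLevel is not signature, since a normal-level permission is granted to any app that requests it. The sample manifest, the HiddenProvider and GuardedProvider entries and the function audit_providers are constructed for illustration, and the code assumes the documented default that a provider is exported unless both minSdkVersion and targetSdkVersion are 17 or higher.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Constructed manifest (decoded text form) modelled on the provider in this post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.ltree.expenses">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <permission android:name="com.ltree.expenses.PERM_CONTENT_PROVIDER"/>
  <application>
    <provider android:authorities="com.ltree.expenses.expenses"
              android:name=".data.ExpensesProvider"/>
    <provider android:authorities="com.ltree.expenses.hidden"
              android:name=".data.HiddenProvider" android:exported="false"/>
    <provider android:authorities="com.ltree.expenses.guarded"
              android:name=".data.GuardedProvider"
              android:permission="com.ltree.expenses.PERM_CONTENT_PROVIDER"/>
  </application>
</manifest>"""

def audit_providers(manifest_xml):
    """Return {provider name: [findings]} for providers other apps can reach."""
    root = ET.fromstring(manifest_xml)
    sdk = getattr(root.find("uses-sdk"), "attrib", {})  # {} when <uses-sdk> is absent
    # Assumption: exported by default unless min and target SDK are both >= 17.
    min_sdk = int(sdk.get(A + "minSdkVersion", 1))
    target = int(sdk.get(A + "targetSdkVersion", min_sdk))
    default_exported = min(min_sdk, target) <= 16
    # A <permission> with no protectionLevel is "normal": any app may request it.
    levels = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
              for p in root.iter("permission")}
    findings = {}
    for prov in root.iter("provider"):
        if prov.get(A + "exported", str(default_exported).lower()) != "true":
            continue  # not reachable from other apps
        perm = prov.get(A + "permission")
        for access in ("read", "write"):
            # readPermission / writePermission override the general permission.
            guard = prov.get(A + access + "Permission", perm)
            level = levels.get(guard, "undeclared")
            if guard is None:
                issue = f"{access}: no permission required"
            elif level.startswith("signature"):
                continue  # only apps signed with the same key can hold it
            else:
                issue = f"{access}: {guard} is {level}, not signature"
            findings.setdefault(prov.get(A + "name"), []).append(issue)
    return findings

if __name__ == "__main__":
    print(audit_providers(SAMPLE_MANIFEST))
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text before this check can read it.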

As you can see, protecting content providers is important. A tool like Mercury makes it very easy to discover any flaws and the solution is simple.

Mike Way
