Android

exported=true setting, ContentProvider

우와해커 2019. 2. 28. 11:19


Content from the OWASP MSTG


The first step is to look at AndroidManifest.xml to detect content providers exposed by the app. 

You can identify content providers by the <provider> element. Complete the following steps:


1. Determine whether the value of the exported attribute is "true" (android:exported="true").

   - Even if it is not set explicitly, a component is treated as exported when an <intent-filter> has been declared for it. That rule applies to activities, services and broadcast receivers; a <provider> has no intent filters, and when its android:exported is omitted the default is "true" only if minSdkVersion or targetSdkVersion is 16 or lower, and "false" otherwise. Since Android 12 (API level 31), apps targeting API 31 or higher must declare android:exported explicitly on every activity, service and receiver that has an intent filter or the app will not install, so do not rely on defaults: set the attribute on every provider.
   - If the content is meant to be accessed only by the app itself, set android:exported to "false".
   - If not, set the flag to "true" and define proper read/write permissions.

2. Determine whether the data is being protected by a permission attribute (android:permission, or the finer-grained android:readPermission and android:writePermission). Permission attributes limit exposure to other apps; note that a permission with protectionLevel "normal" is granted to any app that requests it and therefore restricts nothing.

3. Determine whether the android:protectionLevel attribute of that permission has the value "signature". This setting indicates that the data is intended to be accessed only by apps signed with the same signing key (typically the same vendor). To make the data accessible to other apps, declare the permission with a <permission> element and set a proper android:protectionLevel. If you use android:permission, other applications must declare corresponding <uses-permission> elements in their manifests to interact with your content provider; for a "signature" permission the request is granted only when the signing certificates match. You can use the android:grantUriPermissions attribute to allow temporary, URI-level access for other apps (an Intent carrying FLAG_GRANT_READ_URI_PERMISSION or FLAG_GRANT_WRITE_URI_PERMISSION); set it to "false" and list the grantable paths in <grant-uri-permission> child elements to limit which URIs can be handed out.
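The three manifest checks above, shown as configuration. This is an added example, not taken from the MSTG or from any real app; the package name, authority, permission names and path prefix are assumptions. The first <provider> is the weak setting, the next two are the corrected forms; a real manifest keeps only one of them, since an authority can be registered once per device.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example; package, authority, permission names and paths are assumptions. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">

    <!-- Declared at manifest level (a sibling of <application>). "signature" means a
         requesting app is granted the permission only if it is signed with the same key. -->
    <permission
        android:name="com.example.notes.permission.READ_NOTES"
        android:protectionLevel="signature" />
    <permission
        android:name="com.example.notes.permission.WRITE_NOTES"
        android:protectionLevel="signature" />

    <application android:label="Notes">

        <!-- WEAK: reachable by every app on the device, no permission required, and
             grantUriPermissions="true" lets any URI under the authority be handed out.
             Check from a shell:
               adb shell content query --uri content://com.example.notes.provider/notes -->
        <provider
            android:name=".NotesProvider"
            android:authorities="com.example.notes.provider"
            android:exported="true"
            android:grantUriPermissions="true" />

        <!-- CORRECTED (private): the right fix when only this app needs the data. -->
        <provider
            android:name=".NotesProvider"
            android:authorities="com.example.notes.provider"
            android:exported="false" />

        <!-- CORRECTED (shared on purpose): exported, but gated by signature-level
             read/write permissions, and only URIs under /notes/shared/ may be granted
             temporarily through FLAG_GRANT_READ_URI_PERMISSION. -->
        <provider
            android:name=".NotesProvider"
            android:authorities="com.example.notes.provider"
            android:exported="true"
            android:readPermission="com.example.notes.permission.READ_NOTES"
            android:writePermission="com.example.notes.permission.WRITE_NOTES"
            android:grantUriPermissions="false">
            <grant-uri-permission android:pathPrefix="/notes/shared/" />
        </provider>
    </application>
</manifest>
```

A client that is signed with the same key and declares <uses-permission android:name="com.example.notes.permission.READ_NOTES" /> can query the third provider; any other app gets a SecurityException. The adb `content query` command is the quickest way to confirm the result: against the weak provider it returns rows, against the corrected ones it fails with a permission error (or cannot find the provider at all when exported is "false").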


Inspect the source code to understand how the content provider is meant to be used. Search for the following keywords:

    android.content.ContentProvider
    android.database.Cursor
    android.database.sqlite
    .query
    .update
    .delete


To avoid SQL injection attacks within the app, use the parameterized query methods query(), update() and delete() and pass caller-supplied values through selectionArgs, where they are bound as parameters rather than spliced into the SQL text. Be sure to properly sanitize the remaining arguments: the selection argument, for example, is inserted into the WHERE clause as-is, so a selection built by concatenating user input (or taken directly from a calling app) such as "1=0 OR 1=1" changes the meaning of the query.

If you expose a content provider, determine whether the parameterized query methods (query(), update() and delete()) are being used with selectionArgs to prevent SQL injection. If so, make sure all their other arguments are still validated: projection, selection and sortOrder come from the calling app and are placed into the SQL text, not bound, so each of them is an injection point unless the provider restricts it.
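The two patterns described above side by side, as an added example that is not code from the MSTG or from Sieve. NotesProvider, its authority and its table and column names are assumptions; the provider is meant to expose only rows with shared = 1, and the secret column must never reach a caller. queryUnsafe shows the concatenation pattern the text warns about; the overridden query(), update(), delete() and insert() show the parameterized form with fixed SQL, bound arguments and an allow-listed projection.

```java
package com.example.notes;

import android.content.ContentProvider;
import android.content.ContentUris;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.text.TextUtils;
import java.util.HashMap;
import java.util.Map;

// Added example (not from the MSTG or Sieve). Authority, table and column names
// are assumptions. Only rows with shared = 1 may be exposed; 'secret' never is.
public class NotesProvider extends ContentProvider {
    static final String AUTHORITY = "com.example.notes.provider";
    static final int NOTES = 1, NOTE_ID = 2;
    static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    // Allow-list of columns a caller may name in a projection or sort order.
    static final Map<String, String> COLUMNS = new HashMap<>();
    static {
        MATCHER.addURI(AUTHORITY, "notes", NOTES);
        MATCHER.addURI(AUTHORITY, "notes/#", NOTE_ID);
        for (String c : new String[] {"_id", "title", "body"}) COLUMNS.put(c, c);
    }

    private SQLiteOpenHelper helper;

    @Override public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), "notes.db", null, 1) {
            @Override public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, "
                        + "body TEXT, secret TEXT, shared INTEGER NOT NULL DEFAULT 0)");
            }
            @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) { }
        };
        return true;
    }

    // VULNERABLE: caller-controlled projection and selection are concatenated into SQL,
    // so the provider's own "shared = 1" filter is just text the caller can talk past.
    // From an attacking app, or via `adb shell content query --uri ... --projection ...`:
    //   projection "* FROM notes --"  -> the comment swallows the WHERE; every column leaks
    //   selection  "1=0 OR 1=1"       -> AND binds tighter than OR, so every row matches
    public Cursor queryUnsafe(String[] projection, String selection, String[] selectionArgs) {
        String cols = projection == null ? "_id, title, body" : TextUtils.join(", ", projection);
        String sql = "SELECT " + cols + " FROM notes WHERE shared = 1";
        if (!TextUtils.isEmpty(selection)) sql += " AND " + selection;
        return helper.getReadableDatabase().rawQuery(sql, selectionArgs);
    }

    // HARDENED: the provider's constraint is fixed SQL; caller values travel only in
    // selectionArgs (bound, never spliced); projection and sortOrder are allow-listed;
    // strict mode makes SQLiteQueryBuilder validate the caller's selection and wrap it
    // in parentheses so it cannot escape the AND.
    @Override public Cursor query(Uri uri, String[] projection, String selection,
                                  String[] selectionArgs, String sortOrder) {
        if (sortOrder != null && !COLUMNS.containsKey(sortOrder))
            throw new IllegalArgumentException("Unsupported sort order");
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        qb.setProjectionMap(COLUMNS); // "* FROM notes --" is rejected with IllegalArgumentException
        qb.setStrict(true);
        qb.appendWhere("shared = 1");
        switch (MATCHER.match(uri)) {
            case NOTES: break;
            case NOTE_ID: // parseId() returns a long, so this is a number, not caller text
                qb.appendWhere(" AND _id = " + ContentUris.parseId(uri));
                break;
            default: throw new IllegalArgumentException("Unknown URI " + uri);
        }
        return qb.query(helper.getReadableDatabase(), projection, selection, selectionArgs,
                null, null, sortOrder);
    }

    // Writes follow the same discipline: fixed SQL, bound id, scoped to one shared row.
    @Override public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        if (MATCHER.match(uri) != NOTE_ID) throw new IllegalArgumentException("Update by id only: " + uri);
        if (values == null || values.size() == 0) return 0;
        values.remove("secret"); // callers may not touch the private column
        return helper.getWritableDatabase().update("notes", values, "_id = ? AND shared = 1",
                new String[] {String.valueOf(ContentUris.parseId(uri))});
    }

    @Override public int delete(Uri uri, String selection, String[] selectionArgs) {
        if (MATCHER.match(uri) != NOTE_ID) throw new IllegalArgumentException("Delete by id only: " + uri);
        return helper.getWritableDatabase().delete("notes", "_id = ? AND shared = 1",
                new String[] {String.valueOf(ContentUris.parseId(uri))});
    }

    @Override public Uri insert(Uri uri, ContentValues values) {
        if (MATCHER.match(uri) != NOTES) throw new IllegalArgumentException("Unknown URI " + uri);
        ContentValues v = values == null ? new ContentValues() : values;
        v.remove("secret");
        v.put("shared", 1); // anything inserted through the exported surface is shared by definition
        long id = helper.getWritableDatabase().insert("notes", null, v); // values are bound, not spliced
        return ContentUris.withAppendedId(uri, id);
    }

    @Override public String getType(Uri uri) {
        switch (MATCHER.match(uri)) {
            case NOTES:   return "vnd.android.cursor.dir/vnd." + AUTHORITY + ".note";
            case NOTE_ID: return "vnd.android.cursor.item/vnd." + AUTHORITY + ".note";
            default:      return null;
        }
    }
}
```

The caller's selection is still raw SQL in the hardened version; that is how the ContentProvider API works. What changes is that it can no longer widen the provider's own constraint, the projection cannot name columns outside the map, and every value the caller wants compared travels through selectionArgs. When reviewing a real provider, look for rawQuery() or execSQL() fed by string concatenation of projection, selection or sortOrder, as in queryUnsafe, and test the suspicion with the same adb command.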

We will use the vulnerable password manager app Sieve as an example of a vulnerable content provider.