Android Hacking-Exploiting Content Providers

Mobile applications have become a staple in our lives as they make everyday tasks easier, from checking our email to social media and online shopping. However, we often take for granted the security of the apps we download and use without thinking about the potential risks. Developed apps are being exposed to security vulnerabilities at an alarming rate and malicious mobile code is becoming more prevalent. It’s important to remember that even if your mobile device is secure, security vulnerabilities in installed applications can still affect your device.

Hello again! I hope you took the time to read the previous blogs where we discussed Intent Attack Vectors & Their Exploitation. This blog will go over Content Providers and how you can exploit them via IPC Misconfiguration.

Content Provihttps://payatu.com/blog/amit/Penetrate_the_protected_component_in_android_Part-0der

Content Provider Introduction

In Android, content providers store data applications on one page and make them available for different applications whenever needed. We use content providers to allow other applications to access data with specific requirements.

  • A content provider component supplies data from one Application to others on request.
  • Such requests are handled by the methods of the Content Resolver class.
  • A content provider can use different ways to store its data, and the data can be stored in a database, in files, or even over a netw

    Content Provider working

Content Provider Attributes

Content Provider Attributes

authorities: –

The authority is used to interact with a particular content provider, which means it must be unique. That’s why it is a [good practice] (http://developer.android.com/guide/topics/providers/content-provider-creating.html#ContentURI) to declare it as your domain name (in reverse) plus the name of the package containing the provider, that way is less likely that another developer creates an app with a content provider declaring the same authority.

android:grantUriPermission: –

The “grant Uri permissions” feature allows you to have a ContentProvider that is normally not accessible by third parties, yet selectively allow access to individual Uri values to individual third-party apps for a short period of time.

Ways of exploiting Content Providers:

  • Exported Content Provider
  • Access To Protected Content-Provider Using Implicit Intent
  • Access to Protected Content-provider using Intent Interception
  • Access to Protected Content-provider using Intent Interception-2

CASE-1

Exported Content-Provider

As you already know, if any component is exported, then other Applications can access that exported component.

Case-2

Access To Protected Content-Provider Using Implicit Intent

A Protected Content-Provider means that the content provider is exported as false and no third-party app can access that content provider.

If an application uses implicit Intent without permission, we can access protected content providers.

  • Let’s take a critical example:

    Access To Protected Content-Provider Using Implicit Intent

Look at the ProxyActivity exported activity code.

Access To Protected Content-Provider Using Implicit Intent

Implicit Intent is used in proxy activity

Let’s attack the Protected Content provider with our app.

Exploit

**MainActivity Code **

Access To Protected Content-Provider Using Implicit Intent

Let’s illustrate the steps given in the above figure

  1. Creating an Extra intent Object
  2. Setting class name to Our Exploit apk Activity MainActivity2
  3. Setting the data _ here, we are setting the Content Provider Uri we want to access.
  4. Creating another Intent Object with the named Intent
  5. setting class name to exported activity MainActivity.
  6. Putting extra as object name extra as we created above
  7. Start the activity with that object.

**MainActivity2 **

Access To Protected Content-Provider Using Implicit Intent

CASE-3

Access to Protected Content-provider using Intent Interception

If you don’t know about Intent Interception, then please read first [[Intent Interception-2]]

❗ there are two methods used for initialling Intent

1
2    Intent intent1 = new Intent ();  
3
4             and            
5
6  Intent intent = getIntent();   
7

Both can give the same result, but in the context of an ActivitygetIntent() will return the Intent originally sent to the Activity. And new Intent () Initialize the intent object. It does not return anything and is used to start another activity.

  1. if Intent intent1 = new Intent (); “then we can only intercept the Intent; we can’t access any other component because, in this case, the Application is not receiving attacker intent data.
  2. if Intent intent = getIntent(); then we can intercept the intent and access protected content provider. Because getIntent returns the Intent originally sent to the Activity.

Let’s understand with an example.

Application code

AndroidMainfest.xml

Access To Protected Content-Provider Using Intent Interception

As you see in the above figure, the content provider is set to exported false, which means we cannot access it directly.

android:grantUriPermissions="true" indicates that your application can use FLAG_GRANT_READ_URI_PERMISSION and FLAG_GRANT_WRITE_URI_PERMISSION for any Uri served by that ContentProvider

Checking exported activity resultset code.

**resultset Activity **

Access To Protected Content-Provider Using Intent Interception

That’s it. We can steal content provider’s data.

An attacker sets data to the Intent in the exploit application, and when the exploit app opens, it sends the intent data to the resultset Activity. Vulnerable applications get the Intent by “getinent() “. and send that to setResult, which is processed by the exploit application.

Exploit Application Code

Access To Protected Content-Provider Using Intent Interception

 1
 2       Intent intent = new Intent();    
 3
 4       intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);     
 5
 6      intent.setData(Uri.parse("content://com.sample.content_provider2_provider"));    
 7
 8intent.setClassName("com.sample.content_provider2","com.sample.content_provider2.resultset");    
 9
10       startActivityForResult(intent, 1);    
11
12   }    
13
14   protected void onActivityResult(int request code, int resultCode, Intent data) {    
15
16       super.onActivityResult(request code, resultCode, data);    
17
18       // check if the request code is the same as what is passed here; it is 2    
19
20 Cursor cursor = getContentResolver().query(data.getData(), null, null, null, null);    
21
22       if(cursor.moveToFirst()) {    
23
24           StringBuilder strBuild = new StringBuilder();    
25
26           while (!cursor.isAfterLast()) {    
27
28               @SuppressLint("Range") StringBuilder append = strBuild.append("\n" + cursor.getString(cursor.getColumnIndex(cursor.getColumnName(0))) + "-" + cursor.getString(cursor.getColumnIndex(cursor.getColumnName(1))));    
29
30               cursor.moveToNext();    
31
32           }    
33
34           Log.d("data1", String.valueOf(strBuild) );    
35
36    
37
38       }    
39
40   }  
41
42  
43
44  
45

CASE 4

Access to Protected Content-provider using Intent Interception-2

A vulnerable app can also receive a Uri from the attacker, create an implicit Intent, and supply it with an unsafe flag.

Let’s Understand with an example.

Vulnerable App code

**AndroidMainfest.xml **

Access to Protected Content-provider using Intent Interception-2

**MainActivity **

Access to Protected Content-provider using Intent Interception-2

An attacker can send the Intent to the vulnerable Application with Uri and obtain access to the content provider’s data by intercepting the Intent.

Access to Protected Content-provider using Intent Interception-2

Exploit Application

AndroidMainfest.xml

Access to Protected Content-provider using Intent Interception

MainActivity

Access to Protected Content-provider using Intent Interception-2

MainActivity2

Access to Protected Content-provider using Intent Interception-2

if the activity is exported and getIntent should be required to exploit this

Let’s understand the working of exploit with a diagram.

Content Provider Exploitation

If the implicit Intent like startactivityforresult is used in an activity with getintent(). If that activity is exported, an attacker can access the exported component.

Conclusion

We’ve covered the Android Application Main Component Content Provider Exploitation with the different Use-cases and hope you like this post 😉 and let us know if you have in mind any other Exploitation use case that I did not mention in this post

References

About Payatu

Payatu is a Research Focused, CERT-In impaneled Cybersecurity Consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.

Get in touch with us. Click on the get started button below.

Subscribe to our Newsletter
Subscription Form
DOWNLOAD THE DATASHEET

Fill in your details and get your copy of the datasheet in few seconds

CTI Report
DOWNLOAD THE EBOOK

Fill in your details and get your copy of the ebook in your inbox

Ebook Download
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download ICS Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Cloud Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Code Review Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Red Team Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download DevSecOps Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Product Security Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Mobile Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Web App Sample Report

Let’s make cyberspace secure together!

Requirements

Connect Now Form

What our clients are saying!

Trusted by