
Insecure Content Provider

The Content Provider com.insecureshop.contentProvider.InsecureShopProvider is exported because its manifest entry sets android:exported="true":

<provider android:name="com.insecureshop.contentProvider.InsecureShopProvider" android:readPermission="com.insecureshop.permission.READ" android:exported="true" android:authorities="com.insecureshop.provider"/>

The decompiled content provider com.insecureshop.contentProvider.InsecureShopProvider contains the following code:

package com.insecureshop.contentProvider;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import com.insecureshop.util.Prefs;

// Cleaned-up version of the decompiled provider. The class header, imports and the
// empty getType/insert/delete/update stubs are added so that the snippet compiles;
// the credential-returning query() behaviour is left exactly as in the app.
public class InsecureShopProvider extends ContentProvider {
    private static final int URI_CODE_INSECURE = 100;
    private UriMatcher uriMatcher;

    @Override
    public boolean onCreate() {
        uriMatcher = new UriMatcher(UriMatcher.NO_MATCH);
        // content://com.insecureshop.provider/insecure is the only matched path
        uriMatcher.addURI("com.insecureshop.provider", "insecure", URI_CODE_INSECURE);
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        if (uriMatcher == null || uriMatcher.match(uri) != URI_CODE_INSECURE) {
            return null;
        }
        // Hands the stored credentials of the logged-in user to any caller that
        // holds the provider's read permission.
        String username = Prefs.INSTANCE.getUsername();
        String password = Prefs.INSTANCE.getPassword();
        if (username == null || password == null) {
            throw new NullPointerException(); // decompiled code: Intrinsics.throwNpe()
        }
        MatrixCursor cursor = new MatrixCursor(new String[]{"username", "password"});
        cursor.addRow(new String[]{username, password});
        return cursor;
    }

    // Remaining abstract methods of ContentProvider (not shown on the page).
    @Override public String getType(Uri uri) { return null; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) { return 0; }
    @Override public int update(Uri uri, ContentValues values, String selection,
                                String[] selectionArgs) { return 0; }
}

If the requested URI matches the insecure path, the provider returns the username and password of the logged-in user.

Exploiting this is not entirely straightforward: the provider cannot be queried directly with adb or drozer, because it is guarded by the permission named in android:readPermission (com.insecureshop.permission.READ). A separate Android app is needed that requests that permission through a <uses-permission> entry in its AndroidManifest.xml; only then can it query the Content Provider.
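The root cause is a manifest question rather than a code question: a readPermission only keeps other packages out when the permission is declared with protectionLevel "signature" (or the provider is not exported at all), because a "normal"-level permission is granted to any app that lists it in <uses-permission>. The following static check, an added example that is not part of InsecureShop or of the original write-up, parses an AndroidManifest.xml and flags exported providers whose protection would not stop a third-party caller. The sample manifest is constructed for the example: its first <provider> element is the one shown above, while the <permission> declarations and the other providers are assumptions (the page does not show InsecureShop's actual protectionLevel).

```python
"""Flag exported Android content providers whose access permission does not
actually restrict other packages.

An exported provider is effectively public when
  * it declares no readPermission/permission at all,
  * the permission it names is not declared in the manifest, or
  * the declared permission has protectionLevel "normal" or "dangerous",
    which any app can obtain with a <uses-permission> entry.
Only exported="false" or a "signature"-level permission keeps other apps out.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
STRONG_LEVELS = {"signature", "signatureOrSystem"}


def a(name):
    """Qualify an attribute name with the android: namespace for ElementTree."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest (assumption for this example, not InsecureShop's
# real manifest). The first <provider> is the one quoted on the page; the
# <permission> entries and the remaining providers are made up for contrast.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.insecureshop">
    <permission android:name="com.insecureshop.permission.READ"
        android:protectionLevel="normal"/>
    <permission android:name="com.insecureshop.permission.SIG"
        android:protectionLevel="signature"/>
    <application>
        <provider android:name="com.insecureshop.contentProvider.InsecureShopProvider"
            android:readPermission="com.insecureshop.permission.READ"
            android:exported="true"
            android:authorities="com.insecureshop.provider"/>
        <provider android:name="com.example.InternalProvider"
            android:exported="false"
            android:authorities="com.example.internal"/>
        <provider android:name="com.example.SignedProvider"
            android:readPermission="com.insecureshop.permission.SIG"
            android:exported="true"
            android:authorities="com.example.signed"/>
        <provider android:name="com.example.OpenProvider"
            android:exported="true"
            android:authorities="com.example.open"/>
    </application>
</manifest>
"""


def declared_permissions(root):
    """Map permission name -> protectionLevel; Android defaults to 'normal'."""
    levels = {}
    for perm in root.iter("permission"):
        levels[perm.get(a("name"))] = perm.get(a("protectionLevel"), "normal")
    return levels


def audit_providers(manifest_xml):
    """Return (provider name, finding) pairs for weakly protected exported providers."""
    root = ET.fromstring(manifest_xml)
    levels = declared_permissions(root)
    findings = []
    for prov in root.iter("provider"):
        name = prov.get(a("name"))
        if prov.get(a("exported")) != "true":
            continue  # not reachable from other packages; nothing to check
        # readPermission governs query(); fall back to the general permission attribute.
        perm = prov.get(a("readPermission")) or prov.get(a("permission"))
        if perm is None:
            findings.append((name, "exported with no read permission"))
        elif perm not in levels:
            # Could be a platform permission defined elsewhere; needs manual review.
            findings.append((name, "permission %s is not declared in this manifest" % perm))
        else:
            base_level = levels[perm].split("|")[0]  # strip flags such as "|privileged"
            if base_level not in STRONG_LEVELS:
                findings.append((name, "permission %s has protectionLevel '%s', "
                                       "obtainable by any app" % (perm, levels[perm])))
    return findings


if __name__ == "__main__":
    for provider, finding in audit_providers(SAMPLE_MANIFEST):
        print("%s: %s" % (provider, finding))
```

Run against the sample, the check reports InsecureShopProvider (its "normal"-level read permission) and OpenProvider (no permission at all), while the non-exported and signature-protected providers pass. The fix the check points at is the same in both cases: set android:exported="false" if no other app needs the provider, or declare the permission with android:protectionLevel="signature"; and, independently of the manifest, a provider should not hand out stored passwords at all.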
