Insecure use of FilePaths in FileProvider

The file provider_paths.xml contains the following data:
<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="">
<root-path name="root" path="/"/>
You can use the Nuclei template provider-path.yaml on a decompiled Android app to identify this misconfiguration.
echo /output_apktool/ | nuclei -t /file/android/provider-path.yaml
Observe the provider has the root folder configuration that allows us to access home directory (which also includes /data and /sdcard directory).
This misconfiguration can be chained with other vulnerabilities like Intent Redirection to steal sensitive data or Overwriting arbitrary files to achieve arbitrary code execution by Overwriting native libraries.