Insecure use of FilePaths in FileProvider
The file provider_paths.xml contains the following data:
<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="">
<root-path name="root" path="/"/>
You can use the Nuclei template provider-path.yaml on a decompiled Android app to identify this misconfiguration.
echo /output_apktool/ | nuclei -t /file/android/provider-path.yaml
Observe the provider has the root folder configuration that allows us to access home directory (which also includes /data and /sdcard directory).
This misconfiguration can be chained with other vulnerabilities like Intent Redirection to steal sensitive data or Overwriting arbitrary files to achieve arbitrary code execution by Overwriting native libraries.
Copy link