Insecure use of FilePaths in FileProvider
The file provider_paths.xml contains the following data:
<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
<root-path name="root" path="/"/>
</paths>
You can use the Nuclei template provider-path.yaml on a decompiled Android app to identify this misconfiguration.
echo /output_apktool/ | nuclei -t /file/android/provider-path.yaml
Observe that the provider has a root-path configuration, which allows us to access the device's root directory (which also includes the /data and /sdcard directories).
This misconfiguration can be chained with other vulnerabilities, such as Intent Redirection to steal sensitive data, or overwriting arbitrary files to achieve arbitrary code execution by overwriting native libraries.
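For review of your own app, the following added example (not part of the original page or of the Nuclei template) audits a FileProvider paths resource and flags entries that share a whole base directory. It goes slightly beyond the root-path case above by also flagging other path tags with a path of "/" or "."; the hardened sample, its name "shared_reports" and its directory "reports/" are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the configuration shown on this page.
INSECURE = """<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
<root-path name="root" path="/"/>
</paths>"""

# Constructed sample: a provider limited to one subdirectory of the app's
# files directory. "shared_reports" and "reports/" are hypothetical names.
HARDENED = """<?xml version="1.0" encoding="utf-8"?>
<paths>
<files-path name="shared_reports" path="reports/"/>
</paths>"""


def audit_provider_paths(xml_text):
    """Return (tag, name, path, reason) for each overly broad entry."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "paths":
        return findings  # not a FileProvider paths resource
    for entry in root:
        name, path = entry.get("name"), entry.get("path", "")
        # "/", ".", "./" and "" all resolve to the tag's whole base directory.
        whole_base = path.strip("/") in ("", ".")
        if entry.tag == "root-path":
            reason = ("maps the filesystem root" if whole_base
                      else "shares a directory addressed from the filesystem root")
        elif whole_base:
            reason = "shares the entire base directory of this tag"
        else:
            continue  # scoped to a subdirectory
        findings.append((entry.tag, name, path, reason))
    return findings


if __name__ == "__main__":
    for label, doc in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(label, audit_provider_paths(doc))
```
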