Insecure use of FilePaths in FileProvider

The file provider_paths.xml contains the following data:

<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="">
    <root-path name="root" path="/"/>

You can use the Nuclei template provider-path.yaml on a decompiled Android app to identify this misconfiguration.

echo /output_apktool/ | nuclei -t /file/android/provider-path.yaml

Observe the provider has the root folder configuration that allows us to access home directory (which also includes /data and /sdcard directory).

This misconfiguration can be chained with other vulnerabilities like Intent Redirection to steal sensitive data or Overwriting arbitrary files to achieve arbitrary code execution by Overwriting native libraries.

Last updated