Theft of Arbitrary files from LocalStorage

The ChooserActivity is exported and has defined several MIME types in the AndroidManifest.xml file.

    <action android:name="android.intent.action.VIEW" />

    <category android:name="android.intent.category.DEFAULT" />
    <action android:name="android.intent.action.SEND" />

    <category android:name="android.intent.category.DEFAULT" />

    <data android:mimeType="application/*" />
    <data android:mimeType="audio/*" />
    <data android:mimeType="image/*" />
    <data android:mimeType="text/*" />
    <data android:mimeType="video/*" />

    android:value=".ConversationChooserTargetService" />

The ChooserActivity contains the following code. The code takes the URI of the desired file via android.intent.extra.STREAM.

var uri = intent.getParcelableExtra<Parcelable>("android.intent.extra.STREAM") as Uri
        uri = Uri.fromFile(File(uri.toString()))
        makeTempCopy(uri, this, getFilename(uri))

The ChooserActivity is cloning the file which we got from android.intent.extra.STREAM in our sdcard within the folder named insecureapp .

private fun makeTempCopy(fileUri: Uri, context: Context, original_filename: String?): Uri? {
        try {
            val out = Uri.fromFile(
                    Environment.getExternalStorageDirectory().absolutePath + File.separator + "insecureapp",
            val inputStream: InputStream? = contentResolver.openInputStream(fileUri)
            val outputStream: OutputStream? = contentResolver.openOutputStream(out)
            val buffer = ByteArray(8192)
            while (true) {
                val len: Int? = inputStream?.read(buffer)
                if (len != -1) {
                    len?.let { outputStream?.write(buffer, 0, it) }
            return out
        } catch (e: Exception) {
            return null

This flaw allows any malicious third-party app on the device to steal any file from the InsecureShop app's localStorage and send it to sdcard (which is world readable/writeable).

Last updated