Challenges
Search…
Theft of Arbitrary files from LocalStorage
The ChooserActivity is exported and has defined several MIME types in the AndroidManifest.xml file.
1
<activity
2
android:name=".ChooserActivity"
3
android:excludeFromRecents="true">
4
<intent-filter>
5
<action android:name="android.intent.action.VIEW" />
6
7
<category android:name="android.intent.category.DEFAULT" />
8
</intent-filter>
9
<intent-filter>
10
<action android:name="android.intent.action.SEND" />
11
12
<category android:name="android.intent.category.DEFAULT" />
13
14
<data android:mimeType="application/*" />
15
<data android:mimeType="audio/*" />
16
<data android:mimeType="image/*" />
17
<data android:mimeType="text/*" />
18
<data android:mimeType="video/*" />
19
</intent-filter>
20
21
<meta-data
22
android:name="android.service.chooser.chooser_target_service"
23
android:value=".ConversationChooserTargetService" />
24
</activity>
25
Copied!
The ChooserActivity contains the following code. The code takes the URI of the desired file via android.intent.extra.STREAM.
1
var uri = intent.getParcelableExtra<Parcelable>("android.intent.extra.STREAM") as Uri
2
uri = Uri.fromFile(File(uri.toString()))
3
makeTempCopy(uri, this, getFilename(uri))
Copied!
The ChooserActivity is cloning the file which we got from android.intent.extra.STREAM in our sdcard within the folder named insecureapp .
1
private fun makeTempCopy(fileUri: Uri, context: Context, original_filename: String?): Uri? {
2
try {
3
val out = Uri.fromFile(
4
File(
5
Environment.getExternalStorageDirectory().absolutePath + File.separator + "insecureapp",
6
original_filename
7
)
8
)
9
val inputStream: InputStream? = contentResolver.openInputStream(fileUri)
10
val outputStream: OutputStream? = contentResolver.openOutputStream(out)
11
val buffer = ByteArray(8192)
12
while (true) {
13
val len: Int? = inputStream?.read(buffer)
14
if (len != -1) {
15
len?.let { outputStream?.write(buffer, 0, it) }
16
}
17
}
18
return out
19
} catch (e: Exception) {
20
return null
21
}
22
}
Copied!
This flaw allows any malicious third-party app on the device to steal any file from the InsecureShop app's localStorage and send it to sdcard (which is world readable/writeable).
Last modified 5mo ago
Copy link