Theft of Arbitrary Files from LocalStorage

The ChooserActivity is exported and declares several MIME types in its intent filters in the AndroidManifest.xml file.

<activity
    android:name=".ChooserActivity"
    android:excludeFromRecents="true">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />

        <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
    <intent-filter>
        <action android:name="android.intent.action.SEND" />

        <category android:name="android.intent.category.DEFAULT" />

        <data android:mimeType="application/*" />
        <data android:mimeType="audio/*" />
        <data android:mimeType="image/*" />
        <data android:mimeType="text/*" />
        <data android:mimeType="video/*" />
    </intent-filter>

    <meta-data
        android:name="android.service.chooser.chooser_target_service"
        android:value=".ConversationChooserTargetService" />
</activity>

The ChooserActivity contains the following code. The code takes the URI of the desired file via android.intent.extra.STREAM.

// The caller-supplied extra is turned into a file:// Uri without any validation
var uri = intent.getParcelableExtra<Parcelable>("android.intent.extra.STREAM") as Uri
uri = Uri.fromFile(File(uri.toString()))
makeTempCopy(uri, this, getFilename(uri))

The ChooserActivity then copies the file it received via android.intent.extra.STREAM to the sdcard, into a folder named insecureapp.

private fun makeTempCopy(fileUri: Uri, context: Context, original_filename: String?): Uri? {
    try {
        // Destination is on shared external storage: <sdcard>/insecureapp/<original_filename>
        val out = Uri.fromFile(
            File(
                Environment.getExternalStorageDirectory().absolutePath + File.separator + "insecureapp",
                original_filename
            )
        )
        val inputStream: InputStream? = contentResolver.openInputStream(fileUri)
        val outputStream: OutputStream? = contentResolver.openOutputStream(out)
        val buffer = ByteArray(8192)
        while (true) {
            val len: Int? = inputStream?.read(buffer)
            // Stop at end of stream (or when no stream was opened); without this the loop never ends
            if (len == null || len == -1) break
            outputStream?.write(buffer, 0, len)
        }
        return out
    } catch (e: Exception) {
        return null
    }
}

This flaw allows any malicious third-party app on the device to steal any file from the InsecureShop app's localStorage by having it copied to the sdcard (which is world readable/writeable).
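
A hardened counterpart to the handler above, added here as an example; it is not InsecureShop's code. The function name importSharedStream and the shared_in cache folder are assumptions made for illustration.

```kotlin
import android.content.ContentResolver
import android.content.Context
import android.content.Intent
import android.net.Uri
import java.io.File
import java.io.FileOutputStream

/** Returns the app-private copy, or null if the shared stream is rejected. */
fun importSharedStream(context: Context, intent: Intent): File? {
    // Use the extra as a Uri as-is; never rebuild a file:// Uri from caller-supplied text.
    val uri = intent.getParcelableExtra<Uri>(Intent.EXTRA_STREAM) ?: return null

    // 1. Accept content:// only, so a raw path or file:// Uri is refused.
    if (uri.scheme != ContentResolver.SCHEME_CONTENT) return null

    // 2. Refuse providers owned by this app: they would be opened with our own
    //    identity, not the sender's. Unknown or invisible providers fail closed.
    val authority = uri.authority ?: return null
    val provider = context.packageManager.resolveContentProvider(authority, 0) ?: return null
    if (provider.packageName == context.packageName) return null

    // 3. Destination name: last path segment only, reduced to a safe character set.
    val name = (uri.lastPathSegment ?: "shared")
        .substringAfterLast('/')
        .replace(Regex("[^A-Za-z0-9._-]"), "_")
        .trimStart('.')
        .ifEmpty { "shared" }

    // 4. Copy into app-private cache instead of external storage, and confirm
    //    the resolved destination stays inside that folder.
    val dir = File(context.cacheDir, "shared_in").apply { mkdirs() }
    val dest = File(dir, name).canonicalFile
    if (dest.parentFile != dir.canonicalFile) return null

    return try {
        context.contentResolver.openInputStream(uri)?.use { input ->
            FileOutputStream(dest).use { output -> input.copyTo(output) }
            dest
        }
    } catch (e: Exception) { // SecurityException, FileNotFoundException, IOException
        null
    }
}
```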
