Theft of Arbitrary files from LocalStorage
The ChooserActivity is exported and has defined several MIME types in the AndroidManifest.xml file.

    <activity
        android:name=".ChooserActivity"
        android:excludeFromRecents="true">
        <intent-filter>
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
        </intent-filter>
        <intent-filter>
            <action android:name="android.intent.action.SEND" />
            <category android:name="android.intent.category.DEFAULT" />
            <data android:mimeType="application/*" />
            <data android:mimeType="audio/*" />
            <data android:mimeType="image/*" />
            <data android:mimeType="text/*" />
            <data android:mimeType="video/*" />
        </intent-filter>
        <meta-data
            android:name="android.service.chooser.chooser_target_service"
            android:value=".ConversationChooserTargetService" />
    </activity>

The ChooserActivity contains the following code. The code takes the URI of the desired file via android.intent.extra.STREAM.

    // Caller-controlled value read from the incoming Intent
    var uri = intent.getParcelableExtra<Parcelable>("android.intent.extra.STREAM") as Uri
    // The value is treated as a file path and wrapped in a file:// URI
    uri = Uri.fromFile(File(uri.toString()))
    makeTempCopy(uri, this, getFilename(uri))

The ChooserActivity copies the file referenced by android.intent.extra.STREAM to the sdcard, into the folder named insecureapp.

    import android.content.Context
    import android.net.Uri
    import android.os.Environment
    import java.io.File
    import java.io.InputStream
    import java.io.OutputStream

    private fun makeTempCopy(fileUri: Uri, context: Context, original_filename: String?): Uri? {
        try {
            // Destination: <external storage>/insecureapp/<original_filename>
            val out = Uri.fromFile(
                File(
                    Environment.getExternalStorageDirectory().absolutePath + File.separator + "insecureapp",
                    original_filename
                )
            )
            val inputStream: InputStream? = contentResolver.openInputStream(fileUri)
            val outputStream: OutputStream? = contentResolver.openOutputStream(out)
            val buffer = ByteArray(8192)
            while (true) {
                // read() returns -1 at end of stream; stop there so the loop terminates
                val len: Int = inputStream?.read(buffer) ?: -1
                if (len == -1) break
                outputStream?.write(buffer, 0, len)
            }
            inputStream?.close()
            outputStream?.close()
            return out
        } catch (e: Exception) {
            return null
        }
    }

This flaw allows any malicious third-party app on the device to steal any file from the InsecureShop app's local storage and have it copied to the sdcard (which is world readable/writeable).
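
A hardened counterpart to the handler above, as an added example that is not part of the InsecureShop code: it accepts only content:// URIs, never turns the caller's value into a file path, and writes the copy into app-private cache instead of the sdcard. The function name copySharedStreamSafely, the "shared" cache sub-directory and the package-name authority check are assumptions made for illustration.

```kotlin
import android.app.Activity
import android.content.ContentResolver
import android.content.Intent
import android.net.Uri
import android.os.Parcelable
import java.io.File

// Hypothetical hardened replacement for the handler shown above (added example).
// Returns the private copy, or null when the shared stream is rejected.
fun Activity.copySharedStreamSafely(intent: Intent): File? {
    // Safe cast: a missing or non-Uri extra yields null instead of throwing.
    val uri = intent.getParcelableExtra<Parcelable>(Intent.EXTRA_STREAM) as? Uri ?: return null

    // Accept only content:// URIs, so the sending app's provider decides what is
    // readable. A bare path or file:// URI (for example one naming a file in this
    // app's data directory) is refused rather than wrapped with Uri.fromFile().
    if (uri.scheme != ContentResolver.SCHEME_CONTENT) return null

    // Refuse URIs aimed at this app's own providers (assumption: their
    // authorities start with the package name, the usual convention).
    if (uri.authority?.startsWith(packageName) == true) return null

    // Use only the final name component; directory parts are dropped.
    val name = File(uri.lastPathSegment ?: "shared").name.ifEmpty { "shared" }

    // Write into app-private cache rather than world-readable external storage.
    val dir = File(cacheDir, "shared").apply { mkdirs() }
    val target = File(dir, name)
    // Defence in depth: the resolved target must stay inside the private directory.
    if (!target.canonicalPath.startsWith(dir.canonicalPath + File.separator)) return null

    return try {
        contentResolver.openInputStream(uri)?.use { input ->
            target.outputStream().use { output -> input.copyTo(output) }
            target
        }
    } catch (e: Exception) {
        null
    }
}
```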