
Saturday, December 31, 2016

ANDROID PT - DIVA / 11 - Access Control Issues 3 - Content Provider Vulnerability

ACCESS CONTROL ISSUES 3 - CONTENT PROVIDER VULNERABILITY

- Layout for this exercise:

- Connecting from Santoku to Nexus 5 with ADB:

- Launching the application: 

- Let's see how challenge 11 works. Clicking the tab:

- The user is prompted to create a PIN to protect private information stored on the application:

- Using the newly created PIN, the private notes become accessible:

- The goal of this challenge is to bypass the access control provided by the PIN and read the private notes from outside the application.

- A content provider manages access to a central repository of data. A provider is part of an Android application, which often provides its own UI for working with the data. 

- However, a content provider is primarily intended to be used by other applications, which access the provider through a provider client object. In other words, content providers are the standard interface that connects data in one process with code running in another process.

- Checking the source code for the activity AccessControl3Activity.java:

- Also, the source code of AccessControl3NotesActivity.java:

- In the same way, checking AndroidManifest.xml, the content provider jakhar.aseem.diva.provider.notesprovider is found.

- One of its attributes is android:exported="true", which makes the provider reachable by any other application on the device without requiring a permission. To secure it, the attribute should be set to "false", or a permission should be required to access the provider:
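As an added example (not code from this post, from DIVA or from Drozer), the following Python script audits an AndroidManifest.xml for exactly this misconfiguration: exported providers whose read or write side is not gated by a permission. It goes one step beyond the post by also handling providers that omit android:exported, whose default depends on the targeted API level. Only the authority jakhar.aseem.diva.provider.notesprovider comes from the post; the provider class name `.NotesProvider`, the permission name and the SDK levels in the constructed sample manifests are assumptions.

```python
"""Audit an AndroidManifest.xml for content providers that other apps can
reach without holding any permission (the weakness behind DIVA challenge 11).

Added example for this post; not code from DIVA, Drozer or Android itself.
Only the authority jakhar.aseem.diva.provider.notesprovider comes from the
post; the provider class name, permission name and SDK levels below are
constructed assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem, name):
    """Return the android:<name> attribute of elem, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def default_exported(root):
    """Exported state of a <provider> that omits android:exported.

    For providers the default is true when the app targets API 16 or lower
    and false from API 17 on, so an old manifest can be exported without
    saying so. A manifest with no <uses-sdk> falls back to the old default."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return True
    level = (android_attr(uses_sdk, "targetSdkVersion")
             or android_attr(uses_sdk, "minSdkVersion"))
    return level is None or int(level) <= 16


def find_unprotected_providers(manifest_xml):
    """Return one finding per exported <provider> whose read and/or write side
    is not protected by android:permission, android:readPermission or
    android:writePermission. An empty list means nothing to report."""
    root = ET.fromstring(manifest_xml)
    implicit = default_exported(root)
    findings = []
    for provider in root.iter("provider"):
        exported = android_attr(provider, "exported")
        is_exported = implicit if exported is None else exported.lower() == "true"
        if not is_exported:
            continue
        blanket = android_attr(provider, "permission")
        read_ok = blanket or android_attr(provider, "readPermission")
        write_ok = blanket or android_attr(provider, "writePermission")
        open_sides = [side for side, ok in (("read", read_ok), ("write", write_ok)) if not ok]
        if open_sides:
            findings.append({
                "name": android_attr(provider, "name"),
                "authorities": android_attr(provider, "authorities"),
                "open": open_sides,
            })
    return findings


# Constructed manifest mirroring the post: exported, with no permission at all.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="jakhar.aseem.diva">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="23"/>
  <application>
    <provider android:name=".NotesProvider"
        android:authorities="jakhar.aseem.diva.provider.notesprovider"
        android:exported="true"/>
  </application>
</manifest>"""

# Fix 1: keep the provider private to the app.
PRIVATE_MANIFEST = VULNERABLE_MANIFEST.replace(
    'android:exported="true"', 'android:exported="false"')

# Fix 2: stay exported but require a signature-level permission (assumed name),
# so only apps signed with the same key can obtain it.
PERMISSION_MANIFEST = VULNERABLE_MANIFEST.replace(
    "<application>",
    '<permission android:name="jakhar.aseem.diva.permission.NOTES"\n'
    '      android:protectionLevel="signature"/>\n  <application>',
).replace(
    'android:exported="true"',
    'android:exported="true" android:permission="jakhar.aseem.diva.permission.NOTES"')

if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST),
                            ("exported=false", PRIVATE_MANIFEST),
                            ("permission-gated", PERMISSION_MANIFEST)):
        print(label, find_unprotected_providers(manifest))
```

A provider that sets only android:readPermission is reported with its write side open, which is the case that is easy to miss in a manual review. Declaring the permission with protectionLevel="signature" matters as much as referencing it: a normal-level permission can be requested by any installed app, which would leave the provider as exposed as before.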

- Using Drozer's finduri option, the content provider is found:

- Running Drozer's query option, the notes are readable from Santoku, outside the application:

- Also, adb shell content query can be used to access the notes: