| AID | 16 |
|---|---|
| MSTG-ID | MSTG-STORAGE‑6 |
| Audit | No sensitive data is exposed via IPC mechanisms. |
| Guidance | Determining Whether Sensitive Stored Data Has Been Exposed via IPC Mechanisms As part of Android's IPC mechanisms, content providers allow an app's stored data to be accessed and modified by other apps. If not properly configured, these mechanisms may leak sensitive data. Static Analysis Determine whether the value of the export tag (android:exported) is -- true -- . Even if it is not, the tag will be set to -- true -- automatically if an has been defined for the tag. If the content is meant to be accessed only by the app itself, set android:exported to -- false -- . If not, set the flag to -- true -- and define proper read/write permissions. Inspect the source code to understand how the content provider is meant to be used. Search for the following keywords: android.content.ContentProvider To avoid SQL injection attacks within the app, use parameterized query methods, such as query, update, and delete. Be sure to properly sanitize all method arguments; for example, the selection argument could lead to SQL injection if it is made up of concatenated user input. If you expose a content provider, determine whether parameterized query methods (query, update, and delete) are being used to prevent SQL injection. If so, make sure all their arguments are properly sanitized. We will use the vulnerable password manager app Sieve as an example of a vulnerable content provider. Identify all defined elements: As shown in the AndroidManifest.xml above, the application exports two content providers. Note that one path ( -- /Keys -- ) is protected by read and write permissions. Inspect the query function in the DBContentProvider.java file to determine whether any sensitive information is being leaked: public Cursor query(final Uri uri, final String[] array, final String s, final String[] array2, final String s2) { Here we see that there are actually two paths, -- /Keys -- and -- /Passwords -- , and the latter is not being protected in the manifest and is therefore vulnerable. When accessing a URI, the query statement returns all passwords and the path Passwords/. We will address this in the -- Dynamic Analysis -- section and show the exact URI that is required. To dynamically analyze an application's content providers, first enumerate the attack surface: pass the app's package name to the Drozer module app.provider.info: dz> run app.provider.info -a com.mwr.example.sieve In this example, two content providers are exported. Both can be accessed without permission, except for the /Keys path in the DBContentProvider. With this information, you can reconstruct part of the content URIs to access the DBContentProvider (the URIs begin with content://). To identify content provider URIs within the application, use Drozer's scanner.provider.finduris module. This module guesses paths and determines accessible content URIs in several ways: dz> run scanner.provider.finduris -a com.mwr.example.sieve Once you have a list of accessible content providers, try to extract data from each provider with the app.provider.query module: dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical You can also use Drozer to insert, update, and delete records from a vulnerable content provider: Insert record dz> run app.provider.insert content://com.vulnerable.im/messages Update record dz> run app.provider.update content://settings/secure Delete record dz> run app.provider.delete content://settings/secure SQL Injection in Content Providers dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection -- ' -- dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection -- ' -- If an application is vulnerable to SQL Injection, it will return a verbose error message. SQL Injection on Android may be used to modify or query data from the vulnerable content provider. In the following example, the Drozer module app.provider.query is used to list all the database tables: dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection -- * SQL Injection may also be used to retrieve data from otherwise protected tables: dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection -- * FROM Key;-- -- You can automate these steps with the scanner.provider.injection module, which automatically finds vulnerable content providers within an app: dz> run scanner.provider.injection -a com.mwr.example.sieve File System Based Content Providers dz> run app.provider.download content://com.vulnerable.app.FileProvider/../../../../../../../../data/data/com.vulnerable.app/database.db /home/user/database.db Use the scanner.provider.traversal module to automate the process of finding content providers that are susceptible to directory traversal: dz> run scanner.provider.traversal -a com.mwr.example.sieve Note that adb can also be used to query content providers: $ adb shell content query --uri content://com.owaspomtg.vulnapp.provider.CredentialProvider/credentials |
| Category | Data Storage and Privacy |
| Function | Determining Whether Sensitive Stored Data Has Been Exposed via IPC Mechanisms (MSTG-STORAGE-6) |
| Reference | github.com |
Google Android Mobile Applications Audit
Review this entry