Enumerating vulnerable content providers

Content providers often hold a lot of valuable information, such as users' phone numbers or Twitter passwords, and you may want to find out whether or not it's possible for malicious attackers to get their hands on this information. The best way to find out whether a content provider is vulnerable to attack is by trying to attack it yourself.

For you to be able to attack a content provider, as with many application-level attacks, it usually comes down to sending a malicious intent to an application. When it comes to content providers, your intent will be honed towards its target by the URI string it contains, since this URI identifies which content provider should handle the intent.

So then there's just one problem—how do we find out which URIs to use? One simple solution would be to guess them, but that could take ages! drozer has a module called app.provider.info that solves this problem for you.

This recipe details a few drozer modules that you can use to find content providers that may be vulnerable to attack.

How to do it...

To find some content providers that will most likely be vulnerable to attack, you will need to do the following:

  1. Finding content providers that require no permissions is really easy with drozer; all you need to do is execute the following command from your drozer console:
    dz> run app.provider.info --permission null
    

    The preceding command lists all the content providers that don't require any read/write permissions.

  2. Once you've found an appropriate content provider, you may want to enumerate the URIs it has authority over; you can do this using the following command:
    dz> run app.provider.finduri [package]
    

    In the preceding command, [package] is the full name of the package you want to extract information about.

  3. The following command is an example you can try out:
    dz> run app.provider.finduri com.android.providers.downloads
    

So what you've just done is find a possible entry point into the data that a given package saves in its content provider. The next recipe discusses how to extract this data.

How it works...

The .finduri module is pretty straightforward; it actually uses a very "sneaky" method to enumerate the possible content URIs. What it basically does is open the DEX file for the application and scan the unparsed file for any string literals resembling the valid content URI-format strings. The reason this is so effective is that application developers usually save these as static strings in the source of the application. The following is the actual source code for the Python script. It is extracted from https://github.com/mwrlabs/drozer/blob/master/src/drozer/modules/common/provider.py.

    def findContentUris(self, package):

        self.deleteFile("/".join([self.cacheDir(), "classes.dex"]))

        content_uris = []
        for path in self.packageManager().getSourcePaths(package):
            # This is where the script requests the application path from the
            # package manager, which will determine where the actual .apk file
            # is stored.
            strings = []

            if ".apk" in path:
                dex_file = self.extractFromZip("classes.dex", path, self.cacheDir())
                # In this line you can see the script extract the "classes.dex"
                # file from the .apk file

                if dex_file != None:
                    strings = self.getStrings(dex_file.getAbsolutePath())

                    dex_file.delete()

                # look for an odex file too, because some system packages do not
                # list these in sourceDir
                strings += self.getStrings(path.replace(".apk", ".odex"))
            elif (".odex" in path):
                strings = self.getStrings(path)

            content_uris.append((path, filter(lambda s: ("CONTENT://" in s.upper()) and ("CONTENT://" != s.upper()), strings)))
            # In this line you can see the script actually search for the literal
            # "CONTENT://" or "content://" among the strings extracted from the .dex file.

        return content_uris
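The drozer module above runs on the device and leans on helpers such as getStrings and extractFromZip that are not shown here. The following is an added, stand-alone example (not drozer's code) that reproduces the same technique offline so you can see exactly what the string scan and the "CONTENT://" filter keep and drop: it builds a small in-memory zip laid out like an APK (constructed sample, containing only a fake classes.dex byte blob; not a real DEX file), pulls classes.dex out of it, extracts printable-string runs the way the strings tool does, applies drozer's filter, and then goes one step further than the module by collapsing the URIs to the provider authorities they name, which is the level at which a developer declares readPermission/writePermission in the manifest. All package and authority names are invented placeholders.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Constructed sample: a byte blob standing in for classes.dex. It is NOT a
# valid DEX file; only its embedded string literals matter here. Mixed case,
# a bare "content://" and an unrelated https URL exercise drozer's filter.
SAMPLE_DEX_BYTES = (
    b"dex\n035\x00"
    b"\x00\x00Lcom/example/app/MainActivity;\x00"
    b"content://com.example.app.provider/users\x00"
    b"\x01\x02CONTENT://com.example.app.provider/settings/\x00"
    b"content://\x00"                    # bare scheme: dropped by the filter
    b"https://example.invalid/api\x00"   # not a content URI: ignored
    b"\xff\xfe\x00content://com.example.app.provider/users/1\x00"
)


def build_sample_apk() -> bytes:
    """Constructed in-memory zip with an APK-like layout (classes.dex only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", SAMPLE_DEX_BYTES)
    return buf.getvalue()


# Runs of at least four printable ASCII bytes, i.e. what `strings -n 4` reports.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes) -> list:
    """Return every printable-ASCII run in the blob, decoded to str."""
    return [m.group().decode("ascii") for m in _PRINTABLE_RUN.finditer(blob)]


def filter_content_uris(strings) -> list:
    """drozer's filter: keep strings containing the content scheme in any
    case, but drop a bare 'content://' that names no authority."""
    return [s for s in strings
            if "CONTENT://" in s.upper() and s.upper() != "CONTENT://"]


def find_content_uris_in_apk(apk_bytes: bytes) -> list:
    """Mirror findContentUris for one APK held in memory: take classes.dex
    out of the zip, scan it for strings, apply the content-URI filter."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if "classes.dex" not in zf.namelist():
            return []
        dex = zf.read("classes.dex")
    return filter_content_uris(extract_strings(dex))


def authorities(uris) -> list:
    """Collapse URIs to the unique provider authorities they reference.
    Permissions are declared per authority, so this is the list to check
    against the manifest's <provider> entries."""
    seen = set()
    for uri in uris:
        parsed = urlparse(uri.lower())  # normalises CONTENT:// and content://
        if parsed.netloc:
            seen.add(parsed.netloc)
    return sorted(seen)


if __name__ == "__main__":
    found = find_content_uris_in_apk(build_sample_apk())
    for uri in found:
        print(uri)
    print("authorities:", authorities(found))
```

To run this against a real APK pulled from a test device, replace build_sample_apk() with the file's bytes; multidex packages carry classes2.dex, classes3.dex and so on, which the drozer module does not scan either, so extend the name check if you need them. A hit in this list only means the string exists in the code: whether the provider is actually exposed still depends on its exported flag and permission attributes, which is what app.provider.info reports.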