Post-Lab Activities
Some best practices are available to prevent content provider leakage vulnerabilities. Based on Smartphone Security Association guidelines available at http://www.jssec.org/dl/android_securecoding_en.pdf
Check the presence of malicious inputs for SQL Injection attacks during interface implementation (sanitize parameters like projection, selection)
Check both protocol and repository represented by the supplied Uri to avoid accessing arbitrary Uris and handle exceptions
Set provider permissions in a conservative manner
<provider
android:exported="false“
</provider>
New lab task for learners:
Please implement update interface in the content provider and revise the code in malware so update gets called. This time you would exploit vulnerabilities by deleting the table through sql injection.
Find 3 sample android applications from the web or google store, which have content provider. Then identify if you find vulnerabilities there and if found, then show how to fix them.
References:
[1] https://developer.android.com/guide/topics/providers/content-providers.html