Learning objectives
Learn the Android building block – Content Provider for data sharing between apps
Learn the vulnerabilities of Content Providers
I. Basics of Content Provider
Content providers are one of Android's core components. They let you access the data of other applications, whether that data is stored in databases, in flat files, or on a remote server. Content providers let you centralize content in one place and have many different applications access it as needed. Content providers support the four basic operations, normally called CRUD operations (create, read, update, delete). The objects a content provider exposes simply represent data, most often a record (tuple) of a database, but they can also be other types of data such as a photo on your SD card or a video on the web. In most cases this data is stored in an SQLite database.
An SQLite database can only be used by the app that created it. However, you can choose to share the database with other apps by creating a content provider, in the app that creates the database, to manage access to this shared database. You need a content provider if you want to allow other apps to access your database, or if you want to perform custom search suggestions in your own app. Any app wanting to use the database must use a content resolver to do so. The Content Resolver communicates with the Content Provider.
II. Vulnerability
One of the most common security vulnerabilities in Android is unprotected content providers. The URI of a content provider starts with "content://". If the provider is unprotected, any app which knows this URI can insert, update, delete, and query data from the database of the provider app. A hacker can attack a vulnerable content provider via adb shell or through a malicious app that queries it.
A content provider is only required if you need to share data between multiple applications. For example, the contacts data is used by multiple applications and must be stored in a content provider. If you don't need to share data amongst multiple applications, use a database directly via SQLiteDatabase instead, because a content provider opens a door for malware to reach the confidential data in the DB.
As application data is private by default, a content provider is a convenient way to share your data with other applications through an interface of CRUD-style methods, e.g. query(), insert(), update(), delete(), getType() and onCreate(). A content provider must be declared in the manifest file to be made available to other Android applications. To set the visibility of your content provider, use the android:exported=false|true parameter in the declaration of your content provider in the AndroidManifest.xml file. It is good practice to always set the android:exported parameter to ensure correct behavior across Android versions. Unless you must share an SQLite database with many different apps, don't provide a content provider.
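The following Python script is an added example, not part of the original lesson: it audits the provider declarations in an AndroidManifest.xml for the android:exported setting described above. It goes one step beyond the text by also checking the manifest's android:permission, android:readPermission and android:writePermission attributes. The manifest, package name, provider names and finding labels are all constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical package and provider names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes.provider"
              android:exported="true" />
    <provider android:name=".SharedProvider"
              android:authorities="com.example.notes.shared"
              android:exported="true"
              android:readPermission="com.example.notes.READ"
              android:writePermission="com.example.notes.WRITE" />
    <provider android:name=".LegacyProvider"
              android:authorities="com.example.notes.legacy" />
    <provider android:name=".PrivateProvider" android:exported="false"
              android:authorities="com.example.notes.private" />
  </application>
</manifest>"""


def audit_providers(manifest_xml):
    """Return (provider name, finding) for each <provider> in the manifest."""
    results = []
    root = ET.fromstring(manifest_xml)
    for p in root.iter("provider"):
        name = p.get(ANDROID + "name", "?")
        exported = p.get(ANDROID + "exported")
        perm = p.get(ANDROID + "permission")
        read_ok = perm or p.get(ANDROID + "readPermission")
        write_ok = perm or p.get(ANDROID + "writePermission")
        if exported is None:
            finding = "exported-not-set"      # default differs across Android versions
        elif exported.lower() == "false":
            finding = "private"               # only the owning app can use it
        elif read_ok and write_ok:
            finding = "exported-with-permissions"
        else:
            finding = "exported-unprotected"  # reads or writes open to any app
        results.append((name, finding))
    return results


if __name__ == "__main__":
    for name, finding in audit_providers(SAMPLE_MANIFEST):
        print(f"{name:20} {finding}")
```

Providers reported as exported-unprotected or exported-not-set are the ones to review first: either set android:exported="false" or require permissions for both reading and writing.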
The following figure shows how malware uses a content provider to access the data. You will have hands-on practice in the next lab activity.
Figure 1. Content provider
Content providers can also open a door to SQL injection by a hacker, just like traditional SQL injection attacks. A content provider can also allow path traversal, which lets an attacker access the local file system.
Ref: http://resources.infosecinstitute.com/android-hacking-security-part-2-content-provider-leakage/