Android app security - 2019

Android App vulnerabilities for Provider Component

Published in: Technology
  1. Android Apps Security - Shivasurya S
  2. Android Architecture
     ● App Space Isolation
     ● Platform & User Apps
     ● Java & Kotlin API (additionally Native)
     ● APK and system binary (normal Linux)
  3. Attack Surface & Origin
     1. Malicious App
     2. Web links with Native Intents
     3. Instant Apps
     4. WebView API
     ... and even more
  4. Tools
     1. Dex2Jar
     2. EnJarify from Google
     3. Apktool (recompile)
     4. ADB Commands
  5. Basic Components
     1. Activity
     2. Provider
     3. Service
     4. BroadcastReceiver
  6. Magic of Manifest - AndroidManifest.xml
     1. Provides crystal clear exported components
     2. Entry point to any component with help of Intent filters
     3. Network configurations
     4. Permission model & Custom permissions
  7. Rule #1 - Exported="true"
     Grab the components that have the exported="true" attribute in the Manifest.
  8. Rule #2 - Permission Check
     Chain with Rule #1 above and check for a permission check:
     ● Signature
     ● Normal
     ● Dangerous
     ● SystemSignature
  9. Permission example
  10. Rule #3 - Intent-filter actions
     Chain with Rules #1 & #2 above and check for a permission check:
     ● Considered as exported="true"
     ● Contains metadata for the component action
     ● Filters data type, host and URI path
     ● Fails if exported="false"
  11. Why Provider Component?
     1. Provider Exploits
     2. Identifying security impact
  12. Provider Component
     1. Provides data interface between apps
     2. Returns Cursors & File objects
     3. WhatsApp <-> Contacts Application
     4. File Provider and Content Provider
  13. Content Provider Basics
  14. Provider - Vulnerable Code
     https://code.videolan.org/videolan/vlc-android/commit/86051dd9753a126e454726d9141566d4b1999262
  15. Provider - Vector
     https://code.videolan.org/videolan/vlc-android/commit/86051dd9753a126e454726d9141566d4b1999262
     content://MASKED_AUTHORITY/databases/history.db
     file:///data/data/VULNERABLE_APP_SPACE/database/history.db
  16. Provider - Fixed Code
     https://code.videolan.org/videolan/vlc-android/commit/86051dd9753a126e454726d9141566d4b1999262
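Slides 14 to 16 point at the VLC commit but the deck itself reproduces no code. The following Python model is an added example, not VLC's code and not the fix in that commit: it contrasts the resolution pattern behind the slide-15 vector (the path part of a content:// URI joined straight onto the app's private directory) with the check a hardened openFile() needs, namely resolving the request against one fixed shared directory and refusing anything that lands outside it. APP_DIR, SHARE_ROOT and the file names are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed paths for the example; the app id and directory layout are assumptions.
APP_DIR = "/data/data/com.example.app"
SHARE_ROOT = APP_DIR + "/files/shared"   # the only directory meant to be shared


def vulnerable_resolve(requested):
    """Pattern behind the slide-15 vector: the path part of the content:// URI is
    joined onto the app's private directory without any validation, so the
    caller can name any private file, including the SQLite database."""
    return posixpath.normpath(posixpath.join(APP_DIR, requested))


def resolve_shared_file(requested, root=SHARE_ROOT):
    """Model of the check a hardened openFile() needs: the request may only name
    a file strictly inside `root`. Raises ValueError for anything else."""
    root = posixpath.normpath(root)
    decoded = unquote(requested)            # %2e%2e and %2f must not slip past
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    if decoded.startswith("/"):
        raise ValueError("absolute path not allowed")
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # commonpath rather than startswith: ".../shared2/f" starts with the string
    # ".../shared" but is outside that directory.
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the shared directory: %s" % candidate)
    # On a device the result must still go through File.getCanonicalPath() (or
    # realpath) before use, because a symlink inside root can point outside it.
    return candidate


def is_rejected(requested):
    """True when the hardened check refuses the request."""
    try:
        resolve_shared_file(requested)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve("databases/history.db"))
    for req in ("photos/cat.jpg", "../../databases/history.db",
                "%2e%2e/%2e%2e/databases/history.db", "../shared2/x"):
        print("%-40s rejected=%s" % (req, is_rejected(req)))
```

The two traversal forms, the absolute path and the sibling-directory prefix collision are the cases a naive startswith() check gets wrong; running the block prints the verdict for each.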
  17. Android Open Redirect & grantURIPermissions
     Credits: BagiPro (HackerOne)
     1. GrantURIPermission concept - AndroidManifest
     2. Chaining with Open Redirect via Intent
     3. Compromising the Provider
  18. Open Redirect
  19. GrantURIPermission - Code
  20. GrantURIPermission - Vector
  21. Exported Provider - Plain Vanilla bug 😊
     1. Access all C-R-U-D queries in the provider
     2. Direct impact on the application's SQLite database
     3. Check for all tables and dump the database
  22. Attention - Interesting Fact - Platform Feature/BUG
     1. Providers without an exported attribute are open by default in API < 16
     2. Apps compiled against SDK <= 16 without an exported attribute are open at all API levels (even above API level 17)
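Rules #1 to #3 (slides 7 to 10) and the default-export fact on slide 22 are one manifest triage procedure, so here is one added example covering both; it is not the author's tooling. The script reads a decoded AndroidManifest.xml (as Apktool emits it), lists every component reachable from other apps, records why it is reachable (explicit exported="true", an intent-filter, or a provider left without the attribute while targetSdkVersion is 16 or lower), resolves any guarding permission to its declared protection level, and flags android:grantUriPermissions for the slide-17 chain. The sample manifest, package name and permission name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "provider", "service", "receiver")


def _attr(elem, name):
    """Read an android:-namespaced attribute; None when the attribute is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def export_reason(elem, target_sdk):
    """Rule #1 and Rule #3 plus the slide-22 default: return why the component
    is reachable from other apps, or None when it is not."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        # Rule #3: an intent-filter never overrides an explicit exported="false"
        return "explicit" if explicit.lower() == "true" else None
    if elem.find("intent-filter") is not None:
        return "intent-filter"  # implicitly exported because it has a filter
    if elem.tag == "provider" and target_sdk <= 16:
        return "default(targetSdk<=16)"  # slide 22: provider open by default
    return None


def triage_manifest(xml_text):
    """Return the exported components with the data Rules #1-#3 ask for."""
    root = ET.fromstring(xml_text)
    target_sdk = 1  # Android's default when <uses-sdk> is missing
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None and _attr(uses_sdk, "targetSdkVersion"):
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion"))
    # Rule #2: protection level of every custom permission the app declares
    levels = {_attr(p, "name"): (_attr(p, "protectionLevel") or "normal")
              for p in root.findall("permission")}
    findings = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS:
            continue
        reason = export_reason(elem, target_sdk)
        if reason is None:
            continue
        declared = (_attr(elem, "permission"), _attr(elem, "readPermission"),
                    _attr(elem, "writePermission"))
        findings.append({
            "type": elem.tag,
            "name": _attr(elem, "name"),
            "exported_by": reason,
            # platform permissions are not declared in this manifest, so mark them
            "permissions": {p: levels.get(p, "platform/unknown") for p in declared if p},
            "actions": [_attr(a, "name") for a in elem.iter("action")],
            "grant_uri_permissions": (_attr(elem, "grantUriPermissions") or "false").lower() == "true",
        })
    return findings


def unprotected(findings):
    """Exported components with no permission at all: the 'plain vanilla' cases."""
    return [f for f in findings if not f["permissions"]]


# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vuln">
    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
    <permission android:name="com.example.vuln.SYNC" android:protectionLevel="signature"/>
    <application android:label="Demo">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <provider android:name=".HistoryProvider"
            android:authorities="com.example.vuln.history"
            android:grantUriPermissions="true"/>
        <provider android:name=".SecretProvider"
            android:authorities="com.example.vuln.secret"
            android:exported="false"/>
        <service android:name=".SyncService" android:exported="true"
            android:permission="com.example.vuln.SYNC"/>
        <receiver android:name=".BootReceiver" android:exported="false">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for f in triage_manifest(SAMPLE_MANIFEST):
        print(f)
```

On the sample, .HistoryProvider is listed only because targetSdkVersion is 16; raising it to 17 drops it from the output, which is the slide-22 behaviour. The receiver is not listed despite its intent-filter because exported="false" wins, and the service is listed but guarded by a signature-level permission, so unprotected() returns only the activity and the provider.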
  23. exported="true"
  24. Exploit
  25. Before submitting a Bug
     1. Does the provider return data even though the component is exported?
     2. What type of data? (PII / public data / SD card data)
     3. Are internal app-space files exposed?
     4. Is the provider behind a cryptographic function? (Not an issue)
     5. Signature permission checks and UID check
     6. Cases that need physical device access or a rooted device are not accepted
  26. Questions! Shivasurya S, Zoho Corp.