Skip to content

MASTG-TECH-0148: Interacting with Android ContentProviders

See Android ContentProvider for an overview of Android ContentProviders, including URI structure, access control, and query handling.

Using adb

You can use adb to interact with ContentProviders on a device or emulator via the content command.

Query rows

adb shell content query --uri content://org.owasp.mastestapp.provider/students
adb shell content query --uri content://org.owasp.mastestapp.provider/students --where "name='Bob'"

Insert a row

adb shell content insert \
    --uri content://org.owasp.mastestapp.provider/students \
    --bind name:s:Eve

Update rows

adb shell content update \
    --uri content://org.owasp.mastestapp.provider/students \
    --where "id=1" \
    --bind name:s:"Alice Jr"

Delete rows

adb shell content delete \
    --uri content://org.owasp.mastestapp.provider/students \
    --where "id=3"

Notes

  • The --where argument maps directly to the selection parameter in ContentProvider.query().
  • The command executes in the context of the shell user, so access depends on whether the provider is exported and what permissions are enforced.
  • Quoting and escaping are important when passing strings or crafting test inputs, especially when using SQL operators.

Demos

MASTG-DEMO-0102: SQL Injection via URI Path and Selection in Android Content Providers