MASTG-TECH-0163: Enumerating Content Providers

You can enumerate the content providers an app declares, and determine which of them are exported, by inspecting the app's AndroidManifest.xml or by querying the running system. See Android ContentProvider for background on content providers, URI structure, and access control. Once you've identified a provider and its authority, use Interacting with Android ContentProviders to query, insert, update, or delete data through it.

Prefer static analysis of the manifest first, as it doesn't require a device and reflects exactly what the app declares. Use the device- and tool-based options when you also need to confirm runtime behavior.

Using the AndroidManifest

Extract and decode the AndroidManifest.xml as described in Obtaining Information from the AndroidManifest, then analyze it as described in Analyzing the AndroidManifest. Look for <provider> elements and record their android:authorities values, which form the content://<authority> part of the provider's URIs.

A content provider is exported, and therefore reachable by other apps, when either of the following is true:

  • It sets android:exported="true".
  • On apps targeting API level 16 or lower, android:exported is not set (the historical default was true).

Note the access-control attributes: android:permission, android:readPermission, android:writePermission, and android:grantUriPermissions.

For example, with the manifest extracted to standard XML, you can list provider declarations with:

xmlstarlet sel -t -m "//provider" -v "@android:name" -o " authorities=" -v "@android:authorities" -o " exported=" -v "@android:exported" -n AndroidManifest.xml
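The xmlstarlet command prints the raw attribute values only. The following added example (not part of the original page or of any MASTG tooling) applies the export rule above to a decoded manifest and records the access-control attributes per provider. The function name, the sample manifest, and the `target_sdk` override are assumptions made for illustration; it also assumes the decoded manifest still carries `<uses-sdk>`, otherwise pass the target SDK explicitly.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
ACCESS_ATTRS = ("permission", "readPermission", "writePermission", "grantUriPermissions")

# Constructed sample manifest (hypothetical app, not taken from a real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
  <application>
    <provider android:name=".NotesProvider"
        android:authorities="com.example.notes.provider;com.example.notes.legacy"/>
    <provider android:name=".FilesProvider" android:authorities="com.example.notes.files"
        android:exported="false" android:grantUriPermissions="true"/>
    <provider android:name=".SyncProvider" android:authorities="com.example.notes.sync"
        android:exported="true" android:readPermission="com.example.notes.READ"/>
  </application>
</manifest>"""


def enumerate_providers(manifest_xml, target_sdk=None):
    """Return one dict per <provider>; exported is True, False, or None if undecidable."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    if target_sdk is None and uses_sdk is not None:
        raw = uses_sdk.get(ANDROID + "targetSdkVersion", "")
        target_sdk = int(raw) if raw.isdigit() else None
    providers = []
    for node in root.iter("provider"):
        declared = node.get(ANDROID + "exported")
        if declared in ("true", "false"):
            exported = declared == "true"
        elif declared is None and target_sdk is not None:
            exported = target_sdk <= 16  # historical default: true up to API level 16
        else:
            exported = None  # resource reference, or target SDK unknown
        providers.append({
            "name": node.get(ANDROID + "name"),
            # android:authorities may hold several authorities separated by ';'
            "authorities": [a for a in node.get(ANDROID + "authorities", "").split(";") if a],
            "exported": exported,
            "access": {k: node.get(ANDROID + k) for k in ACCESS_ATTRS if node.get(ANDROID + k)},
        })
    return providers


if __name__ == "__main__":
    for p in enumerate_providers(SAMPLE_MANIFEST):
        print(p)
```

A provider reported with `exported` set to `None` needs the target SDK or the referenced resource resolved before you can classify it.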

Using aapt2

aapt2 prints the components declared in the manifest, including providers, without decoding the full XML:

aapt2 d xmltree app.apk --file AndroidManifest.xml | grep -A4 "E: provider"

In the raw output, an exported provider has android:exported set to 0xffffffff (true).

Using adb

On a device or emulator with the app installed, you can list the providers a package registers with the package manager:

adb shell dumpsys package <package_name> | grep -i "Provider{"

To discover the URI paths a provider exposes, reverse engineer the provider class as described in Static Analysis on Android and look for the content:// URIs and UriMatcher patterns it handles (see Android ContentProvider). Then interact with the provider as described in Interacting with Android ContentProviders.

Using drozer

As a last resort, when manifest and adb inspection aren't sufficient, drozer can enumerate providers, surface their URIs, and probe them:

run app.provider.info -a <package_name>
run app.provider.finduri <package_name>