MASTG-TEST-0355: References to Unauthorized Database Access through Content Providers

Overview

This test checks whether the app exposes content providers that can be accessed by other apps without appropriate permission enforcement. Specifically, it verifies whether exported <provider> elements in the AndroidManifest.xml enforce access control via android:readPermission and android:writePermission (or the combined android:permission). If a content provider is exported (android:exported="true") without these permissions, any app on the device can query the underlying database to retrieve sensitive data such as user PII, account details, or internal app configurations.

The same applies when no protection level is configured and becomes automatically android:protectionLevel="normal", which is granting access automatically to any requesting app.

Steps

1. Use Reverse Engineering Android Apps to reverse engineer the app.
2. Use Static Analysis on Android to identify exported content providers and verify whether they enforce appropriate permissions and caller validation.

Observation

The output should contain a list of providers and their configuration.

Evaluation

The test case fails if one or more content providers are exported without enforcing read or write permissions, or if the enforced permissions do not adequately protect the sensitivity of the exposed data (e.g., sensitive data is protected by a permission that any app can obtain).

Best Practices

MASTG-BEST-0049: Restrict and Validate Access to Exported Content Providers

Demos

MASTG-DEMO-0120: Uses of Unauthorized Access to Exported Content Providers