MASTG-TEST-0356: Runtime Verification of Unauthorized Database Access through Content Providers
Overview
This test is the dynamic counterpart to References to Unauthorized Database Access through Content Providers.
Steps
- Use Installing Apps to install the app.
- Exercise the app extensively to trigger as many flows as possible and enter sensitive data wherever you can.
- Use Interacting with Android ContentProviders to query the app's exported content providers.
Observation
The output should contain the content of the database that is available through the content provider.
Evaluation
The test case fails if sensitive data can be accessed through content providers.
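One way to apply this evaluation to saved output, as an added example that is not part of the MASTG page: it parses the `Row: N col=value, ...` lines printed by `adb shell content query --uri <provider URI>` and flags non-empty values in columns whose names look sensitive. The keyword list and the sample rows are assumptions constructed for illustration.

```python
import re

# Assumed keyword list: adjust to what the app under test treats as sensitive.
SENSITIVE_TOKENS = {"password", "passwd", "token", "secret", "pin",
                    "email", "phone", "ssn", "card"}
ROW = re.compile(r"^Row: (\d+) (.*)$")
# Split only at ", " followed by "column=", so commas inside values survive.
PAIR_SPLIT = re.compile(r", (?=[A-Za-z_][A-Za-z0-9_]*=)")

# Constructed sample of `content query` output (not from a real app).
SAMPLE = """\
Row: 0 _id=1, username=alice, password=hunter2, note=likes tea, with milk
Row: 1 _id=2, username=bob, password=NULL, note=
"""

def parse_rows(output):
    """Turn 'Row: N col=val, col=val' lines into a list of dicts."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # e.g. "No result found." or an error message
        row = {}
        for pair in PAIR_SPLIT.split(m.group(2)):
            col, _, val = pair.partition("=")
            row[col] = val
        rows.append(row)
    return rows

def is_sensitive(column):
    """True if any underscore-separated part of the column name is a keyword."""
    return any(part in SENSITIVE_TOKENS for part in column.lower().split("_"))

def evaluate(output):
    """Return (failed, findings); findings are (row index, column) pairs."""
    findings = []
    for index, row in enumerate(parse_rows(output)):
        for col, val in row.items():
            # The content tool prints NULL for null columns; skip empty cells.
            if val not in ("", "NULL") and is_sensitive(col):
                findings.append((index, col))
    return bool(findings), findings

if __name__ == "__main__":
    failed, findings = evaluate(SAMPLE)
    print("FAIL" if failed else "PASS", findings)
```

A pass from this script only means no column name matched a keyword; the returned rows still need a manual review for sensitive values stored under neutral column names.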
Best Practices
MASTG-BEST-0049: Restrict and Validate Access to Exported Content Providers
Demos
MASTG-DEMO-0121: Unauthorized Access to Database Records through Exported Content Provider