MASTG-TEST-0357: References to Oversharing of File-Based Content Providers

Overview

If the app exports an Android content provider without enforcing access restrictions, external callers may open private files through content:// URIs. This test checks whether exported providers expose sensitive stored data to callers that don't hold the required permissions.

Steps

  1. Use Reverse Engineering Android Apps to reverse engineer the app.
  2. Use Static Analysis on Android and Verify Usage of File-Based Content Providers to confirm which provider classes expose file access, and whether they validate the caller before returning data.
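
As an added example (not code from the MASTG page or its demo), the kind of static check step 2 calls for: a small Python script that parses a decompiled AndroidManifest.xml together with the FileProvider path resource and flags providers that are exported without a permission or whose path configuration shares a whole directory tree. The manifest, the `@xml/file_paths` resource and the `com.example.app` authorities are constructed sample input; a missing `android:exported` is treated as false here, which matches the API 31+ requirement but not the default for apps targeting older SDKs.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PERMISSION_ATTRS = ("permission", "readPermission", "writePermission")

def _attr(elem, name):
    """Read an android:-namespaced attribute (None when absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def check_file_paths(paths_xml):
    """Flag FileProvider path entries that expose a whole tree instead of one subdirectory."""
    issues = []
    for entry in ET.fromstring(paths_xml):
        path = entry.get("path", "")
        if entry.tag == "root-path":
            issues.append(f"<root-path path={path!r}> shares the entire filesystem")
        elif path.strip("/") in ("", "."):
            issues.append(f"<{entry.tag} path={path!r}> shares the whole {entry.tag} directory")
    return issues

def find_oversharing_providers(manifest_xml, file_paths_by_resource):
    """One finding per <provider> exported without a permission or with unrestricted FileProvider paths."""
    findings = []
    for prov in ET.fromstring(manifest_xml).iter("provider"):
        issues = []
        exported = _attr(prov, "exported") == "true"  # assumption: absent means not exported
        if exported and not any(_attr(prov, a) for a in PERMISSION_ATTRS):
            issues.append("exported without android:permission/readPermission/writePermission")
        for md in prov.findall("meta-data"):
            if _attr(md, "name") == "android.support.FILE_PROVIDER_PATHS":
                issues += check_file_paths(file_paths_by_resource.get(_attr(md, "resource"), "<paths/>"))
        if issues:
            findings.append({"authorities": _attr(prov, "authorities"), "issues": issues})
    return findings

# Constructed sample: an exported provider with no permission, and a FileProvider whose file_paths.xml uses <root-path path=".">.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<application>
  <provider android:name=".NotesProvider" android:authorities="com.example.app.notes" android:exported="true"/>
  <provider android:name="androidx.core.content.FileProvider" android:authorities="com.example.app.files"
            android:exported="false" android:grantUriPermissions="true">
    <meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="@xml/file_paths"/>
  </provider>
</application>
</manifest>"""
SAMPLE_FILE_PATHS = {"@xml/file_paths": '<paths><root-path name="all" path="."/></paths>'}

if __name__ == "__main__":
    for f in find_oversharing_providers(SAMPLE_MANIFEST, SAMPLE_FILE_PATHS):
        print(f["authorities"], "->", "; ".join(f["issues"]))
```

Run it against the manifest and `res/xml` files extracted in step 1; each finding names the authority to examine for the access-control and external-access checks the Observation section asks for.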

Observation

The output should contain each provider's authorities, the access control configured for each provider, and the result of each external access attempt.

Evaluation

The test case fails if an external caller can open provider-backed private files without the required permissions.

Best Practices

MASTG-BEST-0049: Restrict and Validate Access to Exported Content Providers

Demos

MASTG-DEMO-0122: Oversharing via FileProvider with Unrestricted Path Configuration