MASTG-TEST-0357: References to Oversharing of File-Based Content Providers

Overview

If the app exports an Android content provider without enforcing access restrictions, external callers may open private files through content:// URIs. This test checks whether exported providers expose sensitive stored data to callers that don't hold the required permissions.

Steps

  1. Use Reverse Engineering Android Apps to reverse engineer the app.
  2. Use Verify Usage of File-Based Content Providers to identify exported file-based content providers and inspect their path configurations.
  3. Use Static Analysis on Android to look for the relevant APIs.

Observation

The output should contain a list of exported file-based content providers with their path configurations, and a list of code locations where provider-backed file access occurs.

Evaluation

The test case fails if the app exports a FileProvider whose path configuration allows access outside the intended shared directory (for example, via <root-path>, path="/", path=".", or path="").

Further Validation Required:

Inspect each reported code location using Reviewing Decompiled Java Code to determine whether the exposure is security-relevant:

  • Determine whether FileProvider.getUriForFile() is called with attacker-controlled input (for example, values derived from URI query parameters or user input).
  • Determine whether the provider enforces appropriate access control by setting android:permission in the Android Manifest with an adequate protection level such as dangerous or signature.
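
The Evaluation criteria and the android:permission check can be applied mechanically to a decoded manifest and its path resource. The following Python script is an added example, not part of the MASTG test or its tooling; the sample manifest, authority and path file are constructed, and treating a missing android:exported attribute as "not exported" is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BROAD_PATHS = {"", ".", "/"}  # path values named in the Evaluation section

# Constructed sample input: a decoded manifest and its res/xml/file_paths.xml.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <provider android:name="androidx.core.content.FileProvider"
              android:authorities="org.example.demo.files"
              android:exported="true" android:grantUriPermissions="true">
      <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
                 android:resource="@xml/file_paths"/>
    </provider>
  </application>
</manifest>"""
PATH_XMLS = {"file_paths": """<paths>
  <files-path name="shared" path="shared/"/>
  <files-path name="all_files" path="."/>
  <root-path name="root" path=""/>
</paths>"""}


def broad_entries(paths_xml):
    """Return (tag, path) pairs that match the failing configurations."""
    return [(el.tag, el.get("path", "")) for el in ET.fromstring(paths_xml)
            if el.tag == "root-path" or el.get("path", "").strip() in BROAD_PATHS]


def audit(manifest_xml, path_xmls):
    """Report exported providers whose path configuration is overly broad."""
    findings = []
    for prov in ET.fromstring(manifest_xml).iter("provider"):
        if prov.get(ANDROID + "exported") != "true":
            continue  # assumption: a missing attribute means not exported
        for meta in prov.iter("meta-data"):
            if meta.get(ANDROID + "name") != "android.support.FILE_PROVIDER_PATHS":
                continue
            res = meta.get(ANDROID + "resource", "").split("/")[-1]
            hits = broad_entries(path_xmls.get(res, "<paths/>"))
            if hits:
                findings.append({"authority": prov.get(ANDROID + "authorities"),
                                 "permission": prov.get(ANDROID + "permission"),
                                 "broad_paths": hits})
    return findings


if __name__ == "__main__":
    print(*audit(MANIFEST, PATH_XMLS), sep="\n")
```

A finding whose permission field is None means the exported provider declares no android:permission, so the code locations that use it should be reviewed first.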

Best Practices

MASTG-BEST-0049: Restrict and Validate Access to Exported Content Providers

Demos

MASTG-DEMO-0123: Exfiltration of Private Files via FileProvider URI Grant Oversharing

MASTG-DEMO-0122: Oversharing via FileProvider with Unrestricted Path Configuration