From f9f0523914bab508fcc808dd279fc82ff1443f29 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 18 Apr 2026 11:16:33 +0000 Subject: [PATCH 01/14] Initial plan From 4bc240505e6cddd41572c0cb0926b98002926356 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 18 Apr 2026 11:18:28 +0000 Subject: [PATCH 02/14] Update MASWE-0064 content provider weakness entry Agent-Logs-Url: https://github.com/OWASP/maswe/sessions/60e57da0-f8a2-41f0-b8b9-1bddf14e4114 Co-authored-by: sushi2k <5951320+sushi2k@users.noreply.github.com> --- weaknesses/MASVS-PLATFORM/MASWE-0064.md | 57 +++++++++++++++++-------- 1 file changed, 39 insertions(+), 18 deletions(-) diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0064.md b/weaknesses/MASVS-PLATFORM/MASWE-0064.md index 9731a5b..c3208b7 100644 --- a/weaknesses/MASVS-PLATFORM/MASWE-0064.md +++ b/weaknesses/MASVS-PLATFORM/MASWE-0064.md @@ -7,24 +7,45 @@ profiles: [L1, L2] mappings: masvs-v1: [MSTG-STORAGE-6] masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-1] - cwe: [926] - + cwe: [20, 73, 926] + android-risks: + - https://developer.android.com/privacy-and-security/risks/content-resolver + - https://developer.android.com/privacy-and-security/risks/untrustworthy-contentprovider-provided-filename refs: -- https://developer.android.com/topic/security/risks/content-resolver -- https://developer.android.com/reference/androidx/core/content/FileProvider -- https://developer.android.com/topic/security/risks/file-providers -- https://developer.android.com/privacy-and-security/security-tips#ContentProviders -draft: - description: Unintentionally exported content providers, unprotected content providers, - permission tags, protection level - topics: - - file-system based - - FileProvider (Android) - - database based - - exposed - - permission tags - - protection level -status: placeholder - +- https://developer.android.com/guide/topics/providers/content-provider-basics +- https://developer.android.com/privacy-and-security/risks/content-resolver +- https://developer.android.com/privacy-and-security/risks/untrustworthy-contentprovider-provided-filename +status: new --- +## Overview + +Insecure content provider usage occurs when an app exposes or consumes data through `ContentProvider` and `ContentResolver` interfaces without enforcing trust boundaries, access restrictions, and input validation. + +Content providers are designed to share structured data between apps through content URIs, including metadata and file-backed resources. This model is powerful for interoperability, but it also creates an inter-process boundary where untrusted callers and untrusted providers can influence data access and file operations. + +The weakness can appear in both provider implementations and client code. Providers may overexpose data through incorrect export settings or insufficient permission checks, while clients may treat provider-returned values as trusted even though they originate outside the app's trust domain. + +## Modes of Introduction + +- Developers configure a provider as exported, or with weak read/write permissions, when the data was intended only for internal app use. +- Developers rely only on manifest declarations and omit runtime validation of caller identity, URI patterns, or requested operations in provider methods. +- Developers consume data from external providers through `ContentResolver` APIs and trust returned columns, MIME types, or filenames without sanitization and canonicalization. +- Developers open file descriptors or create local files based on provider-supplied metadata without constraining paths and destinations to app-controlled locations. +- Third-party SDKs or cross-platform plugins add provider components or provider-consuming flows with permissive defaults that bypass the app's intended sharing model. + +## Impact + +- Unauthorized apps can read sensitive records or files exposed by a misconfigured provider. +- Unauthorized apps can modify or delete shared data, causing integrity loss and business logic manipulation. +- Malicious providers can supply crafted metadata or filenames that cause insecure file handling in the consuming app. +- Attackers can trigger overwrite or placement of files in unintended app-accessible locations when path handling is not constrained. +- Compromised provider trust boundaries can enable follow-on attacks such as privilege misuse, data exfiltration, or persistence of tampered content. + +## Mitigations + +- Keep providers non-exported by default, and only export when cross-app sharing is explicitly required. +- Protect exported providers with the narrowest feasible read and write permissions, and enforce additional runtime authorization checks. +- Validate and constrain every incoming URI, selection argument, and operation before processing provider requests. +- Treat all data returned by external providers as untrusted, and sanitize metadata such as display names, MIME types, and paths before use. +- Restrict file operations to app-controlled directories, canonicalize paths before writing, and reject path traversal or ambiguous path inputs. From 61cb429e4eaaf176d9c1f19804dd57725d34df45 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 18 Apr 2026 11:19:01 +0000 Subject: [PATCH 03/14] Refine MASWE-0064 references and overview phrasing Agent-Logs-Url: https://github.com/OWASP/maswe/sessions/60e57da0-f8a2-41f0-b8b9-1bddf14e4114 Co-authored-by: sushi2k <5951320+sushi2k@users.noreply.github.com> --- weaknesses/MASVS-PLATFORM/MASWE-0064.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0064.md b/weaknesses/MASVS-PLATFORM/MASWE-0064.md index c3208b7..0e3559c 100644 --- a/weaknesses/MASVS-PLATFORM/MASWE-0064.md +++ b/weaknesses/MASVS-PLATFORM/MASWE-0064.md @@ -13,14 +13,14 @@ mappings: - https://developer.android.com/privacy-and-security/risks/untrustworthy-contentprovider-provided-filename refs: - https://developer.android.com/guide/topics/providers/content-provider-basics -- https://developer.android.com/privacy-and-security/risks/content-resolver -- https://developer.android.com/privacy-and-security/risks/untrustworthy-contentprovider-provided-filename +- https://developer.android.com/reference/android/content/ContentProvider +- https://developer.android.com/reference/android/content/ContentResolver status: new --- ## Overview -Insecure content provider usage occurs when an app exposes or consumes data through `ContentProvider` and `ContentResolver` interfaces without enforcing trust boundaries, access restrictions, and input validation. +This weakness occurs when an app exposes or consumes data through `ContentProvider` and `ContentResolver` interfaces without enforcing trust boundaries, access restrictions, and input validation. Content providers are designed to share structured data between apps through content URIs, including metadata and file-backed resources. This model is powerful for interoperability, but it also creates an inter-process boundary where untrusted callers and untrusted providers can influence data access and file operations. From 5f5277a91105db805ad1fb7a438a18db00145a99 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 18 Apr 2026 11:19:28 +0000 Subject: [PATCH 04/14] Align MASWE-0064 overview opening sentence with guideline format Agent-Logs-Url: https://github.com/OWASP/maswe/sessions/60e57da0-f8a2-41f0-b8b9-1bddf14e4114 Co-authored-by: sushi2k <5951320+sushi2k@users.noreply.github.com> --- weaknesses/MASVS-PLATFORM/MASWE-0064.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0064.md b/weaknesses/MASVS-PLATFORM/MASWE-0064.md index 0e3559c..5b33e24 100644 --- a/weaknesses/MASVS-PLATFORM/MASWE-0064.md +++ b/weaknesses/MASVS-PLATFORM/MASWE-0064.md @@ -20,7 +20,7 @@ status: new ## Overview -This weakness occurs when an app exposes or consumes data through `ContentProvider` and `ContentResolver` interfaces without enforcing trust boundaries, access restrictions, and input validation. +Insecure content provider usage occurs when an app exposes or consumes data through `ContentProvider` and `ContentResolver` interfaces without enforcing trust boundaries, access restrictions, and input validation. Content providers are designed to share structured data between apps through content URIs, including metadata and file-backed resources. This model is powerful for interoperability, but it also creates an inter-process boundary where untrusted callers and untrusted providers can influence data access and file operations. From bdfb34bdc36509510b4148f71e65b0f3b0c24daf Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 18 Apr 2026 11:19:59 +0000 Subject: [PATCH 05/14] Polish MASWE-0064 introduction and modes of introduction wording Agent-Logs-Url: https://github.com/OWASP/maswe/sessions/60e57da0-f8a2-41f0-b8b9-1bddf14e4114 Co-authored-by: sushi2k <5951320+sushi2k@users.noreply.github.com> --- weaknesses/MASVS-PLATFORM/MASWE-0064.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0064.md b/weaknesses/MASVS-PLATFORM/MASWE-0064.md index 5b33e24..8977ada 100644 --- a/weaknesses/MASVS-PLATFORM/MASWE-0064.md +++ b/weaknesses/MASVS-PLATFORM/MASWE-0064.md @@ -20,7 +20,7 @@ status: new ## Overview -Insecure content provider usage occurs when an app exposes or consumes data through `ContentProvider` and `ContentResolver` interfaces without enforcing trust boundaries, access restrictions, and input validation. +Content provider trust boundary weakness occurs when an app exposes or consumes data through `ContentProvider` and `ContentResolver` interfaces without enforcing trust boundaries, access restrictions, and input validation. Content providers are designed to share structured data between apps through content URIs, including metadata and file-backed resources. This model is powerful for interoperability, but it also creates an inter-process boundary where untrusted callers and untrusted providers can influence data access and file operations. @@ -28,11 +28,11 @@ The weakness can appear in both provider implementations and client code. Provid ## Modes of Introduction -- Developers configure a provider as exported, or with weak read/write permissions, when the data was intended only for internal app use. -- Developers rely only on manifest declarations and omit runtime validation of caller identity, URI patterns, or requested operations in provider methods. -- Developers consume data from external providers through `ContentResolver` APIs and trust returned columns, MIME types, or filenames without sanitization and canonicalization. -- Developers open file descriptors or create local files based on provider-supplied metadata without constraining paths and destinations to app-controlled locations. -- Third-party SDKs or cross-platform plugins add provider components or provider-consuming flows with permissive defaults that bypass the app's intended sharing model. +- A provider is configured as exported, or with weak read/write permissions, when the data was intended only for internal app use. +- Runtime validation of caller identity, URI patterns, or requested operations is omitted in provider methods, relying only on manifest declarations. +- Data returned by external providers through `ContentResolver` APIs is treated as trusted without sanitization and canonicalization of columns, MIME types, or filenames. +- File descriptors are opened and local files are created from provider-supplied metadata without constraining paths and destinations to app-controlled locations. +- Third-party SDKs or cross-platform plugins introduce provider components or provider-consuming flows with permissive defaults that bypass the app's intended sharing model. ## Impact From d0ec69d4a1837a10e4b0559360cc11eb128c90f2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 18 Apr 2026 11:20:27 +0000 Subject: [PATCH 06/14] Finalize MASWE-0064 wording per review feedback Agent-Logs-Url: https://github.com/OWASP/maswe/sessions/60e57da0-f8a2-41f0-b8b9-1bddf14e4114 Co-authored-by: sushi2k <5951320+sushi2k@users.noreply.github.com> --- weaknesses/MASVS-PLATFORM/MASWE-0064.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0064.md b/weaknesses/MASVS-PLATFORM/MASWE-0064.md index 8977ada..776cee0 100644 --- a/weaknesses/MASVS-PLATFORM/MASWE-0064.md +++ b/weaknesses/MASVS-PLATFORM/MASWE-0064.md @@ -20,7 +20,7 @@ status: new ## Overview -Content provider trust boundary weakness occurs when an app exposes or consumes data through `ContentProvider` and `ContentResolver` interfaces without enforcing trust boundaries, access restrictions, and input validation. +Content provider boundary violation occurs when an app exposes or consumes data through `ContentProvider` and `ContentResolver` interfaces without enforcing trust boundaries, access restrictions, and input validation. Content providers are designed to share structured data between apps through content URIs, including metadata and file-backed resources. This model is powerful for interoperability, but it also creates an inter-process boundary where untrusted callers and untrusted providers can influence data access and file operations. @@ -30,7 +30,7 @@ The weakness can appear in both provider implementations and client code. Provid - A provider is configured as exported, or with weak read/write permissions, when the data was intended only for internal app use. - Runtime validation of caller identity, URI patterns, or requested operations is omitted in provider methods, relying only on manifest declarations. -- Data returned by external providers through `ContentResolver` APIs is treated as trusted without sanitization and canonicalization of columns, MIME types, or filenames. +- Data returned by external providers through `ContentResolver` APIs is treated as trusted without sanitization or canonicalization of columns, MIME types, or filenames. - File descriptors are opened and local files are created from provider-supplied metadata without constraining paths and destinations to app-controlled locations. - Third-party SDKs or cross-platform plugins introduce provider components or provider-consuming flows with permissive defaults that bypass the app's intended sharing model. From 0e04bdea6fcd947e8e616e41b8ab66c69d7902f6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 18 Apr 2026 11:20:58 +0000 Subject: [PATCH 07/14] Use developer-facing wording in MASWE-0064 introduction bullets Agent-Logs-Url: https://github.com/OWASP/maswe/sessions/60e57da0-f8a2-41f0-b8b9-1bddf14e4114 Co-authored-by: sushi2k <5951320+sushi2k@users.noreply.github.com> --- weaknesses/MASVS-PLATFORM/MASWE-0064.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0064.md b/weaknesses/MASVS-PLATFORM/MASWE-0064.md index 776cee0..55b890e 100644 --- a/weaknesses/MASVS-PLATFORM/MASWE-0064.md +++ b/weaknesses/MASVS-PLATFORM/MASWE-0064.md @@ -20,7 +20,7 @@ status: new ## Overview -Content provider boundary violation occurs when an app exposes or consumes data through `ContentProvider` and `ContentResolver` interfaces without enforcing trust boundaries, access restrictions, and input validation. +Insecure content provider usage occurs when an app exposes or consumes data through `ContentProvider` and `ContentResolver` interfaces without enforcing trust boundaries, access restrictions, and input validation. Content providers are designed to share structured data between apps through content URIs, including metadata and file-backed resources. This model is powerful for interoperability, but it also creates an inter-process boundary where untrusted callers and untrusted providers can influence data access and file operations. @@ -28,8 +28,8 @@ The weakness can appear in both provider implementations and client code. Provid ## Modes of Introduction -- A provider is configured as exported, or with weak read/write permissions, when the data was intended only for internal app use. -- Runtime validation of caller identity, URI patterns, or requested operations is omitted in provider methods, relying only on manifest declarations. +- Developers export providers, or configure weak read/write permissions, when data was intended only for internal app use. +- Developers omit runtime validation of caller identity, URI patterns, or requested operations in provider methods and rely only on manifest declarations. - Data returned by external providers through `ContentResolver` APIs is treated as trusted without sanitization or canonicalization of columns, MIME types, or filenames. - File descriptors are opened and local files are created from provider-supplied metadata without constraining paths and destinations to app-controlled locations. - Third-party SDKs or cross-platform plugins introduce provider components or provider-consuming flows with permissive defaults that bypass the app's intended sharing model. From 6d475ea7268165c39043778aeb02c0db501a1371 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 18 Apr 2026 11:21:31 +0000 Subject: [PATCH 08/14] Clarify MASWE-0064 causes and impact language Agent-Logs-Url: https://github.com/OWASP/maswe/sessions/60e57da0-f8a2-41f0-b8b9-1bddf14e4114 Co-authored-by: sushi2k <5951320+sushi2k@users.noreply.github.com> --- weaknesses/MASVS-PLATFORM/MASWE-0064.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0064.md b/weaknesses/MASVS-PLATFORM/MASWE-0064.md index 55b890e..9884f0f 100644 --- a/weaknesses/MASVS-PLATFORM/MASWE-0064.md +++ b/weaknesses/MASVS-PLATFORM/MASWE-0064.md @@ -28,17 +28,17 @@ The weakness can appear in both provider implementations and client code. Provid ## Modes of Introduction -- Developers export providers, or configure weak read/write permissions, when data was intended only for internal app use. -- Developers omit runtime validation of caller identity, URI patterns, or requested operations in provider methods and rely only on manifest declarations. +- Developers export providers or configure weak read/write permissions when data is intended only for internal app use. +- Developers rely on manifest declarations alone and omit runtime validation of caller identity, URI patterns, and requested operations in provider methods. - Data returned by external providers through `ContentResolver` APIs is treated as trusted without sanitization or canonicalization of columns, MIME types, or filenames. -- File descriptors are opened and local files are created from provider-supplied metadata without constraining paths and destinations to app-controlled locations. +- Developers use provider-supplied metadata to open file descriptors or create local files without constraining paths and destinations to app-controlled locations. - Third-party SDKs or cross-platform plugins introduce provider components or provider-consuming flows with permissive defaults that bypass the app's intended sharing model. ## Impact - Unauthorized apps can read sensitive records or files exposed by a misconfigured provider. - Unauthorized apps can modify or delete shared data, causing integrity loss and business logic manipulation. -- Malicious providers can supply crafted metadata or filenames that cause insecure file handling in the consuming app. +- Malicious providers can supply crafted metadata or filenames that enable path traversal or arbitrary file write in the consuming app. - Attackers can trigger overwrite or placement of files in unintended app-accessible locations when path handling is not constrained. - Compromised provider trust boundaries can enable follow-on attacks such as privilege misuse, data exfiltration, or persistence of tampered content. From 1cab69664ddffd64daefec92154b1075082e9763 Mon Sep 17 00:00:00 2001 From: Sven Schleier Date: Sat, 18 Apr 2026 13:58:30 +0200 Subject: [PATCH 09/14] update and review --- weaknesses/MASVS-PLATFORM/MASWE-0064.md | 54 +++++++++++++------------ 1 file changed, 29 insertions(+), 25 deletions(-) diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0064.md b/weaknesses/MASVS-PLATFORM/MASWE-0064.md index 9884f0f..904edde 100644 --- a/weaknesses/MASVS-PLATFORM/MASWE-0064.md +++ b/weaknesses/MASVS-PLATFORM/MASWE-0064.md @@ -1,51 +1,55 @@ --- title: Insecure Content Providers id: MASWE-0064 -alias: insecure-content-providers +alias: MASWE-0064 platform: [android] profiles: [L1, L2] mappings: masvs-v1: [MSTG-STORAGE-6] masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-1] - cwe: [20, 73, 926] + cwe: [926] android-risks: - - https://developer.android.com/privacy-and-security/risks/content-resolver - - https://developer.android.com/privacy-and-security/risks/untrustworthy-contentprovider-provided-filename + - https://developer.android.com/topic/security/risks/content-resolver refs: -- https://developer.android.com/guide/topics/providers/content-provider-basics -- https://developer.android.com/reference/android/content/ContentProvider -- https://developer.android.com/reference/android/content/ContentResolver + - https://developer.android.com/reference/androidx/core/content/FileProvider + - https://developer.android.com/topic/security/risks/file-providers + - https://developer.android.com/privacy-and-security/security-tips#content-providers status: new --- ## Overview -Insecure content provider usage occurs when an app exposes or consumes data through `ContentProvider` and `ContentResolver` interfaces without enforcing trust boundaries, access restrictions, and input validation. +Content Providers are an Android Inter-Process Communication (IPC) mechanism that enables structured data sharing between apps, backed by databases, files, or other storage mechanisms. -Content providers are designed to share structured data between apps through content URIs, including metadata and file-backed resources. This model is powerful for interoperability, but it also creates an inter-process boundary where untrusted callers and untrusted providers can influence data access and file operations. +The availability of insecure Content Providers occurs when an app exposes a Content Provider without adequate access restrictions, allowing other apps on the device to read, modify, or delete data they shouldn't have access to. -The weakness can appear in both provider implementations and client code. Providers may overexpose data through incorrect export settings or insufficient permission checks, while clients may treat provider-returned values as trusted even though they originate outside the app's trust domain. + +A Content Provider that is exported without proper permission enforcement or that grants overly broad URI permissions can be queried or manipulated by any app on the device. File-based providers, such as `FileProvider`, present additional risk when misconfigured: they can expose files from the app's private directories to arbitrary callers. + +The severity depends on the type of data the provider exposes. Providers that serve authentication tokens, personal data, or internal files pose a higher risk than those that share non-sensitive, public content. ## Modes of Introduction -- Developers export providers or configure weak read/write permissions when data is intended only for internal app use. -- Developers rely on manifest declarations alone and omit runtime validation of caller identity, URI patterns, and requested operations in provider methods. -- Data returned by external providers through `ContentResolver` APIs is treated as trusted without sanitization or canonicalization of columns, MIME types, or filenames. -- Developers use provider-supplied metadata to open file descriptors or create local files without constraining paths and destinations to app-controlled locations. -- Third-party SDKs or cross-platform plugins introduce provider components or provider-consuming flows with permissive defaults that bypass the app's intended sharing model. +- The app declares a Content Provider with `android:exported="true"` in the `AndroidManifest.xml` without setting a `android:permission`, `android:readPermission`, or `android:writePermission` attribute. +- The app targets an API level below 17, where Content Providers are exported by default unless explicitly set to `android:exported="false"`. +- A `FileProvider` is configured with overly broad path rules (e.g., sharing the root of internal storage via ``) that expose files beyond what the app intends. +- The app grants URI permissions with `FLAG_GRANT_READ_URI_PERMISSION` or `FLAG_GRANT_WRITE_URI_PERMISSION` in intents sent to untrusted components, allowing the receiver to access provider data without holding a permanent permission. +- The app defines a custom permission with `android:protectionLevel="normal"` to guard the provider, which any app can request and obtain without user approval. ## Impact -- Unauthorized apps can read sensitive records or files exposed by a misconfigured provider. -- Unauthorized apps can modify or delete shared data, causing integrity loss and business logic manipulation. -- Malicious providers can supply crafted metadata or filenames that enable path traversal or arbitrary file write in the consuming app. -- Attackers can trigger overwrite or placement of files in unintended app-accessible locations when path handling is not constrained. -- Compromised provider trust boundaries can enable follow-on attacks such as privilege misuse, data exfiltration, or persistence of tampered content. +- **Unauthorized Access**: Read access to sensitive data stored in the provider, such as personal information, or application secrets. +- **Data tampering or deletion**: Through unintended access by a malicious app that writes to or deletes records in an unprotected provider, potentially corrupting app state or causing denial of service. +- **Local file disclosure**: Through a misconfigured `FileProvider` that exposes internal files (databases, shared preferences, or configuration files) to other apps. +- **Privilege escalation**: When an attacker chains provider access with other vulnerabilities to gain further control over the app or user data. ## Mitigations -- Keep providers non-exported by default, and only export when cross-app sharing is explicitly required. -- Protect exported providers with the narrowest feasible read and write permissions, and enforce additional runtime authorization checks. -- Validate and constrain every incoming URI, selection argument, and operation before processing provider requests. -- Treat all data returned by external providers as untrusted, and sanitize metadata such as display names, MIME types, and paths before use. -- Restrict file operations to app-controlled directories, canonicalize paths before writing, and reject path traversal or ambiguous path inputs. +- **Secure Default**: Content providers are non-exported by default since API Level 17. Only set `android:exported="true"` in the Android Manifest, when cross-app sharing of data is explicitly required. +- **Least Privilege**: Protect exported content providers with narrow read and write permissions +- **Runtime Checks**: Enforce additional runtime authorization checks, by using []`checkCallingPermission`](https://developer.android.com/reference/android/content/Context#checkCallingPermission(java.lang.String)) +- **Validate Paths**: Restrict file operations to app-controlled directories, canonicalize paths before writing, and reject path traversal or ambiguous path inputs. Additionally, restrict `FileProvider` path configurations to the narrowest directory needed and avoid using ``. +- **Protection Level: Signature**: To effectively restrict access, the custom permission should use the [`signature` protection level](https://developer.android.com/guide/topics/manifest/permission-element#plevel), which limits access to apps signed with the same certificate. + +!!! `Signature Permission` + Requiring `signature` for all exported providers might break legitimate cross-app data sharing, therefore it is necessary to understand what the intention of the content provider is. From ac17222862ff7ba0912fe3c2454b14e50de23839 Mon Sep 17 00:00:00 2001 From: Sven Schleier Date: Sat, 18 Apr 2026 14:02:20 +0200 Subject: [PATCH 10/14] update --- weaknesses/MASVS-PLATFORM/MASWE-0064.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0064.md b/weaknesses/MASVS-PLATFORM/MASWE-0064.md index 904edde..741f456 100644 --- a/weaknesses/MASVS-PLATFORM/MASWE-0064.md +++ b/weaknesses/MASVS-PLATFORM/MASWE-0064.md @@ -1,7 +1,7 @@ --- title: Insecure Content Providers id: MASWE-0064 -alias: MASWE-0064 +alias: insecure-content-providers platform: [android] profiles: [L1, L2] mappings: @@ -23,18 +23,16 @@ Content Providers are an Android Inter-Process Communication (IPC) mechanism tha The availability of insecure Content Providers occurs when an app exposes a Content Provider without adequate access restrictions, allowing other apps on the device to read, modify, or delete data they shouldn't have access to. - A Content Provider that is exported without proper permission enforcement or that grants overly broad URI permissions can be queried or manipulated by any app on the device. File-based providers, such as `FileProvider`, present additional risk when misconfigured: they can expose files from the app's private directories to arbitrary callers. The severity depends on the type of data the provider exposes. Providers that serve authentication tokens, personal data, or internal files pose a higher risk than those that share non-sensitive, public content. ## Modes of Introduction -- The app declares a Content Provider with `android:exported="true"` in the `AndroidManifest.xml` without setting a `android:permission`, `android:readPermission`, or `android:writePermission` attribute. -- The app targets an API level below 17, where Content Providers are exported by default unless explicitly set to `android:exported="false"`. +- **Exported Provider**: The app declares a Content Provider with `android:exported="true"` in the `AndroidManifest.xml` +- **Missing Authorization**: Setting the `android:permission`, `android:readPermission`, or `android:writePermission` attributes are missing, allowing any app on the device to read and write to the content provider. - A `FileProvider` is configured with overly broad path rules (e.g., sharing the root of internal storage via ``) that expose files beyond what the app intends. - The app grants URI permissions with `FLAG_GRANT_READ_URI_PERMISSION` or `FLAG_GRANT_WRITE_URI_PERMISSION` in intents sent to untrusted components, allowing the receiver to access provider data without holding a permanent permission. -- The app defines a custom permission with `android:protectionLevel="normal"` to guard the provider, which any app can request and obtain without user approval. ## Impact From 5e11b14b5a00e3ebac00f78a32d87b939abb94bb Mon Sep 17 00:00:00 2001 From: Sven Schleier Date: Sun, 19 Apr 2026 16:12:52 +0200 Subject: [PATCH 11/14] update draft --- weaknesses/MASVS-PLATFORM/MASWE-0064.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0064.md b/weaknesses/MASVS-PLATFORM/MASWE-0064.md index 741f456..540e081 100644 --- a/weaknesses/MASVS-PLATFORM/MASWE-0064.md +++ b/weaknesses/MASVS-PLATFORM/MASWE-0064.md @@ -19,7 +19,7 @@ status: new ## Overview -Content Providers are an Android Inter-Process Communication (IPC) mechanism that enables structured data sharing between apps, backed by databases, files, or other storage mechanisms. +Content Providers are an Android Inter-Process Communication (IPC) mechanism that enables structured data sharing between apps, and offers access to databases, files, or other storage mechanisms. The availability of insecure Content Providers occurs when an app exposes a Content Provider without adequate access restrictions, allowing other apps on the device to read, modify, or delete data they shouldn't have access to. @@ -29,24 +29,25 @@ The severity depends on the type of data the provider exposes. Providers that se ## Modes of Introduction -- **Exported Provider**: The app declares a Content Provider with `android:exported="true"` in the `AndroidManifest.xml` -- **Missing Authorization**: Setting the `android:permission`, `android:readPermission`, or `android:writePermission` attributes are missing, allowing any app on the device to read and write to the content provider. -- A `FileProvider` is configured with overly broad path rules (e.g., sharing the root of internal storage via ``) that expose files beyond what the app intends. -- The app grants URI permissions with `FLAG_GRANT_READ_URI_PERMISSION` or `FLAG_GRANT_WRITE_URI_PERMISSION` in intents sent to untrusted components, allowing the receiver to access provider data without holding a permanent permission. +- **Overly Broad FileProvider Paths**: A `FileProvider` is configured with overly broad `path` attributes (e.g., `path="."`) that share an entire directory rather than a narrow subdirectory, exposing files beyond what the app intends. +- **Exported Content Provider**: The app declares a Content Provider with `android:exported="true"` in the `AndroidManifest.xml` without restricting access through permissions. +- **Missing Authorization**: The `android:permission`, `android:readPermission`, or `android:writePermission` attributes are not set, allowing any app on the device to read and write to the exported Content Provider. +- **Unscoped URI Permission Grants**: The app grants URI permissions with `FLAG_GRANT_READ_URI_PERMISSION` or `FLAG_GRANT_WRITE_URI_PERMISSION` in intents sent to untrusted components, allowing the receiver to access provider data without holding a permanent permission. ## Impact - **Unauthorized Access**: Read access to sensitive data stored in the provider, such as personal information, or application secrets. - **Data tampering or deletion**: Through unintended access by a malicious app that writes to or deletes records in an unprotected provider, potentially corrupting app state or causing denial of service. -- **Local file disclosure**: Through a misconfigured `FileProvider` that exposes internal files (databases, shared preferences, or configuration files) to other apps. +- **Local file disclosure**: Through a misconfigured `FileProvider` that exposes internal files to other apps. - **Privilege escalation**: When an attacker chains provider access with other vulnerabilities to gain further control over the app or user data. ## Mitigations +- **Validate Paths for FileProviders**: Restrict file operations to app-controlled directories, canonicalize paths before writing, and reject path traversal or ambiguous path inputs. Additionally, restrict `FileProvider` path configurations to the narrowest directory needed (e.g., `path="images/"`) rather than sharing an entire directory with `path="."`. - **Secure Default**: Content providers are non-exported by default since API Level 17. Only set `android:exported="true"` in the Android Manifest, when cross-app sharing of data is explicitly required. -- **Least Privilege**: Protect exported content providers with narrow read and write permissions -- **Runtime Checks**: Enforce additional runtime authorization checks, by using []`checkCallingPermission`](https://developer.android.com/reference/android/content/Context#checkCallingPermission(java.lang.String)) -- **Validate Paths**: Restrict file operations to app-controlled directories, canonicalize paths before writing, and reject path traversal or ambiguous path inputs. Additionally, restrict `FileProvider` path configurations to the narrowest directory needed and avoid using ``. +- **Least Privilege**: Protect exported content providers with narrow read and write permissions to [restrict interactions with it](https://developer.android.com/training/permissions/restrict-interactions#content-providers). +- **Runtime Checks**: Enforce additional runtime authorization checks by using [`checkCallingPermission` or `checkPermission`](https://developer.android.com/training/permissions/restrict-interactions). +- **Scope URI Permissions**: Grant URI permissions on a [per-URI basis](https://developer.android.com/training/permissions/restrict-interactions#uri) rather than to the entire provider. Use `FLAG_GRANT_READ_URI_PERMISSION` or `FLAG_GRANT_WRITE_URI_PERMISSION` for temporary, scoped access and revoke them with `revokeUriPermission()` as soon as they are no longer needed. - **Protection Level: Signature**: To effectively restrict access, the custom permission should use the [`signature` protection level](https://developer.android.com/guide/topics/manifest/permission-element#plevel), which limits access to apps signed with the same certificate. !!! `Signature Permission` From adee92df20161669747e267615be7d1ad032f3f9 Mon Sep 17 00:00:00 2001 From: Sven Schleier Date: Wed, 3 Jun 2026 10:26:03 +0200 Subject: [PATCH 12/14] updated content after review with Claude and align with demos and tests --- weaknesses/MASVS-PLATFORM/MASWE-0064.md | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0064.md b/weaknesses/MASVS-PLATFORM/MASWE-0064.md index 540e081..a005749 100644 --- a/weaknesses/MASVS-PLATFORM/MASWE-0064.md +++ b/weaknesses/MASVS-PLATFORM/MASWE-0064.md @@ -21,9 +21,7 @@ status: new Content Providers are an Android Inter-Process Communication (IPC) mechanism that enables structured data sharing between apps, and offers access to databases, files, or other storage mechanisms. -The availability of insecure Content Providers occurs when an app exposes a Content Provider without adequate access restrictions, allowing other apps on the device to read, modify, or delete data they shouldn't have access to. - -A Content Provider that is exported without proper permission enforcement or that grants overly broad URI permissions can be queried or manipulated by any app on the device. File-based providers, such as `FileProvider`, present additional risk when misconfigured: they can expose files from the app's private directories to arbitrary callers. +A Content Provider that is exported without proper permission enforcement and protection levels or that grants overly broad URI permissions can be queried or manipulated by any app on the device. File-based providers, such as `FileProvider`, present additional risk when misconfigured: they can expose files from the app's private directories to arbitrary callers. The severity depends on the type of data the provider exposes. Providers that serve authentication tokens, personal data, or internal files pose a higher risk than those that share non-sensitive, public content. @@ -32,23 +30,23 @@ The severity depends on the type of data the provider exposes. Providers that se - **Overly Broad FileProvider Paths**: A `FileProvider` is configured with overly broad `path` attributes (e.g., `path="."`) that share an entire directory rather than a narrow subdirectory, exposing files beyond what the app intends. - **Exported Content Provider**: The app declares a Content Provider with `android:exported="true"` in the `AndroidManifest.xml` without restricting access through permissions. - **Missing Authorization**: The `android:permission`, `android:readPermission`, or `android:writePermission` attributes are not set, allowing any app on the device to read and write to the exported Content Provider. +- **Weak Protection Level**: The custom permission guarding the provider is declared with a weak [protection level](https://developer.android.com/guide/topics/manifest/permission-element#plevel) such as `normal`, allowing any app that requests it to gain access. - **Unscoped URI Permission Grants**: The app grants URI permissions with `FLAG_GRANT_READ_URI_PERMISSION` or `FLAG_GRANT_WRITE_URI_PERMISSION` in intents sent to untrusted components, allowing the receiver to access provider data without holding a permanent permission. ## Impact -- **Unauthorized Access**: Read access to sensitive data stored in the provider, such as personal information, or application secrets. -- **Data tampering or deletion**: Through unintended access by a malicious app that writes to or deletes records in an unprotected provider, potentially corrupting app state or causing denial of service. -- **Local file disclosure**: Through a misconfigured `FileProvider` that exposes internal files to other apps. -- **Privilege escalation**: When an attacker chains provider access with other vulnerabilities to gain further control over the app or user data. +- **Unauthorized Access**: Read access to sensitive data stored in the provider, such as personal information or application secrets. +- **Data Tampering or Deletion**: Unauthorized writes or deletions by a malicious app on records in an unprotected provider, potentially corrupting app state or causing denial of service. +- **Local File Disclosure**: Exposure of internal files to other apps through a misconfigured `FileProvider`. +- **Privilege Escalation**: Further control over the app or user data when an attacker chains provider access with other vulnerabilities. ## Mitigations - **Validate Paths for FileProviders**: Restrict file operations to app-controlled directories, canonicalize paths before writing, and reject path traversal or ambiguous path inputs. Additionally, restrict `FileProvider` path configurations to the narrowest directory needed (e.g., `path="images/"`) rather than sharing an entire directory with `path="."`. -- **Secure Default**: Content providers are non-exported by default since API Level 17. Only set `android:exported="true"` in the Android Manifest, when cross-app sharing of data is explicitly required. +- **Secure Default**: Rely on the platform default (content providers are non-exported by default since API Level 17). Only set `android:exported="true"` in the Android Manifest when cross-app sharing of data is explicitly required. - **Least Privilege**: Protect exported content providers with narrow read and write permissions to [restrict interactions with it](https://developer.android.com/training/permissions/restrict-interactions#content-providers). -- **Runtime Checks**: Enforce additional runtime authorization checks by using [`checkCallingPermission` or `checkPermission`](https://developer.android.com/training/permissions/restrict-interactions). - **Scope URI Permissions**: Grant URI permissions on a [per-URI basis](https://developer.android.com/training/permissions/restrict-interactions#uri) rather than to the entire provider. Use `FLAG_GRANT_READ_URI_PERMISSION` or `FLAG_GRANT_WRITE_URI_PERMISSION` for temporary, scoped access and revoke them with `revokeUriPermission()` as soon as they are no longer needed. -- **Protection Level: Signature**: To effectively restrict access, the custom permission should use the [`signature` protection level](https://developer.android.com/guide/topics/manifest/permission-element#plevel), which limits access to apps signed with the same certificate. +- **Use a Strong Protection Level**: Declare the custom permission with the [`signature` protection level](https://developer.android.com/guide/topics/manifest/permission-element#plevel) to limit access to apps signed with the same certificate, or with `dangerous` to require explicit user consent. !!! `Signature Permission` - Requiring `signature` for all exported providers might break legitimate cross-app data sharing, therefore it is necessary to understand what the intention of the content provider is. + Requiring `signature` for all exported providers might break legitimate cross-app data sharing; understand the intended purpose of the content provider before choosing a protection level. From 529d646298fa4e9ff5be6ee7236e0de1b78c9df9 Mon Sep 17 00:00:00 2001 From: Sven Date: Wed, 3 Jun 2026 10:33:14 +0200 Subject: [PATCH 13/14] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- weaknesses/MASVS-PLATFORM/MASWE-0064.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0064.md b/weaknesses/MASVS-PLATFORM/MASWE-0064.md index a005749..49e61ee 100644 --- a/weaknesses/MASVS-PLATFORM/MASWE-0064.md +++ b/weaknesses/MASVS-PLATFORM/MASWE-0064.md @@ -48,5 +48,5 @@ The severity depends on the type of data the provider exposes. Providers that se - **Scope URI Permissions**: Grant URI permissions on a [per-URI basis](https://developer.android.com/training/permissions/restrict-interactions#uri) rather than to the entire provider. Use `FLAG_GRANT_READ_URI_PERMISSION` or `FLAG_GRANT_WRITE_URI_PERMISSION` for temporary, scoped access and revoke them with `revokeUriPermission()` as soon as they are no longer needed. - **Use a Strong Protection Level**: Declare the custom permission with the [`signature` protection level](https://developer.android.com/guide/topics/manifest/permission-element#plevel) to limit access to apps signed with the same certificate, or with `dangerous` to require explicit user consent. -!!! `Signature Permission` +!!! Warning "Signature Permission" Requiring `signature` for all exported providers might break legitimate cross-app data sharing; understand the intended purpose of the content provider before choosing a protection level. From 38cc6b2a2ba110f516cdac2bfd546647cad1073a Mon Sep 17 00:00:00 2001 From: Sven Schleier Date: Wed, 3 Jun 2026 10:42:19 +0200 Subject: [PATCH 14/14] update links and cwe --- .github/instructions/maswe.instructions.md | 2 +- weaknesses/MASVS-PLATFORM/MASWE-0064.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/instructions/maswe.instructions.md b/.github/instructions/maswe.instructions.md index f7dbe08..259219a 100644 --- a/.github/instructions/maswe.instructions.md +++ b/.github/instructions/maswe.instructions.md @@ -73,7 +73,7 @@ Field rules: - **mappings.masvs-v2**: One or more MASVS v2 controls this weakness helps verify. At least one entry is required. - **cwe**: One or more CWE IDs that correspond to this weakness. This helps link to the broader software security ecosystem. - **android-risks**: One or more specific risks from the Android developer documentation (https://developer.android.com/privacy-and-security/risks) that correspond to this weakness. This is an optional field that can help link to Android-specific guidance, but it should only be used when there is a clear match -- **refs**: External references. Prefer stable, vendor-neutral sources (official platform docs, CWE, NIST, academic papers). +- **refs**: External references. Prefer stable, vendor-neutral sources (official platform docs, NIST, academic papers). - **status**: When you generate a new MASWE draft, set `status: new`. diff --git a/weaknesses/MASVS-PLATFORM/MASWE-0064.md b/weaknesses/MASVS-PLATFORM/MASWE-0064.md index 49e61ee..0565685 100644 --- a/weaknesses/MASVS-PLATFORM/MASWE-0064.md +++ b/weaknesses/MASVS-PLATFORM/MASWE-0064.md @@ -10,9 +10,9 @@ mappings: cwe: [926] android-risks: - https://developer.android.com/topic/security/risks/content-resolver + - - https://developer.android.com/topic/security/risks/file-providers refs: - https://developer.android.com/reference/androidx/core/content/FileProvider - - https://developer.android.com/topic/security/risks/file-providers - https://developer.android.com/privacy-and-security/security-tips#content-providers status: new ---