Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/instructions/maswe.instructions.md
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ Field rules:
- **mappings.masvs-v2**: One or more MASVS v2 controls this weakness helps verify. At least one entry is required.
- **cwe**: One or more CWE IDs that correspond to this weakness. This helps link to the broader software security ecosystem.
- **android-risks**: One or more specific risks from the Android developer documentation (https://developer.android.com/privacy-and-security/risks) that correspond to this weakness. This is an optional field that can help link to Android-specific guidance, but it should only be used when there is a clear match
- **refs**: External references. Prefer stable, vendor-neutral sources (official platform docs, CWE, NIST, academic papers).
- **refs**: External references. Prefer stable, vendor-neutral sources (official platform docs, NIST, academic papers).
- **status**: When you generate a new MASWE draft, set
`status: new`.

Expand Down
56 changes: 39 additions & 17 deletions weaknesses/MASVS-PLATFORM/MASWE-0064.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,23 +8,45 @@ mappings:
masvs-v1: [MSTG-STORAGE-6]
masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-1]
cwe: [926]

android-risks:
- https://developer.android.com/topic/security/risks/content-resolver
Comment thread
sushi2k marked this conversation as resolved.
- - https://developer.android.com/topic/security/risks/file-providers
refs:
- https://developer.android.com/topic/security/risks/content-resolver
- https://developer.android.com/reference/androidx/core/content/FileProvider
- https://developer.android.com/topic/security/risks/file-providers
- https://developer.android.com/privacy-and-security/security-tips#ContentProviders
draft:
description: Unintentionally exported content providers, unprotected content providers,
permission tags, protection level
topics:
- file-system based
- FileProvider (Android)
- database based
- exposed
- permission tags
- protection level
status: placeholder

- https://developer.android.com/reference/androidx/core/content/FileProvider
- https://developer.android.com/privacy-and-security/security-tips#content-providers
status: new
---

## Overview

Content Providers are an Android Inter-Process Communication (IPC) mechanism that enables structured data sharing between apps, and offers access to databases, files, or other storage mechanisms.
Comment thread
sushi2k marked this conversation as resolved.

A Content Provider that is exported without proper permission enforcement and protection levels or that grants overly broad URI permissions can be queried or manipulated by any app on the device. File-based providers, such as `FileProvider`, present additional risk when misconfigured: they can expose files from the app's private directories to arbitrary callers.

The severity depends on the type of data the provider exposes. Providers that serve authentication tokens, personal data, or internal files pose a higher risk than those that share non-sensitive, public content.

## Modes of Introduction

- **Overly Broad FileProvider Paths**: A `FileProvider` is configured with overly broad `path` attributes (e.g., `path="."`) that share an entire directory rather than a narrow subdirectory, exposing files beyond what the app intends.
- **Exported Content Provider**: The app declares a Content Provider with `android:exported="true"` in the `AndroidManifest.xml` without restricting access through permissions.
- **Missing Authorization**: The `android:permission`, `android:readPermission`, or `android:writePermission` attributes are not set, allowing any app on the device to read and write to the exported Content Provider.
- **Weak Protection Level**: The custom permission guarding the provider is declared with a weak [protection level](https://developer.android.com/guide/topics/manifest/permission-element#plevel) such as `normal`, allowing any app that requests it to gain access.
- **Unscoped URI Permission Grants**: The app grants URI permissions with `FLAG_GRANT_READ_URI_PERMISSION` or `FLAG_GRANT_WRITE_URI_PERMISSION` in intents sent to untrusted components, allowing the receiver to access provider data without holding a permanent permission.

## Impact

- **Unauthorized Access**: Read access to sensitive data stored in the provider, such as personal information or application secrets.
- **Data Tampering or Deletion**: Unauthorized writes or deletions by a malicious app on records in an unprotected provider, potentially corrupting app state or causing denial of service.
- **Local File Disclosure**: Exposure of internal files to other apps through a misconfigured `FileProvider`.
- **Privilege Escalation**: Further control over the app or user data when an attacker chains provider access with other vulnerabilities.

## Mitigations

- **Validate Paths for FileProviders**: Restrict file operations to app-controlled directories, canonicalize paths before writing, and reject path traversal or ambiguous path inputs. Additionally, restrict `FileProvider` path configurations to the narrowest directory needed (e.g., `path="images/"`) rather than sharing an entire directory with `path="."`.
- **Secure Default**: Rely on the platform default (content providers are non-exported by default since API Level 17). Only set `android:exported="true"` in the Android Manifest when cross-app sharing of data is explicitly required.
- **Least Privilege**: Protect exported content providers with narrow read and write permissions to [restrict interactions with it](https://developer.android.com/training/permissions/restrict-interactions#content-providers).
- **Scope URI Permissions**: Grant URI permissions on a [per-URI basis](https://developer.android.com/training/permissions/restrict-interactions#uri) rather than to the entire provider. Use `FLAG_GRANT_READ_URI_PERMISSION` or `FLAG_GRANT_WRITE_URI_PERMISSION` for temporary, scoped access and revoke them with `revokeUriPermission()` as soon as they are no longer needed.
- **Use a Strong Protection Level**: Declare the custom permission with the [`signature` protection level](https://developer.android.com/guide/topics/manifest/permission-element#plevel) to limit access to apps signed with the same certificate, or with `dangerous` to require explicit user consent.

!!! Warning "Signature Permission"
Requiring `signature` for all exported providers might break legitimate cross-app data sharing; understand the intended purpose of the content provider before choosing a protection level.
Loading