Flickr latest Android app(Version: 2.1.5) ContentProvider security issue

  • 2014-07-21

It's not a severe security issue, and I decided to tell all Android developers about this issue to help them avoid making the same bug in the future.

What happens if the "android:exported" attribute of a ContentProvider is not set (with "android:targetSdkVersion" >= 17)? It malfunctions on some devices.

[Android]

Inside the AndroidManifest.xml, I found that the following two content providers are both at the "signature" protection level.
1. Content Provider => com.yahoo.mobile.client.android.flickr.provider.FlickrProvider
2. Content Provider => com.yahoo.mobile.client.android.flickr.ui.upload.MultipleUploadProvider
 
<<<But the problem is that neither of them sets the "android:exported" attribute.>>>
 
1. For an Android app that sets "android:targetSdkVersion" < 17, the exported value of a ContentProvider is "true" by default.
2. For an Android app that sets "android:targetSdkVersion" >= 17, the exported value of a ContentProvider is "false" by default.
I decompiled "Flickr.apk" and saw that the "android:targetSdkVersion" of Flickr is "17", so it matches the second condition (ContentProvider exported is "false" by default in Android >= 4.2).
 
This means that even though Flickr's Content Providers are protected by a "signature" permission, if you do not explicitly set the "android:exported" attribute to "true", then on devices with API >= 17 no other apps, including apps signed by Yahoo and Flickr, can access these "signature" protectionLevel providers. They work normally on API < 17 devices, so you may not discover the issue.
 
Please make sure to set exported to "true" if you intend other Yahoo or Flickr apps, or your own apps signed with the same keystore, to access these Content Providers.
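
A manifest check for the rule described above, as an added example (not code from the original post or from Flickr). It assumes a decoded, text-form AndroidManifest.xml; the package, permission and provider names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed manifest modelled on the demo app in this post (package and
# permission names are made up); the second provider shows the explicit fix.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dad">
  <uses-sdk android:minSdkVersion="10" android:targetSdkVersion="17"/>
  <permission android:name="com.example.dad.READ" android:protectionLevel="signature"/>
  <application>
    <provider android:name=".ExtendedContentProvider"
        android:authorities="com.example.dad.items"
        android:permission="com.example.dad.READ"/>
    <provider android:name=".SharedProvider"
        android:authorities="com.example.dad.shared"
        android:permission="com.example.dad.READ"
        android:exported="true"/>
  </application>
</manifest>"""


def target_sdk(root):
    """targetSdkVersion falls back to minSdkVersion, which falls back to 1."""
    sdk = root.find("uses-sdk")
    if sdk is None:
        return 1
    return int(sdk.get(A + "targetSdkVersion") or sdk.get(A + "minSdkVersion") or 1)


def audit_providers(manifest_xml):
    """Report every <provider> that relies on the implicit android:exported default."""
    root = ET.fromstring(manifest_xml)
    target = target_sdk(root)
    findings = []
    for prov in root.iter("provider"):
        if prov.get(A + "exported") is not None:
            continue  # explicit value: same behaviour on every device
        on_new = target < 17  # implicit default on API >= 17 devices
        findings.append({
            "provider": prov.get(A + "name"),
            "permission": prov.get(A + "permission"),
            "exported_api_lt_17": True,  # older devices default to exported
            "exported_api_ge_17": on_new,
            "differs_by_device": not on_new,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_providers(SAMPLE_MANIFEST):
        print(finding)
```

A finding with `differs_by_device` set and a `permission` present is the situation in this post: sharing was intended, but the provider is only reachable on API < 17 devices.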
 
Because I do not have "Yahoo!" keystore, I cannot sign with the same signature as Yahoo!.
I cannot demo a Flickr PoC, so I wrote a demo app instead.
I've made an app and set the following two AndroidManifest.xml configs as Flickr did to make sure you understand how severe the issue is: 
  • android:minSdkVersion="10"
  • android:targetSdkVersion="17"
The content provider "ExtendedContentProvider" of my demo app does not set the "android:exported" attribute, and it is protected by a permission with android:protectionLevel="signature".
All of the configurations now are the same as Flickr's provider (FlickrProvider).
 
 
[Proof-of-Concept]
 
Download the two demo apks:
Create any Android emulator with API level < 17. I take "Android emulator 4.1" as an example.
  1. Install the "AndroidContentProviderDad.apk" app in the attachment. (You can use the "adb install xxx.apk" command.)
  2. Open the AndroidContentProviderDad app and click the "Random insert" button 3 times to add 3 items.
  3. Click the "List All" button to confirm the added items. You can also see the Toast message showing a total of 3 items.
  4. Install the "AndroidContentProviderSon.apk" app in the attachment and then open the app. This app calls the ContentProvider of "AndroidContentProviderDad".
  5. Click the "Call Dad's ContentProvider" button.
  6. Check the item result under the "Call Dad's ContentProvider" button.
 
※Repeat steps 1-6 in an Android emulator with API level >= 17. I took "Android emulator 4.2" as an example. When you reach step 6, it CRASHES because of the "java.lang.SecurityException: Permission Denial ..." issue.
 
Do you understand what's happening now?
 - The same app in Android emulator 4.1 => it works normally
 - The same app in Android emulator 4.2 => it crashes because of the Android security issues
 
 
So the Flickr Android app also has this issue! Other Yahoo! signed apps calling Flickr's "FlickrProvider" will absolutely crash on Android >= 4.2 devices, but Yahoo! thinks it should work as usual all the time.
 
Source code of the POC demo apks: