Android App Penetration Testing & Frida Hooks

Case Study: Full Exploitation of a Real-World Android Content Provider SQL Injection Vulnerability

Introduction

Android Content Providers are a fundamental component for managing and sharing structured data between applications. While powerful, their improper implementation can expose sensitive data and lead to critical vulnerabilities, such as SQL Injection. This article delves into a real-world scenario, demonstrating a full exploitation chain of an Android Content Provider SQL Injection, from initial discovery to data exfiltration, and highlights the use of advanced tools like Frida for dynamic analysis.

Understanding Android Content Providers

Content Providers act as an interface for accessing structured data, similar to a database. They encapsulate data and provide mechanisms for defining data security. Other applications can interact with a Content Provider to query, insert, update, or delete data, provided they have the necessary permissions. Data sources for Content Providers can include databases (SQLite is common), files, or even network data.

Key Characteristics:

  • URIs: Content Providers expose data through unique URIs, typically in the format content://authority/path/id.
  • Methods: They implement standard CRUD operations: query(), insert(), update(), and delete().
  • Permissions: Access control is managed through Android permissions defined in the AndroidManifest.xml.
  • Exported Attribute: A Content Provider can be marked as exported="true" in the manifest, making it accessible to other applications. This is where many vulnerabilities begin.

Identifying Vulnerable Content Providers

The first step in exploiting a Content Provider is identifying potential targets. We look for Content Providers that are exported and handle user-controlled input in their query methods without proper sanitization.

Manifest Analysis (AndroidManifest.xml):

Using tools like apktool or directly examining the APK, we can find Content Providers declared in the manifest:

<provider
    android:name=".MyVulnerableProvider"
    android:authorities="com.example.app.provider"
    android:exported="true" />

The android:exported="true" attribute is a red flag, indicating the provider can be accessed by any application.
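Reviewing a decoded manifest by eye does not scale across a large APK, so here is an added example (not code from the original article or from any particular app) that automates the red-flag check: it parses a manifest and reports every provider that is exported and carries no android:permission, android:readPermission or android:writePermission. The manifest text is a constructed sample; a real one comes from apktool's decoded output, since the binary AXML inside an APK must be decoded first. The legacyExportedDefault parameter is an assumption made for the example: it models the platform rule that a provider with no android:exported attribute defaults to exported when the app targets API 16 or lower.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class ExportedProviderCheck {
    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";

    // Constructed sample manifest (not from a real app): one unprotected exported
    // provider, one exported provider guarded by a permission, one not exported,
    // and one with no android:exported attribute at all.
    static final String SAMPLE_MANIFEST =
        "<manifest xmlns:android=\"" + ANDROID_NS + "\" package=\"com.example.app\">"
      + "<application>"
      + "<provider android:name=\".MyVulnerableProvider\""
      + "  android:authorities=\"com.example.app.provider\" android:exported=\"true\"/>"
      + "<provider android:name=\".GuardedProvider\""
      + "  android:authorities=\"com.example.app.guarded\" android:exported=\"true\""
      + "  android:permission=\"com.example.app.READ_GUARDED\"/>"
      + "<provider android:name=\".InternalProvider\""
      + "  android:authorities=\"com.example.app.internal\" android:exported=\"false\"/>"
      + "<provider android:name=\".LegacyProvider\""
      + "  android:authorities=\"com.example.app.legacy\"/>"
      + "</application></manifest>";

    /**
     * Returns the authorities of providers that any app on the device can reach
     * without holding a permission. legacyExportedDefault should be true when the
     * app's targetSdkVersion is 16 or lower (missing android:exported means exported).
     */
    public static List<String> findUnprotectedExportedProviders(String manifestXml,
                                                                boolean legacyExportedDefault)
            throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The manifest comes out of an untrusted APK: refuse DOCTYPE / external entities
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(manifestXml.getBytes(StandardCharsets.UTF_8)));

        NodeList providers = doc.getElementsByTagName("provider");
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < providers.getLength(); i++) {
            Element p = (Element) providers.item(i);
            boolean exported;
            if (p.hasAttributeNS(ANDROID_NS, "exported")) {
                exported = "true".equals(p.getAttributeNS(ANDROID_NS, "exported"));
            } else {
                exported = legacyExportedDefault;
            }
            boolean hasPermission = p.hasAttributeNS(ANDROID_NS, "permission")
                || p.hasAttributeNS(ANDROID_NS, "readPermission")
                || p.hasAttributeNS(ANDROID_NS, "writePermission");
            if (exported && !hasPermission) {
                findings.add(p.getAttributeNS(ANDROID_NS, "authorities"));
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // With the legacy default on, both MyVulnerableProvider and LegacyProvider are reported
        for (String authority : findUnprotectedExportedProviders(SAMPLE_MANIFEST, true)) {
            System.out.println("exported without permission: content://" + authority);
        }
    }
}
```

A provider that shows up here is reachable by every app on the device, which is exactly the precondition for the injection discussed in the rest of this article. The check is deliberately conservative: a provider protected only by android:grantUriPermissions or by path-level permission elements is still reported, and should be reviewed by hand.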

Using Drozer for Enumeration:

Drozer is an excellent tool for interacting with Android components. To list all exported Content Providers:

dz> run app.provider.info -a com.example.vulnerableapp

Or to find potential injection points:

dz> run scanner.provider.finduris -a com.example.vulnerableapp
dz> run scanner.provider.injection -a com.example.vulnerableapp

The Vulnerability: SQL Injection in query()

A common Content Provider SQL Injection arises when the query() method’s selection argument is directly concatenated into a raw SQL query without parameterization. For example, consider a provider that retrieves user notes:

@Override
public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
    SQLiteDatabase db = mOpenHelper.getReadableDatabase();
    // ... URI matching logic ...
    String finalQuery = "SELECT * FROM notes WHERE " + selection;
    // BAD: Directly concatenating selection into the query
    return db.rawQuery(finalQuery, selectionArgs);
}

Because selection is concatenated into the SQL string rather than bound as a parameter, a caller controls the entire WHERE clause. selectionArgs only fills ? placeholders, so if it is null or the provider ignores it, nothing neutralizes the user-controlled selection and an attacker can inject arbitrary SQL.
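For comparison, here is the hardened form of the same query() method, written as an added example for this article rather than taken from any real project. It keeps the provider's contract (callers may still pass a selection) but removes the injection: the table comes from the URI match, a path id is parsed as a number with ContentUris.parseId(), values are bound through selectionArgs, and SQLiteQueryBuilder in strict mode with a projection map rejects subqueries and column names outside the whitelist. The authority, the notes table and its columns, the UriMatcher constants and mOpenHelper are assumptions for the example.

```java
import android.content.ContentProvider;
import android.content.ContentUris;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

public class NotesProvider extends ContentProvider {
    // Assumed for the example: authority from the manifest snippet above, a "notes" table
    private static final String AUTHORITY = "com.example.app.provider";
    private static final int NOTES = 1;
    private static final int NOTE_ID = 2;
    private static final UriMatcher sUriMatcher = new UriMatcher(UriMatcher.NO_MATCH);
    static {
        sUriMatcher.addURI(AUTHORITY, "notes", NOTES);
        sUriMatcher.addURI(AUTHORITY, "notes/#", NOTE_ID);   // '#' matches only a numeric id
    }
    // Projection map: the only column names a caller may reference in
    // projection, selection or sortOrder once strict mode is on
    private static final Map<String, String> NOTE_COLUMNS = new HashMap<>();
    static {
        NOTE_COLUMNS.put("_id", "_id");
        NOTE_COLUMNS.put("title", "title");
        NOTE_COLUMNS.put("body", "body");
    }
    private SQLiteOpenHelper mOpenHelper;   // assumed: opened in onCreate() as in the article

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");            // chosen by the provider, never by the caller
        qb.setProjectionMap(NOTE_COLUMNS);
        qb.setStrict(true);               // verify the caller's selection against the map

        switch (sUriMatcher.match(uri)) {
            case NOTES:
                break;
            case NOTE_ID:
                // parseId() returns a long or throws, so only a number ever reaches the SQL
                qb.appendWhere("_id = " + ContentUris.parseId(uri));
                break;
            default:
                throw new IllegalArgumentException("Unknown URI " + uri);
        }

        SQLiteDatabase db = mOpenHelper.getReadableDatabase();
        // Values arrive in selectionArgs and are bound to '?' placeholders by SQLite;
        // the selection itself is parsed as a WHERE clause over mapped columns only.
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // Remaining ContentProvider methods are out of scope here; a real provider must
    // apply the same whitelist-and-bind rules in insert(), update() and delete().
    @Override public boolean onCreate() { return true; }   // assumed: real code creates mOpenHelper
    @Override public String getType(Uri uri) { return null; }
    @Override public Uri insert(Uri uri, ContentValues values) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) { throw new UnsupportedOperationException(); }
}
```

Two caveats a reviewer should keep in mind. First, strict mode stops the selection from escaping into other tables or subqueries, but a caller can still pass a tautology such as "1=1" and read every note, because filtering rows is what query() is for; if the data is sensitive, the provider additionally needs android:exported="false" or a permission in the manifest. Second, the projection map and setTables() must be set before setStrict(true) does anything useful, so treat a strict builder without a projection map as a finding.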

Case Study: Exploiting com.example.securenotes.NotesProvider

Let’s simulate a real-world scenario with a hypothetical