Insecure File Provider Paths Setting

Insecure File Provider Paths Setting

Risk: high

Description

The application exposes a file provider using androidx.core.content.FileProvider. The provider specifies available files in the metadata child attribute with the name android.support.FILE_PROVIDER_PATHS.

The attribute is required to generate URI for directories specified android.support.FILE_PROVIDER_PATHS configuration file.

Android defines multiple paths types:

<files-path name="name" path="path" />

• Represent files in the files/ subdirectory of your app's internal storage area. This subdirectory is the same as the value returned by Context.getFilesDir().

<cache-path name="name" path="path" />

• Represent files in the cache subdirectory of your app's internal storage area. The root path of this subdirectory is the same as the value returned by getCacheDir().

<external-path name="name" path="path" />

• Represent files in the root of the external storage area. The root path of this subdirectory is the same as the value returned by Environment.getExternalStorageDirectory().

<external-files-path name="name" path="path" />

• Represent files in the root of your app's external storage area. The root path of this subdirectory is the same as the value returned by Context.getExternalFilesDir(null).

<external-cache-path name="name" path="path" />

• files in the root of your app's external cache area. The root path of this subdirectory is the same as the value returned by Context.getExternalCacheDir().

<external-media-path name="name" path="path" />

• Represent files in the root of your app's external media area. The root path of this subdirectory is the same as the value returned by the first result of Context.getExternalMediaDirs().

The application specifies a permissive android.support.FILE_PROVIDER_PATHS.

Recommendation

Avoid permissive settings when using external-path, like '.'.

Prefer external-files-path or use specific folders:

<?xml version="1.0" encoding="utf-8"?>
<paths>
    <external-path
        name="downloads"
        path="Download/" />
</paths>

Links

• Exploiting Path Traversal in PSPDFKit
• Security Tips (Android developer)
• FileProvider (Android developer)

Standards

• OWASP_MASVS_L1:
  • MSTG_PLATFORM_2
  • MSTG_PLATFORM_4
• OWASP_MASVS_L2:
  • MSTG_PLATFORM_2
  • MSTG_PLATFORM_4