Insecure File Provider Paths Setting

Description

The application exposes a file provider using androidx.core.content.FileProvider. The provider specifies the available files in a meta-data child element with the name android.support.FILE_PROVIDER_PATHS.

This element is required to generate URIs for the directories specified in the android.support.FILE_PROVIDER_PATHS configuration file.

Android defines multiple path types:

<root-path name="name" path="path"/>
  • The FileProvider documentation does not list <root-path...> among the available paths. Although undocumented, this path type is available and can be used to provide access to the internal storage of the app along with /data and sdcard. It grants access to protected parts of the app and of the device, and thus exposes the application filesystem.
<files-path name="name" path="path"/>
  • Represent files in the files/ subdirectory of your app's internal storage area. This subdirectory is the same as the value returned by Context.getFilesDir().
<cache-path name="name" path="path"/>
  • Represent files in the cache subdirectory of your app's internal storage area. The root path of this subdirectory is the same as the value returned by getCacheDir().
<external-path name="name" path="path"/>
  • Represent files in the root of the external storage area. The root path of this subdirectory is the same as the value returned by Environment.getExternalStorageDirectory().
<external-files-path name="name" path="path"/>
  • Represent files in the root of your app's external storage area. The root path of this subdirectory is the same as the value returned by Context.getExternalFilesDir(null).
<external-cache-path name="name" path="path"/>
  • Represent files in the root of your app's external cache area. The root path of this subdirectory is the same as the value returned by Context.getExternalCacheDir().
<external-media-path name="name" path="path"/>
  • Represent files in the root of your app's external media area. The root path of this subdirectory is the same as the value returned by the first result of Context.getExternalMediaDirs().

In the example below, the provider has the root folder configuration, which allows access to the home directory (which also includes the /data and /sdcard directories).

<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <root-path name="root" path="/"/>
</paths>

This misconfiguration can be chained with other vulnerabilities such as Intent Redirection to steal sensitive data, or to achieve Remote Code Execution by overwriting native libraries.

Recommendation

An insecure file path provider is a vulnerability in Android apps where a file path is exposed to other apps or users, which could potentially compromise sensitive data or allow unauthorized access to system resources.

Making your app more secure helps preserve user trust and device integrity. To protect your app from this vulnerability, follow these recommendations:

  • Be cautious about what files you share and only share files that are necessary and appropriate.
  • Don't share sensitive files or files that contain sensitive information.
  • When using external-path, avoid using permissive settings like '.' as the path.
  • Avoid using root-path.
  • Don't assign the root path '/.' to the path attribute in any type of path.
  • Use the tag to control access to shared files.
  • Prefer the external-files-path path type.
  • Use specific folders for path attributes, as in the following example:
<?xml version="1.0" encoding="utf-8"?>
<paths>
    <external-path
        name="downloads"
        path="Download/" />
</paths>
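
The recommendations above can be checked automatically against a paths resource file before release. The following is an added example, not code from the original page: it parses a FileProvider paths file and reports root-path entries and path values that share a whole base directory. The function name audit_provider_paths, the set of broad path values, and the external-path entry named "ext" are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Path element types listed on this page; root-path is the undocumented one.
PATH_TAGS = {
    "root-path", "files-path", "cache-path", "external-path",
    "external-files-path", "external-cache-path", "external-media-path",
}
# Path values that share the whole base directory of a path type.
BROAD_PATHS = {"", ".", "./", "/", "/."}

# Insecure file from this page plus one constructed entry ("ext").
INSECURE_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <root-path name="root" path="/"/>
    <external-path name="ext" path="."/>
</paths>"""

# Recommended file from this page.
SPECIFIC_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<paths>
    <external-path
        name="downloads"
        path="Download/" />
</paths>"""


def audit_provider_paths(xml_text):
    """Return (tag, name, path, finding) tuples for risky path entries."""
    findings = []
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    for elem in root.iter():
        if elem.tag not in PATH_TAGS:
            continue
        name, path = elem.get("name", ""), elem.get("path", "")
        if elem.tag == "root-path":
            # Flagged regardless of the path value, per "Avoid using root-path".
            findings.append((elem.tag, name, path, "root-path is in use"))
        elif path.strip() in BROAD_PATHS:
            findings.append((elem.tag, name, path, "path covers the whole base directory"))
    return findings


if __name__ == "__main__":
    for label, sample in (("insecure", INSECURE_SAMPLE), ("specific", SPECIFIC_SAMPLE)):
        for tag, name, path, finding in audit_provider_paths(sample):
            print(f"{label}: <{tag} name={name!r} path={path!r}>: {finding}")
```

Run it against each file referenced by an android.support.FILE_PROVIDER_PATHS entry; an empty result means none of the two checked patterns were found, not that the shared directories are free of sensitive files.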

Standards

  • OWASP_MASVS_L1:
    • MSTG_PLATFORM_2
    • MSTG_PLATFORM_4
  • OWASP_MASVS_L2:
    • MSTG_PLATFORM_2
    • MSTG_PLATFORM_4
  • CWE_TOP_25:
    • CWE_22
  • GDPR:
    • ART_5
    • ART_32
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2
    • REQ_11_3