Insecure File Provider Paths Setting
Description
The application exposes a file provider using androidx.core.content.FileProvider. The provider specifies the available files in a meta-data child element named android.support.FILE_PROVIDER_PATHS.
This element is required to generate URIs for the directories specified in the android.support.FILE_PROVIDER_PATHS configuration file.
Android defines multiple path types:
<root-path name="name" path="path"/>
- The FileProvider documentation does not list <root-path...> among the available paths. Although undocumented, this path type is available and can be used to provide access to the internal storage of the app along with /data and sdcard. It grants access to protected parts of the app and of the device and thus exposes the application filesystem.
<files-path name="name" path="path"/>
- Represent files in the files/ subdirectory of your app's internal storage area. This subdirectory is the same as the value returned by Context.getFilesDir().
<cache-path name="name" path="path"/>
- Represent files in the cache subdirectory of your app's internal storage area. The root path of this subdirectory is the same as the value returned by getCacheDir().
<external-path name="name" path="path"/>
- Represent files in the root of the external storage area. The root path of this subdirectory is the same as the value returned by Environment.getExternalStorageDirectory().
<external-files-path name="name" path="path"/>
- Represent files in the root of your app's external storage area. The root path of this subdirectory is the same as the value returned by Context.getExternalFilesDir(null).
<external-cache-path name="name" path="path"/>
- Represent files in the root of your app's external cache area. The root path of this subdirectory is the same as the value returned by Context.getExternalCacheDir().
<external-media-path name="name" path="path"/>
- Represent files in the root of your app's external media area. The root path of this subdirectory is the same as the value returned by the first result of Context.getExternalMediaDirs().
In the example below, the provider has a root folder configuration that allows access to the home directory (which also includes the /data and /sdcard directories).
<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <root-path name="root" path="/"/>
</paths>
Intent Redirection to steal sensitive data or Remote Code Execution by overwriting native libraries.
Recommendation
An insecure file path provider is a vulnerability in Android apps where a file path is exposed to other apps or users, which could potentially compromise sensitive data or allow unauthorized access to system resources.
Making your app more secure helps preserve user trust and device integrity. To protect your app from this vulnerability, follow these recommendations:
- Be cautious about what files you share and only share files that are necessary and appropriate.
- Don't share sensitive files or files that contain sensitive information.
- When using external-path, avoid using permissive settings like '.' as the path.
- Avoid using root-path.
- Don't assign the root path '/.' to the path attribute in any type of path.
- Use the tag to control access to shared files.
- Prefer using external-files-path path type.
- Use specific folders for path attributes, check the following example:
<?xml version="1.0" encoding="utf-8"?>
<paths>
    <external-path
        name="downloads"
        path="Download/" />
</paths>
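One way to check a project's paths file against the recommendations above, as an added example that is not part of the original page or of any tool it describes. The function name audit_paths, the finding codes and the sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Path element names listed above for a FileProvider paths file.
PATH_TAGS = {"root-path", "files-path", "cache-path", "external-path",
             "external-files-path", "external-cache-path", "external-media-path"}


def audit_paths(xml_text):
    """Return (tag, name, code) findings for risky entries in a paths file."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag not in PATH_TAGS:
            continue
        name = elem.get("name", "")
        if elem.tag == "root-path":
            # Recommendation: avoid root-path entirely.
            findings.append((elem.tag, name, "root-path"))
        # A path with no real folder segment ("", ".", "/", "/.", "./")
        # shares the whole base directory of that path type. A missing
        # path attribute is treated the same way (assumption of this check).
        segments = [s for s in elem.get("path", "").split("/") if s not in ("", ".")]
        if not segments:
            findings.append((elem.tag, name, "broad-path"))
    return findings


# Constructed samples: the insecure configuration shown above plus a permissive
# external-path, and the specific-folder configuration from the recommendation.
INSECURE = """<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <root-path name="root" path="/"/>
    <external-path name="ext" path="."/>
</paths>"""

RECOMMENDED = """<?xml version="1.0" encoding="utf-8"?>
<paths>
    <external-path name="downloads" path="Download/" />
</paths>"""

if __name__ == "__main__":
    for label, doc in (("insecure", INSECURE), ("recommended", RECOMMENDED)):
        print(label, audit_paths(doc))
```

Run it over every XML resource referenced by an android.support.FILE_PROVIDER_PATHS entry, and treat any finding as a build failure.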
Links
Standards
- OWASP_MASVS_L1:
  - MSTG_PLATFORM_2
  - MSTG_PLATFORM_4
- OWASP_MASVS_L2:
  - MSTG_PLATFORM_2
  - MSTG_PLATFORM_4
- CWE_TOP_25:
  - CWE_22
- GDPR:
  - ART_5
  - ART_32
- PCI_STANDARDS:
  - REQ_2_2
  - REQ_6_2
  - REQ_11_3