Insecure File Provider Paths Setting
Description
The application exposes a file provider using androidx.core.content.FileProvider. The provider specifies available files in the metadata child attribute with the name android.support.FILE_PROVIDER_PATHS.
The attribute is required to generate URIs for the directories specified in the android.support.FILE_PROVIDER_PATHS configuration file.
Android defines multiple path types:
<root-path name="name" path="path"/>
- Checking the documentation of the FileProvider, you will not find <root-path...> among the available paths. Although not documented, this path is available and can be used to provide access to the internal storage of the app along with /data and sdcard. This path grants access to protected parts of the app and of the device and thus exposes the application filesystem.
<files-path name="name" path="path"/>
- Represent files in the files/ subdirectory of your app's internal storage area. This subdirectory is the same as the value returned by Context.getFilesDir().
<cache-path name="name" path="path"/>
- Represent files in the cache subdirectory of your app's internal storage area. The root path of this subdirectory is the same as the value returned by getCacheDir().
<external-path name="name" path="path"/>
- Represent files in the root of the external storage area. The root path of this subdirectory is the same as the value returned by Environment.getExternalStorageDirectory().
<external-files-path name="name" path="path"/>
- Represent files in the root of your app's external storage area. The root path of this subdirectory is the same as the value returned by Context.getExternalFilesDir(null).
<external-cache-path name="name" path="path"/>
- Represent files in the root of your app's external cache area. The root path of this subdirectory is the same as the value returned by Context.getExternalCacheDir().
<external-media-path name="name" path="path"/>
- Represent files in the root of your app's external media area. The root path of this subdirectory is the same as the value returned by the first result of Context.getExternalMediaDirs().
In the example below, the provider has a root folder configuration that allows us to access the home directory (which also includes the /data and /sdcard directories).
<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
<root-path name="root" path="/"/>
</paths>
Intent Redirection to steal sensitive data or Remote Code Execution by overwriting native libraries.
Recommendation
An insecure file path provider is a vulnerability in Android apps where a file path is exposed to other apps or users, which could potentially compromise sensitive data or allow unauthorized access to system resources.
To safeguard your Android app against vulnerabilities stemming from insecure file path providers, consider these recommendations:
- Avoid permissive settings like '.' in external-path declarations.
- Avoid using root-path.
- Avoid assigning / as the root path.
- Use the <grant-uri-permission> tag to control access to shared files.
- Prefer using the external-files-path path type.
- Use specific folders for path attributes:
For instance, here is an example file provider with the external-files-path tag and a specific Download/ path attribute.
<?xml version="1.0" encoding="utf-8"?>
<paths>
<external-files-path
name="downloads"
path="Download/" />
</paths>
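The recommendations above can be checked automatically at build or review time. The following is an added example, not code from the original page or from any scanner: a small Python audit of a FILE_PROVIDER_PATHS source file that flags root-path, broad path values and external-path. The function name, severity labels and the generalization of the '.' check to every path type are assumptions of this example, and it expects the plain-text res/xml source file rather than the compiled binary XML inside an APK.

```python
import xml.etree.ElementTree as ET

# Path element types accepted in a FILE_PROVIDER_PATHS resource, as listed on this page.
PATH_TAGS = {"root-path", "files-path", "cache-path", "external-path",
             "external-files-path", "external-cache-path", "external-media-path"}
# Values of the path attribute that share a whole base directory instead of one folder.
BROAD_PATHS = {"", ".", "./", "/"}

def audit_provider_paths(xml_text):
    """Return (severity, tag, name, reason) tuples for risky entries (hypothetical helper)."""
    findings = []
    # Encode first so an XML declaration carrying an encoding is accepted by the parser.
    root = ET.fromstring(xml_text.encode("utf-8"))
    for el in root.iter():
        if el.tag not in PATH_TAGS:
            continue
        name = el.get("name", "")
        path = (el.get("path") or "").strip()
        if el.tag == "root-path":
            findings.append(("high", el.tag, name,
                             "root-path exposes the filesystem, including /data and /sdcard"))
        elif path in BROAD_PATHS:
            findings.append(("medium", el.tag, name,
                             f"path={path!r} shares the whole base directory"))
        elif el.tag == "external-path":
            findings.append(("low", el.tag, name,
                             "external-path is shared storage; prefer external-files-path"))
    return findings

# Constructed samples: the insecure and the recommended configuration from this page,
# plus one constructed entry that uses '.' in an external-path declaration.
INSECURE = """<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <root-path name="root" path="/"/>
    <external-path name="ext" path="."/>
</paths>"""
HARDENED = """<?xml version="1.0" encoding="utf-8"?>
<paths>
    <external-files-path name="downloads" path="Download/" />
</paths>"""

if __name__ == "__main__":
    for label, doc in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(label, audit_provider_paths(doc) or "no findings")
```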
Links
Standards
- OWASP_MASVS_L1:
  - MSTG_PLATFORM_4
- OWASP_MASVS_L2:
  - MSTG_PLATFORM_4
- CWE_TOP_25:
  - CWE_22
- GDPR:
  - ART_5
  - ART_32
- PCI_STANDARDS:
  - REQ_2_2
  - REQ_6_2
  - REQ_11_3
- OWASP_MASVS_v2_1:
  - MASVS_PLATFORM_1
- SOC2_CONTROLS:
  - CC_2_1
  - CC_4_1
  - CC_7_1
  - CC_7_2
  - CC_7_4
  - CC_7_5