Dear all, During summer 2012, ITekia Labs members discovered a security vulnerability into Android Content Providers, probably already known by others. The vulnerability allows SQL code injection into Content Providers in spite of Google recommendation concerning ContentProvider security (cf. http://developer.android.com/training/articles/security-tips.html). We already alerted Google Android Security team in october 2012 without any response. Since, we did not identify any security patch to tackle the vulnerability. Thus, we decided to implement a proof of concept showing how to resolve the issues related to this vulnerability.
We identified two main strategies in order to implement secure Content Providers : - Bring some features like strong prepared statement to developers and let them implement their Content Providers with those secure features ; - Implement a full class called SQLiteContentProvider that will manage all database manipulations. Database creation will be the only developer action. Experience shows that developer often prefers the easiest and unsecured way. Therefore, 2nd solution seems to be more appropriated to guarantee a decent security level. However, the 2nd solution needs deep change into Android code Source. More information are included inside the pdf : Content Provider Security Patch <http://www.itekia.com/pdf/F2014-234-ITekia-ContentProviderSecurityPatch-v1.3.pdf> This document describes the implementation of the 1st version of SQLiteContentProvider that is a proof of concept for secure Content Provider. It introduces a list of improvements that should be developed in order to implement a SQLiteContentProvider improved release. Before submitting any request in gerrit, we would appreciate to exchange about the work done and suggested ideas. Best regards, -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/d/optout.
