Android security appears to be fairly poor. If Google were wise, they would start offering more financial rewards for hackers like yourself that have identified major holes. Perhaps Google will learn this lesson better when someone releases a flurry of 0day during a Month of Android Bugs style public shaming... ;)
--
Regards,
Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen

On Jul 29, 2014 8:57 AM, <[email protected]> wrote:
> Dear all,
>
> During summer 2012, ITekia Labs members discovered a security vulnerability in Android Content Providers, probably already known by others. The vulnerability allows SQL code injection into Content Providers in spite of Google's recommendation concerning ContentProvider security (cf. http://developer.android.com/training/articles/security-tips.html). We already alerted the Google Android Security team in October 2012 without any response. Since then, we have not identified any security patch to tackle the vulnerability. Thus, we decided to implement a proof of concept showing how to resolve the issues related to this vulnerability.
>
> We identified two main strategies in order to implement secure Content Providers:
>
> - Bring some features like strong prepared statements to developers and let them implement their Content Providers with those secure features;
> - Implement a full class called SQLiteContentProvider that will manage all database manipulations. Database creation will be the only developer action.
>
> Experience shows that developers often prefer the easiest and unsecured way. Therefore, the 2nd solution seems to be more appropriate to guarantee a decent security level. However, the 2nd solution needs deep changes to the Android source code.
>
> More information is included inside the PDF: Content Provider Security Patch <http://www.itekia.com/pdf/F2014-234-ITekia-ContentProviderSecurityPatch-v1.3.pdf>
>
> This document describes the implementation of the 1st version of SQLiteContentProvider, which is a proof of concept for a secure Content Provider. It introduces a list of improvements that should be developed in order to implement an improved SQLiteContentProvider release.
>
> Before submitting any request in gerrit, we would appreciate an exchange about the work done and the suggested ideas.
>
> Best regards,
>
> --
> You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/android-security-discuss.
> For more options, visit https://groups.google.com/d/optout.
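The first strategy in the quoted message (giving developers strong prepared statements) can be illustrated with a small model. The following is an added example, not part of the thread and not ITekia's SQLiteContentProvider: it uses Python's `sqlite3` to imitate a provider's query path, and the schema, `query_naive`, `query_strict` and the allowlists are hypothetical names constructed for the illustration.

```python
import sqlite3

ALLOWED_COLUMNS = {"_id", "owner", "body"}           # hypothetical provider contract
ALLOWED_OPS = {"=", "<", ">", "<=", ">=", "LIKE"}

def make_db():
    # Constructed sample data: "notes" is exposed by the provider, "secrets" is not.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notes(_id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
        CREATE TABLE secrets(token TEXT);
        INSERT INTO notes(owner, body) VALUES ('alice', 'a1'), ('bob', 'b1');
        INSERT INTO secrets VALUES ('constructed-token');
    """)
    return db

def query_naive(db, projection, selection, selection_args):
    # Caller-supplied projection and selection are pasted into the SQL text.
    # Binding selection_args does not help: the fragments themselves are SQL.
    sql = "SELECT %s FROM notes WHERE %s" % (", ".join(projection), selection)
    return db.execute(sql, selection_args).fetchall()

def query_strict(db, projection, conditions):
    # The caller never supplies SQL text. Columns and operators must match an
    # allowlist; only values travel to SQLite, and only as bound parameters.
    for col in projection:
        if col not in ALLOWED_COLUMNS:
            raise ValueError("column not exposed: %r" % (col,))
    clauses, args = [], []
    for col, op, value in conditions:
        if col not in ALLOWED_COLUMNS or op not in ALLOWED_OPS:
            raise ValueError("condition not allowed: %r %r" % (col, op))
        clauses.append('"%s" %s ?' % (col, op))
        args.append(value)
    where = " AND ".join(clauses) or "1"
    cols = ", ".join('"%s"' % c for c in projection)
    return db.execute("SELECT %s FROM notes WHERE %s" % (cols, where), args).fetchall()

if __name__ == "__main__":
    db = make_db()
    # A sub-select in the projection reads a table the provider never exposed.
    print(query_naive(db, ["(SELECT token FROM secrets)"], "owner = ?", ["alice"]))
    print(query_strict(db, ["body"], [("owner", "=", "alice")]))
```

The same request shape that leaks `secrets` through `query_naive` is rejected by `query_strict` before any SQL is built.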
