sql injection vulnerability with content provider
andrewger157 opened this issue · 2 comments
I made my TV app searchable but Google told me that the app has an SQL Injection vulnerability and directed me to this guide to fix it (https://support.google.com/faqs/answer/7668308).
I have tried to select "exported = false" but my app no longer appears in the TV search with this solution. Same result using "android:protectionLevel="signature"".
I have tried this solution:
In the Manifest I have set:

```xml
<provider
    android:name=".xx.xxx.contentProvider.Provider"
    android:authorities="${packageName}"
    android:exported="true">
    <path-permission
        android:pathPrefix="/search"
        android:readPermission="android.permission.GLOBAL_SEARCH" />
</provider>
```

And in the Provider I have set:

```java
static {
    sVideosContainingQueryBuilder = new SQLiteQueryBuilder();
    sVideosContainingQueryBuilder.setStrict(true);
    sVideosContainingQueryBuilder.setProjectionMap(sColumnMap);
}
```
With this solution I have tested the app with drozer, but if the app is built in debug mode, drozer shows me:

```
Injection in Projection:
No vulnerabilities found.
Injection in Selection:
No vulnerabilities found.
```

but when the app is built in release I have:

```
Injection in Projection:
content://android.media.tv/program/
content://android.media.tv/preview_program/
content://android.media.tv/program
content://android.media.tv/preview_program
content://android.media.tv/recorded_program
content://android.media.tv/recorded_program/
content://android.media.tv/channel
content://android.media.tv/watch_next_program
content://android.media.tv/channel/
content://android.media.tv/watch_next_program/
Injection in Selection:
No vulnerabilities found.
```
Do you have any suggestions?
Thanks
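A read-only search provider in the shape the post describes (strict mode, projection map, search term passed as a bound argument), written here as an added example rather than code from the issue or the sample; the authority, table and column names and the `VideoDbHelper` class are assumptions.

```java
import android.app.SearchManager;
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.provider.BaseColumns;
import java.util.HashMap;
import java.util.Map;
/** Read-only search provider: the projection map rejects any column name a caller invents,
 *  strict mode validates the WHERE clause, and the search term is bound as data, never SQL text. */
public class VideoProvider extends ContentProvider {
    private static final String AUTHORITY = "com.example.tvapp";  // assumed authority
    private static final String TABLE = "videos";                 // assumed table
    private static final int SEARCH_SUGGEST = 1;
    private static final UriMatcher sUriMatcher = new UriMatcher(UriMatcher.NO_MATCH);
    private static final Map<String, String> sColumnMap = new HashMap<>();
    private static final SQLiteQueryBuilder sVideosContainingQueryBuilder = new SQLiteQueryBuilder();
    private SQLiteOpenHelper mDbHelper;  // assumed helper, created in onCreate()
    static {
        // content://<authority>/search/search_suggest_query/<term>, the URI the TV search framework sends
        sUriMatcher.addURI(AUTHORITY, "search/" + SearchManager.SUGGEST_URI_PATH_QUERY + "/*", SEARCH_SUGGEST);
        // Only these names may appear in a caller's projection; any other column throws IllegalArgumentException.
        sColumnMap.put(BaseColumns._ID, "_id");
        sColumnMap.put("title", "title");  // identity entry so the fixed WHERE clause below can reference it
        sColumnMap.put(SearchManager.SUGGEST_COLUMN_TEXT_1, "title AS " + SearchManager.SUGGEST_COLUMN_TEXT_1);
        sColumnMap.put(SearchManager.SUGGEST_COLUMN_INTENT_DATA_ID, "_id AS " + SearchManager.SUGGEST_COLUMN_INTENT_DATA_ID);
        sVideosContainingQueryBuilder.setTables(TABLE);
        sVideosContainingQueryBuilder.setProjectionMap(sColumnMap);
        sVideosContainingQueryBuilder.setStrict(true);  // compiles the selection twice to catch parenthesis escapes
    }
    @Override public boolean onCreate() { mDbHelper = new VideoDbHelper(getContext()); return true; }  // assumed class
    @Override public String getType(Uri uri) { return SearchManager.SUGGEST_MIME_TYPE; }
    @Override
    public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
        if (sUriMatcher.match(uri) != SEARCH_SUGGEST) throw new IllegalArgumentException("Unknown URI " + uri);
        // Caller-supplied selection and sortOrder are discarded; the term travels only as a bound argument.
        String[] args = {"%" + uri.getLastPathSegment() + "%"};
        return sVideosContainingQueryBuilder.query(mDbHelper.getReadableDatabase(), projection,
                "title LIKE ?", args, null, null, "title ASC", "20");
    }
    // The search path is read-only; every write is refused.
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String s, String[] a) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { throw new UnsupportedOperationException(); }
}
```

A caller that names a column outside `sColumnMap` in its projection gets an `IllegalArgumentException` from `SQLiteQueryBuilder` instead of a result, which is the check a projection-injection scan exercises.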
I have also tried to scan my app with drozer using the command "run scanner.provider.finduris -a com.org.testapp"
This is the result:
```
dz> run scanner.provider.finduris -a xx.xxx.myapp
Scanning xx.xxx.myapp...
Unable to Query content://com.facebook.orca.provider.MessengerPlatformProvider/versions
Unable to Query content://xx.xxx.myapp.firebaseinitprovider/
Unable to Query content:// Uri/
Unable to Query content://xx.xxx.playxxx
Unable to Query content:// Uri
Unable to Query content://com.google.android.gms.chimera
Unable to Query content:// or file:// uri
Able to Query content://android.media.tv/channel
Unable to Query content://com.facebook.app.FacebookContentProvider/
Able to Query content://android.media.tv/channel/
Unable to Query content://xx.xxx.myapp.FacebookInitProvider
Able to Query content://android.media.tv/preview_program/
Able to Query content://android.media.tv/program
Unable to Query content:// or file:// uri/
Unable to Query content://com.google.android.gms.chimera/
Able to Query content://android.media.tv/recorded_program/
Unable to Query content://com.facebook.katana.provider.AttributionIdProvider/
Unable to Query content://xx.xxx.myapp.firebaseinitprovider
Unable to Query content://xx.xxx.myapp.MarketingInitProvider
Able to Query content://android.media.tv/watch_next_program/
Unable to Query content://xx.xxx.playxxx/
Unable to Query content://xx.xxx.myapp.crashlyticsinitprovider/
Able to Query content://android.media.tv/program/
Unable to Query content://com.facebook.app.FacebookContentProvider
Able to Query content://android.media.tv/preview_program
Able to Query content://android.media.tv/recorded_program
Unable to Query content://com.facebook.wakizashi.provider.AttributionIdProvider/
Unable to Query content://xx.xxx.myapp.FacebookInitProvider/
Unable to Query content://com.facebook.katana.provider.AttributionIdProvider
Unable to Query content://com.facebook.wakizashi.provider.AttributionIdProvider
Unable to Query content://com.facebook.orca.provider.MessengerPlatformProvider/versions/
Unable to Query content://xx.xxx.myapp.MarketingInitProvider/
Able to Query content://android.media.tv/watch_next_program
Unable to Query content://xx.xxx.myapp.crashlyticsinitprovider
Accessible content URIs:
content://android.media.tv/program/
content://android.media.tv/preview_program/
content://android.media.tv/program
content://android.media.tv/preview_program
content://android.media.tv/recorded_program
content://android.media.tv/recorded_program/
content://android.media.tv/channel
content://android.media.tv/watch_next_program
content://android.media.tv/channel/
content://android.media.tv/watch_next_program/
```
Hey @andrewger157, this was accidentally introduced into the sample. @dmalykhanov-github submitted a fix for this.
6c22e5a