edwindwalker / edwinwalker

Personal site
0 stars 0 forks source link

NowSecure dynamic analysis: Improper Permissions Granting Read Access to Other Apps #13

Closed edwindwalker closed 9 months ago

edwindwalker commented 3 years ago

Finding Description

During runtime, the files listed in the Findings Evidence table were identified as world-readable. This state enables another process to open and read the file. It is possible that the world-readable permissions on the file were changed later in the runtime process, but even if this is the case, the file was world-readable to other processes during runtime. This method of world-readable permission handling can also cause the app to fail unexpectedly, including in situations where the app goes through a backup and restore cycle.

Steps to Reproduce

For applications that generate data in emulated storage, also known as the "sdcard", data can be exported from any device with Android debug bridge access (adb) or Android Studio's Device File Explorer: https://developer.android.com/studio/debug/device-file-explorer. Verify if the data's file permissions are changed during runtime in its private application file (also known as /data/data) by inspecting source code. The NowSecure automated test for this vulnerability monitors the application at runtime for calls to files stored on the device. It will flag any files that are world-readable or made world-readable by the way they are opened by the app.

Business Impact

Apps that create world readable files may have their data exposed. This can lead to user data confidentiality breaches as well as app business processes being exposed.

Remediation Resources

Recommended Fix

Applications that create world-readable files in an attempt to perform file sharing functionalities should perform this type of feature using platform APIs provided by the Android OS. It is best practice to leverage content providers or the FileProvider class for this purpose. Details and code snippets can be found at https://developer.android.com/guide/topics/providers/content-provider-creating. In addition, use of readable file locations, such as Android public storage, should be avoided as it allows other apps to potentially view files created by the app and overwrite their data. Another potential functionality that can create world-readable files are those that modify the file permissions of the Android sandbox storage. This method always leads to excessive privileges and should never be used.

Code Samples

Good Code Example (.xml)

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.myapp">
<application
...>
<provider
android:name="androidx.core.content.FileProvider"
android:authorities="com.example.myapp.fileprovider"
android:grantUriPermissions="true"
android:exported="false">
<meta-data
android:name="android.support.FILE_PROVIDER_PATHS"
android:resource="@xml/filepaths" />
</provider>
...
</application>
</manifest>

Additional Guidance

Risk and Regulatory Information

Severity: medium CVSS: 4.7

Application

See more detail in the NowSecure Report