04 September 2018

Android SQL Injection Vulnerability with exported=false

So here's the problem: when I add the widget to the homescreen, a SecurityException is immediately thrown inside the onDataSetChanged() method when I try to query the provider. This appears to be because the homescreen does not hold the permission to read my content provider.

The Google Play Developer Console refuses app submissions because of an SQL injection vulnerability tied to the exported setting in AndroidManifest.xml, so we need to leave that option set to false.

While the context is actually correct, it is bound to the wrong process.

So we need to enclose our query between clearing and restoring the calling identity token in WidgetService.java:

// Revert back to our process' identity so we can work with our
// content provider (requires: import android.os.Binder;)
final long identityToken = Binder.clearCallingIdentity();
try {
    mCursor = cr.query(EntryColumns.ALL_ENTRIES_CONTENT_URI,
            new String[]{EntryColumns.TITLE, EntryColumns._ID, FeedData.FeedColumns.ICON},
            selection.toString(), null, EntryColumns.DATE + Constants.DB_DESC);
} finally {
    // Restore the caller's identity, even if the query throws
    Binder.restoreCallingIdentity(identityToken);
}

This solves the problem, even without setting read/write permissions on the content provider, just by using it with exported set to "false".
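
The same pattern in the context of a widget factory, as an added example that is not code from the original post. The class name, provider authority and column names are hypothetical, and binding the filter value through selectionArgs instead of a concatenated selection string is an addition here.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.os.Binder;
import android.widget.RemoteViewsService;

// Hypothetical factory: authority, table and column names are assumptions.
abstract class EntryWidgetFactory implements RemoteViewsService.RemoteViewsFactory {
    // The provider behind this URI is declared with android:exported="false".
    private static final Uri ENTRIES = Uri.parse("content://com.example.reader.provider/entries");
    private static final String[] PROJECTION = {"_id", "title", "icon"};

    private final Context mContext;
    private final long mFeedId;
    private Cursor mCursor;

    EntryWidgetFactory(Context context, long feedId) {
        mContext = context.getApplicationContext();
        mFeedId = feedId;
    }

    @Override
    public void onDataSetChanged() {
        if (mCursor != null) {          // drop the previous result set
            mCursor.close();
            mCursor = null;
        }
        ContentResolver cr = mContext.getContentResolver();
        // Here the calling identity is the home screen's, so the provider
        // check fails unless we switch to our own process identity.
        final long token = Binder.clearCallingIdentity();
        try {
            // Values are bound with "?" so they never become part of the SQL text.
            mCursor = cr.query(ENTRIES, PROJECTION, "feed_id = ? AND is_read = 0",
                    new String[]{String.valueOf(mFeedId)}, "date DESC");
        } finally {
            // Keep the cleared-identity window as small as the query itself.
            Binder.restoreCallingIdentity(token);
        }
    }

    @Override
    public int getCount() {
        return mCursor == null ? 0 : mCursor.getCount();
    }

    @Override
    public void onDestroy() {
        if (mCursor != null) mCursor.close();
    }
}
```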
