The Content Provider API allows third party applications installed in the device to retrieve data stored by the application. Access to this data must not be allowed to all applications by default. Instead, (and only if required) specific allow-lists must be used.
Leak application information to all applications installed in the device through the Content Provider API.
- Deny access to all Content Providers with: android:exported=false and android:grantUriPermissions=false. If required you can allow specific Content Providers by using grant-uri-permission. - If the attribute android:grantUriPermissions=true is required, establish a custom permission using the permission tag with a Signature protection level.
Unauthorized local attacker owner of a third party application installed in the device.
⌚ 30 minutes.
Default score using CVSS 3.1. It may change depending on the context of the src.
Default score using CVSS 4.0. It may change depending on the context of the src.
Ideally, there should be no access allowed to third party content providers
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:sharedUserId="android.uid.system" android:versionCode="4" android:versionName="1.0" package="com.android.zerosms"> <uses-permission android:name="android.permission.SEND_SMS"/> <application android:label="@7F040001" android:icon="@7F020002"> <provider android:authorities="com.andriod.databasetest.contentprovider" android:name=".db.ContentProviderDb" android:exported="false" android:grantUriPermissions="false"> </provider> </application>
</manifest>
The application allows external content providers with an export and Uri permissions set to true
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:sharedUserId="android.uid.system" android:versionCode="4" android:versionName="1.0" package="com.android.zerosms"> <uses-permission android:name="android.permission.SEND_SMS"/> <application android:label="@7F040001" android:icon="@7F020002"> <provider android:authorities="com.andriod.databasetest.contentprovider" android:name=".db.ContentProviderDb" android:exported="true" android:grantUriPermissions="true"> </provider> </application></manifest>