
Android Secure Development: Provider Component Security

Authors: 伊樵, 呆狐 @ 阿里聚安全 (Alibaba JAQ)

1 Content Provider overview

The Content Provider is one of the core components of an Android application. It manages access to data and is mainly used to share data between different applications. A Content Provider's data source is not limited to SQLite databases; it can also be file data. By separating the data storage layer from the application layer, a Content Provider offers a uniform interface to all kinds of data sources.

To create your own Content Provider, subclass the abstract class ContentProvider and override its six abstract methods: onCreate(), query(), insert(), update(), delete() and getType(). These methods implement the create, read, update and delete operations on the underlying data source. The Content Provider must also be registered in the AndroidManifest file, where its access permissions, exported attribute, authority attribute and so on are specified.

Other apps use a ContentResolver object to query and manipulate a Content Provider; this object exposes methods with the same names as those of the Content Provider. In this way other apps can access the underlying data behind the Content Provider without needing to know its structure or implementation.
How is a specific piece of data located?
Through a content URI. A content URI looks like this:

    content://com.jaq.providertest.friendsprovider/friends

It generally consists of three parts:

  • (1) content://: the special scheme that identifies a content URI (mandatory);
  • (2) authority: uniquely identifies this Content Provider so that external callers can find it; it is also configured in the AndroidManifest;
  • (3) path: the path of the data to be accessed, determined by the business logic.

We will not go into more detail here; see references [1] and [4].

2 Risk overview

If a Content Provider's exported attribute is set to true in the AndroidManifest file, the app gains an additional attack surface. If the implementation of that Content Provider is flawed, risks such as arbitrary data access, SQL injection and directory traversal can result.

2.1 Incorrectly defined private permissions lead to arbitrary data access

A common risk with private permissions is that a private permission is required by the Provider, but the permission itself is never defined, or is defined with a protection level that is too low. A malicious app then only needs to request that permission to access the data the Content Provider exposes, resulting in data leakage.

Take the public WooYun vulnerability WooYun-2014-57590 as an example:
A cloud-storage client used its own private permission but never defined it in the AndroidManifest, so any other app that merely declared this permission could access the Provider exposed by the client and thereby reach user data.

When registering the Provider in the client's AndroidManifest, the read and write permissions required for access were declared, and they were custom private permissions of the client:

(screenshot omitted)

However, no definition of the private permissions "com.huawei.dbank.v7.provider.DBank.READ_DATABASE" and "com.huawei.dbank.v7.provider.DBank.WRITE_DATABASE" appears anywhere in the AndroidManifest:

(screenshot omitted)

The main code:

(screenshot omitted)

The download list stored in the database is retrieved:

(screenshot omitted)

In this way any malicious application can access the user's cloud-storage upload and download records, the list of files stored in the cloud drive, and other private information.

Next, take the public WooYun vulnerability wooyun-2013-039697 as an example:
A private permission was defined, but its protection level was set to dangerous or normal. For an app whose Provider holds important data, such a protection level is too weak.
The Provider:

(screenshot omitted)

The private permission "com.renren.mobile.android.permission.PERMISSION_ADD_ACCOUNT" is defined as:

(screenshot omitted)

The main code:

(screenshot omitted)

The user's account information can be read, including the uid, phone number and encrypted password:

(screenshot omitted)

2.2 SQL injection

The parameters of the query() method:

  • uri: the content URI of the database to query;
  • projection: the columns to return;
  • selection and selectionArgs: the query condition;
  • sortOrder: how the results are sorted.

query() compared with an SQL query:

(screenshot omitted)

Decompiling the client and tracing the implementation of PlayHistoryProvider shows that the raw SQL query is built by string concatenation:

(screenshot omitted)

The vulnerability is confirmed with the drozer tool:

(screenshot omitted)

2.3 Directory traversal

The content read from another file:

(screenshot omitted)

Furthermore, in the implementation of the openFile() interface, if the requested file does not exist it is created, so there is the additional risk of writing arbitrary files into the application's directory.

3 Alibaba JAQ developer recommendations

When designing an app, be clear about which Provider data is user-private or otherwise important, and consider whether it needs to be exposed to external applications at all. If not, set the Provider's exported attribute explicitly to "false" in the AndroidManifest file; this removes a large part of the attack surface.

Manual review is tedious, so developers are advised to use the security scanning service provided by Alibaba JAQ to run automated security scans before the app goes live, so that such risks are found and avoided early.

Note:
Because a Content Provider cannot be set to non-exported on Android 2.2 (API level 8), it is recommended to declare a minimum SDK version above 8 (that SDK is several years old by now, and the minimum is normally higher anyway);
Because the default value of "android:exported" is true for all applications with an API level below 17, if the app's Content Provider does not need to be exported, explicitly set the "android:exported" attribute of the registered Content Provider component to false;
If data must be provided to external applications, design it carefully and enforce proper permission control, making explicit which external applications may use it: for your own company's apps, defining the permission at signature level is enough, since they share the same signing certificate; for partner apps, check their signatures. Even so, avoid exposing user-private, sensitive information wherever possible.

For Providers that must be exposed, the risks encountered in Part 2 can be addressed as follows:

3.1 Define private permissions correctly

The syntax for defining a private permission in the AndroidManifest is:

(screenshot omitted)

The possible values of android:protectionLevel mean:

  • normal: the default; a low-risk permission that the system grants to the application automatically at install time.
  • dangerous: a high-risk permission, such as sending SMS, making calls, or reading and writing contacts. Use this protectionLevel to mark permissions the user may care about. Android warns the user about these permission requests at install time; the exact behaviour may vary with the Android version or the device.
  • signature: a signature permission; when another app requests the declared permission, the two apps must be signed with the same certificate. The system then grants the permission to the third-party app automatically without prompting the user.
  • signatureOrSystem: in addition to apps with the same signature, programs in the Android system image are allowed access.

Most open Providers are meant for other apps from the same company, and a company's apps are normally all signed with the same certificate. In that case the permission protecting the Provider should use android:protectionLevel="signature".

3.2 Preventing local SQL injection

Note: never assemble SQL statements by string concatenation.
If the Content Provider's data source is an SQLite database and raw SQL statements are built and executed by concatenating strings, SQL injection results.
Consider the following selection clause:

(screenshot omitted)

Executing this lets the user concatenate malicious SQL onto the SQL statement.
For example, the user can enter "nothing; DROP TABLE *;" for mUserInput, which produces the selection clause

    var = nothing; DROP TABLE *;

Because the selection clause is processed as an SQL statement, this may cause the provider to erase all tables in the underlying SQLite database (unless the provider is set up to catch SQL injection attempts).

Use parameterized queries:

To avoid this problem, use a selection clause with "?" as a replaceable parameter together with a separate array of selection arguments.
When you do this, the user input is bound directly to the query rather than interpreted as part of the SQL statement.
Because the user input is not treated as SQL, no malicious SQL can be injected.

Use this selection clause instead of including user input by concatenation:

    String mSelectionClause = "var = ?";

Set up the selection arguments array as follows:

    String[] selectionArgs = {""};

Put the value into the selection arguments array as follows:

    selectionArgs[0] = mUserInput;

You can also call the parameterized query() method of the SQLiteDatabase class:

(screenshot omitted)
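As an added example (not code from the original post), the concatenating pattern found in PlayHistoryProvider beside a hardened version: caller values travel only through selectionArgs, and SQLiteQueryBuilder in strict mode validates the caller-supplied selection against a column allowlist. The table and column names are assumed.

```java
// Added example, not from the original post. Table/column names are assumed.
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import java.util.HashMap;
import java.util.Map;

public final class PlayHistoryQueries {
    static final String TABLE = "play_history";           // assumed table name

    // Only these columns may be referenced by external callers (projection map).
    static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("title", "title");
        PROJECTION_MAP.put("played_at", "played_at");
    }

    // VULNERABLE: the selection received from ContentResolver.query() is glued
    // into raw SQL, so an external caller controls part of the statement itself.
    static Cursor queryVulnerable(SQLiteDatabase db, String selection) {
        String sql = "SELECT * FROM " + TABLE + " WHERE " + selection;
        return db.rawQuery(sql, null);
    }

    // HARDENED: values are bound through selectionArgs ('?' placeholders), and
    // because the selection string is still caller-controlled on an exported
    // provider, strict mode makes SQLiteQueryBuilder parse it and reject any
    // column or construct outside the projection map (IllegalArgumentException).
    static Cursor queryHardened(SQLiteDatabase db, String[] projection,
                                String selection, String[] selectionArgs,
                                String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP);
        qb.setStrict(true);   // API 14+; requires a projection map to be set
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }
}
```

A provider's query() would pass its arguments straight into queryHardened(); the projection map also maps unknown projection columns to an exception instead of to raw SQL.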

3.3 Preventing directory traversal

1. Remove the openFile() interface from the Content Provider if it is not needed.
2. Filter and restrict cross-directory access by validating the path of the target file effectively:
First decode the content query URI with Uri.decode(), then filter out URI strings that could reach arbitrary readable files via "../", for example:

(screenshot omitted)
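As an added example (not the post's own code), an openFile() that applies the two rules above: it decodes the requested path, canonicalizes it and accepts it only if it stays inside an allowed directory, and it never creates files on a caller's behalf. The allowed directory ("shared" under the app's files dir) is an assumption.

```java
// Added example, not from the original post. The "shared" base directory is assumed.
import android.content.ContentProvider;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

public abstract class SafeFileProvider extends ContentProvider {

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        // Read-only: an exported provider must not create or write files for an
        // untrusted caller (the "file is created if missing" risk from section 2.3).
        if (!"r".equals(mode)) {
            throw new FileNotFoundException("write access not permitted: " + uri);
        }
        File base = new File(getContext().getFilesDir(), "shared");   // assumed root
        File target = resolveInsideBase(base, uri.getEncodedPath());
        if (target == null || !target.isFile()) {
            throw new FileNotFoundException("not found: " + uri);
        }
        return ParcelFileDescriptor.open(target, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // Decode first (so "%2e%2e%2f" cannot hide a "../"), resolve to a canonical
    // absolute path, and accept it only if it is still under the base directory.
    static File resolveInsideBase(File base, String rawPath) {
        if (rawPath == null) return null;
        String decoded = Uri.decode(rawPath);
        try {
            String baseCanon = base.getCanonicalPath() + File.separator;
            String canon = new File(base, decoded).getCanonicalPath();
            // getCanonicalPath also follows symlinks, so a link that points
            // outside the base directory is rejected as well.
            return canon.startsWith(baseCanon) ? new File(canon) : null;
        } catch (IOException e) {
            return null;
        }
    }
}
```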

3.4 Authorizing partner apps by verifying their signature

If a partner's app must be granted access to the Provider but the partner's signing certificate differs from your company's, embed the hash of the partner app's signature in the app that hosts the Provider. The hosting app then checks the signature of any app requesting access to the Provider and allows access only if the signature matches.
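An added example (not the post's own code) of the check described above: the provider resolves the calling uid to its packages and allows the call only if every package is signed with a certificate whose SHA-256 hash is embedded in the app. The hash value shown is a placeholder.

```java
// Added example, not from the original post. The certificate hash is a PLACEHOLDER.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class CallerSignatureCheck {
    // SHA-256 of the partner's signing certificate (DER bytes), lower-case hex.
    static final Set<String> TRUSTED_CERT_SHA256 = new HashSet<>(Arrays.asList(
            "0000000000000000000000000000000000000000000000000000000000000000"));  // placeholder

    // Call at the top of query()/openFile(), on the binder thread and before any
    // clearCallingIdentity(), so that Binder.getCallingUid() is the real caller.
    static boolean callerIsTrusted(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) return false;
        for (String pkg : pkgs) {   // a shared uid may cover several packages: all must pass
            try {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
                if (info.signatures == null || info.signatures.length == 0) return false;
                for (Signature sig : info.signatures) {
                    if (!TRUSTED_CERT_SHA256.contains(sha256Hex(sig.toByteArray()))) return false;
                }
            } catch (PackageManager.NameNotFoundException e) {
                return false;
            }
        }
        return true;
    }

    static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // SHA-256 is always available on Android
        }
    }
}
```

Comparing the full certificate hash rather than a package name is what makes the check meaningful: package names are not protected, signing certificates are.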

References

[1] "Content provider basics" (内容提供程序基础知识), https://developer.android.com/guide/topics/providers/content-provider-basics.html
[2] "SQL injection on the Android app side" (Android app端的sql注入), http://zone.wooyun.org/content/15097
[3] "Android - Content Providers", http://www.tutorialspoint.com/android/android_content_providers.htm
[4] http://www.compiletimeerror.com/2013/12/content-provider-in-android.html
[5] https://developer.android.com/guide/topics/manifest/permission-element.html?hl=zh-cn
[6] https://developer.android.com/guide/topics/manifest/permission-element.html
[7] http://www.wooyun.org/bugs/wooyun-2013-039697
[8] http://www.wooyun.org/bugs/wooyun-2014-057590
[9] "Android Content Provider Security", http://drops.wooyun.org/tips/4314
[10] http://www.wooyun.org/bugs/wooyun-2016-0175294
[11] "Android Content Provider Security", http://drops.wooyun.org/tips/4314
[12] http://www.wooyun.org/bugs/wooyun-2013-044407
[13] http://www.wooyun.org/bugs/wooyun-2013-044411
[14] "A brief analysis of Content Provider directory traversal vulnerabilities" (Content Provider文件目录遍历漏洞浅析), https://jaq.alibaba.com/blog.htm?id=61
[15] https://github.com/programa-stic/security-advisories/tree/master/FacebookLite

Authors: 伊樵, 呆狐 @ 阿里聚安全 (Alibaba JAQ). For more security articles, visit the Alibaba JAQ blog.



