Unintended Data Leakage - Leaking content providers

When an application processes sensitive information taken as input from the user or any other source, it may result in placing that data in an insecure location in the device. This insecure location could be accessible to other malicious apps running on the same device, thus leaving the device in a serious risk state.

Unintended data leakage occurs when a developer inadvertently places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device.

Below is the list of scenarios where unintended data leakage flaws may exist.

• Leaking content providers
• Copy/paste buffer caching
• Logging
• URL caching.

I will be using Appuse which is a vm developed for Android Application Penetration Testing.

Im using Insecure Bank V2 application.

Steps for Unintended Data Leakage Leaking content providers

1.Get the package name from androidmanifest.xml file of the app.

2.Open drozer on the android mobile.

3.Start the server.

4.Open the terminal and enter adb forward tcp:31415 tcp:31415

5.Now enter drozer console connect

6.On the drozer terminal enter run app.package.attacksurface package_name.

7. You will get if there are any exported content provider.

8.Enter run app.provider.finduri package_name to get the exported content provider name.

9. To get all the data enter run app.provider.query content_provider_name.