1
00:00:00,510 --> 00:00:04,810
- Hello, and welcome to the Android Security and Exploitation course

2
00:00:04,810 --> 00:00:09,670
by Pentester Academy. I am Aditya, and I am your course instructor for this entire

3
00:00:09,670 --> 00:00:14,920
training series. So in the previous video, we had a look at some of the access

4
00:00:14,920 --> 00:00:21,590
control issues. In this video we are going to have a look at another type of access

5
00:00:21,590 --> 00:00:27,620
control issue which is related to content provider. Now, in the Android Security

6
00:00:27,620 --> 00:00:31,490
for Pentesters course, we have already tested a lot of different

7
00:00:31,490 --> 00:00:37,891
content provider-based vulnerabilities and exploitation using Drozer. And this

8
00:00:37,891 --> 00:00:43,150
particular vulnerability is the exact same thing of what we did in the Catch Notes

9
00:00:43,150 --> 00:00:48,800
application in the Android Security for Pentesters course. So I highly recommend

10
00:00:48,800 --> 00:00:57,290
you to go watch those videos and come back and try out this exercise. So let me open

11
00:00:57,290 --> 00:01:07,170
the "DIVA" application and go to the "Access Control Issues - Part 3". So the

12
00:01:07,170 --> 00:01:13,240
objective of this particular exercise is to set up a PIN and then create several

13
00:01:13,240 --> 00:01:18,890
private notes and try to access the private note from outside the application

14
00:01:18,890 --> 00:01:24,240
without knowing the PIN, right? So let's set up a PIN over here, and for this

15
00:01:24,240 --> 00:01:30,900
example, let's set it up as 1234. So "PIN created successfully. Private notes

16
00:01:30,900 --> 00:01:37,810
are now protected by your PIN." And now I'll go to Private Notes, type in

17
00:01:37,810 --> 00:01:44,070
1234, and these are the different notes which are there in the private storage.

18
00:01:44,070 --> 00:01:49,650
So the first thing which we have to do is launch our Drozer in order to find out the

19
00:01:49,650 --> 00:01:55,890
different content providers. Also we have discussed a lot of

20
00:01:55,890 --> 00:01:59,310
Drozer-related content in the past, so feel free to check out those videos as

21
00:01:59,310 --> 00:02:09,532
well. So I'll start up Drozer here. And we're going to

22
00:02:09,532 --> 00:02:16,010
"app.provider.finduri" and put in the package name, which is

23
00:02:16,010 --> 00:02:25,560
"jakhar.aseem.diva". So this particular command actually finds all the different

24
00:02:25,560 --> 00:02:31,180
content providers stored in the application. And if you notice, this is

25
00:02:31,180 --> 00:02:36,390
the content provider, which is related to notes. So it's

26
00:02:36,390 --> 00:02:42,973
"jakhar.aseem.diva.provider.notesprovider/notes/". And all we need to do in order

27
00:02:42,973 --> 00:02:53,050
to access it is "app.provider.query --uri" and the content URI. And just for better

28
00:02:53,050 --> 00:03:07,699
formatting, we'll add a "--vertical" as well. There's no "--uri" on this one. And

29
00:03:07,699 --> 00:03:13,010
if you notice over here, we get the entire data, which is stored in the private notes

30
00:03:13,010 --> 00:03:19,910
section. And we got all of this without even asking for a PIN, or without even

31
00:03:19,910 --> 00:03:29,071
entering a PIN. Now you can try out the same thing using "adb shell content

32
00:03:29,071 --> 00:03:36,813
query --uri" and passing in the content URI. So instead of Drozer, if you want

33
00:03:36,813 --> 00:03:47,072
to do it with "adb shell" you can do it as well. Shell, content query, and the

34
00:03:47,072 --> 00:03:53,514
content URI. And you see all the data over here. So even though it is protected in

35
00:03:53,514 --> 00:03:59,420
the application, the content provider in itself is vulnerable. And we can confirm

36
00:03:59,420 --> 00:04:02,690
it by just looking at the Android manifest.

37
00:04:02,690 --> 00:04:15,610
So if we look at the Android manifest, so for provider. So if you notice over here,

38
00:04:15,610 --> 00:04:22,920
it is "exported='true'" and that is the reason why this is vulnerable. So in order

39
00:04:22,920 --> 00:04:27,880
to ensure that your content providers are secure, you can either set it to false,

40
00:04:27,880 --> 00:04:34,690
or you can add the required permission for this particular content provider. So

41
00:04:34,690 --> 00:04:40,280
that's all for this short video, and if you have any feedback or queries, I'll be

42
00:04:40,280 --> 00:04:47,525
more than happy to hear it. You can reach out to me @adi1391 or over email

43
00:04:47,525 --> 00:04:53,639
at adi@attify.com. You can check out the certification at securitytube-training.com

44
00:04:53,639 --> 00:04:58,027
or the subscription model with PentesterAcademy.com. See you in the next

45
00:04:58,027 --> 00:04:59,000
video.