SafeContentResolver

A replacement for Android's ContentResolver that protects against the Surreptitious Sharing attack.

Surreptitious Sharing

Read all about it in the corresponding blog post.

Usage

Replace all occurrences of ContentResolver.openInputStream() where URIs provided by other apps are opened with SafeContentResolver.openInputStream().

SafeContentResolver will refuse to open file:// URIs pointing to files belonging to your app and content:// URIs belonging to content providers of your app.
If you wish to allow access to certain content providers, add the following <meta-data> element to the appropriate <provider> entries in your manifest:

<provider … >
    <meta-data
        android:name="de.cketti.safecontentresolver.ALLOW_INTERNAL_ACCESS"
        android:value="true" />
</provider>

The library comes in two flavors safe-content-resolver-v14 and safe-content-resolver-v21. The former includes native code to be able to invoke the fstat system call that is used to retrieve the owner of a file. Starting with Lollipop (API 21) the framework includes the class Os to access this functionality. So safe-content-resolver-v21 is free of native code and thus much smaller.

To retrieve an instance of SafeContentResolver use:

SafeContentResolver safeContentResolver = SafeContentResolverCompat.newInstance(context);

If your minSdkVersion is 21 or higher you only need to include safe-content-resolver-v21 and use the following code:

SafeContentResolver safeContentResolver = SafeContentResolver.newInstance(context);

Include the library

implementation 'de.cketti.safecontentresolver:safe-content-resolver-v14:1.0.0'

Or, if you're using minSdkVersion 21 or higher:

implementation 'de.cketti.safecontentresolver:safe-content-resolver-v21:1.0.0'

Native code

safe-content-resolver-v14 contains native code for the following ABIs:

armeabi-v7a
arm64-v8a
x86
x86_64

If you don't want to include all of them in your APK you might want to look into ABIs Splits.

License

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Extend to Handle content: Schemes

The same problem can occur if the third-party app sends over a content: Uri for the app's own ContentProvider.

Given that file: schemes are being targeted for destruction in Android N, developers are going to start switching en masse to things like FileProvider. Frequently, those are not exported (FileProvider doesn't even allow exporting), but use grantUriPermissions to make content accessible on a per-request basis. Apps can access their own providers without permission, though, and so we have the same basic issue as SafeContentResolver addresses for file: schemes. The only saving grace is that, for many apps, less stuff will be accessible by a ContentProvider.

For API Level 21+, the same approach that you are using (Os and StructStat) works for FileProvider and for providers that use ParcelFileDescriptor.createPipe(). You can use getContentResolver().openFileDescriptor() (passing in the Uri to openFileDescriptor()) and get a ParcelFileDescriptor on the stream.

If your JNI code for older devices is pretty much just Os.fstat(), that may work as well — I only have modest C/C++ POSIX experience.

If you'd like, I can take a shot at adding this to SafeContentResolver.

cketti / safecontentresolver Goto Github PK