Sebastian Guerrero, a security researcher at viaForensics, has disclosed an interesting vulnerability in the eBay Android app prior to version 2.4.1 (detailed paper: https://viaforensics.com/mobile-security/ebay-android-content-provider-injection-vulnerability.html). It allows third-party apps to retrieve, or even modify, the sensitive information stored by the eBay app without requesting any permission.
The cause of this vulnerability is simple: the developer stored local data such as the search history and purchase list in the app's Content Provider, which had no restriction on reading or writing.
The Content Provider is a feature for cross-app data sharing. On Android, there is no storage region accessible to all apps by default, so the Content Provider is the standard way to share structured data among apps. Every app can create its own content provider and access those of other apps.
A content provider is identified by a URI (Uniform Resource Identifier) of the form content://com.ebay.mobile.providers.itemcacheprovider/saved_search, and its data is organized like a database. In this case, saved_search is the table name. To query this table, we can directly use content://com.ebay.mobile.providers.itemcacheprovider/saved_search/50 to access record #50 in the table, or use Android's ContentResolver API (ContentResolver.query() and its related methods) to perform CRUD (create, read, update and delete) operations.
Android also exposes the calendar and contacts through content providers, allowing developers to access them; however, the corresponding permissions are required.
Due to the nature of a Content Provider, anyone can access it by default, whether from a third-party app or from the ADB (Android Debug Bridge) console. It is not wise to put any sensitive or permission-protected information in it.
There are six vulnerable tables in eBay's content provider in total:
To fix this vulnerability, just add the "readPermission" and "writePermission" attributes to the provider declaration in the AndroidManifest file, which the original manifest failed to do:
One lesson can be learned from this case: a content provider is not private storage, so set proper permissions before you put sensitive information into it!
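The two points above, that an exported provider is reachable by every app unless it carries a permission, and that the fix is a readPermission/writePermission pair on the provider declaration, can be turned into a manifest audit. The script below is an added example written for this post; it is not code from the original article, from viaForensics or from eBay. It parses an AndroidManifest.xml with the standard library, applies the pre-API-17 default of exported="true" (a simplification that reads targetSdkVersion, falling back to minSdkVersion), honours the generic android:permission attribute as a fallback for both read and write, and reports every exported provider that is still unprotected. The package name, provider class, authority and permission names in the two embedded manifests are constructed for the example; the second manifest shows the shape of the fix.

```python
"""Flag content providers that other apps can read or write without any permission.

Added audit example; the two sample manifests are constructed and are not eBay's.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest modelled on the bug: provider, no exported attribute
# (so it defaults to exported on this target SDK), no permission attributes.
VULNERABLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="15" />
    <application>
        <provider
            android:name=".providers.ItemCacheProvider"
            android:authorities="com.example.shop.provider" />
    </application>
</manifest>
"""

# Constructed manifest with the fix: a read and a write permission on the
# provider, declared as signature-level so only apps signed with the same
# key can hold them. exported is set explicitly rather than relying on the default.
FIXED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="15" />
    <permission android:name="com.example.shop.permission.READ_CACHE"
        android:protectionLevel="signature" />
    <permission android:name="com.example.shop.permission.WRITE_CACHE"
        android:protectionLevel="signature" />
    <application>
        <provider
            android:name=".providers.ItemCacheProvider"
            android:authorities="com.example.shop.provider"
            android:exported="true"
            android:readPermission="com.example.shop.permission.READ_CACHE"
            android:writePermission="com.example.shop.permission.WRITE_CACHE" />
    </application>
</manifest>
"""


def _android(elem, name):
    """Return the android:NAME attribute of elem, or None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _exported_by_default(root):
    """Providers defaulted to exported=true when the app targets API level < 17.
    Simplification: use targetSdkVersion, else minSdkVersion, else 1."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return True
    level = (_android(uses_sdk, "targetSdkVersion")
             or _android(uses_sdk, "minSdkVersion") or "1")
    return int(level) < 17


def audit_providers(manifest_xml):
    """Return one finding per <provider> reachable by other apps without a permission."""
    root = ET.fromstring(manifest_xml)
    default_exported = _exported_by_default(root)
    findings = []
    for prov in root.iter("provider"):
        exported = _android(prov, "exported")
        is_exported = default_exported if exported is None else exported == "true"
        if not is_exported:
            continue  # private to the app; other apps cannot reach it at all
        # readPermission / writePermission take precedence over the generic
        # android:permission, which otherwise covers both directions.
        generic = _android(prov, "permission")
        issues = []
        if not (_android(prov, "readPermission") or generic):
            issues.append("unprotected read")
        if not (_android(prov, "writePermission") or generic):
            issues.append("unprotected write")
        if issues:
            findings.append({"authority": _android(prov, "authorities"),
                             "issues": issues})
    return findings


if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST),
                            ("fixed", FIXED_MANIFEST)):
        print(label, audit_providers(manifest))
```

Run against a real project, the script would be pointed at the manifest decoded from the APK (for example with apktool) rather than the embedded strings; a provider that is exported with no permission on either direction is exactly the condition the eBay app shipped with, and a finding of only "unprotected write" is the case where a developer added readPermission but forgot its counterpart.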