Extracting data from vulnerable content providers
If some of the content provider's URIs require no read permissions and/or GrantURI
is set to true, you may be able to extract data from it using some of the drozer tools. Also, in certain situations, the way read/write permissions are issued and enforced also exposes the data in a content provider to attacks.
This recipe will covers some simple tricks that you can use to get a feel of the kind of information stored in the provider. This recipe follows from the previous one and assumes you've already enumerated some content URIs and determined that either none or insufficient permissions are required to interact and query the related URIs.
How to do it...
Once you've found a URI, you'd query using the commands detailed in the previous recipe, namely:
run app.provider.info –-permission null run app.provider.finduri [package]
The preceding commands will give you some pretty useful URIs to target; you can then execute the following command to extract...
