10

I received this email after publishing my app on the Play Store:

Hello Google Play Developer,

We reviewed [MyAppName], with package name com.example.myappname, and found that your app uses software that contains security vulnerabilities for users. Apps with these vulnerabilities can expose user information or damage a user’s device, and may be considered to be in violation of our Malicious Behavior policy.

Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please migrate your apps to use the updated software as soon as possible and increment the version number of the upgraded APK.

Your app(s) are using a content provider with an unsafe implementation of openFile.

To address this issue, follow the steps in this Google Help Center article.

Vulnerability:    Path Traversal
APK Version(s):   1
Deadline to fix:  June 25, 2019

To confirm you’ve upgraded correctly, submit the updated version of your app to the Play Console and check back after five hours. We’ll show a warning message if the app hasn’t been updated correctly.


I've used the Realm database, the iText PDF library and FileProvider in my app. I'm using FileProvider to open a PDF file from storage using an intent.

res/xml/provider_paths.xml

<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <external-path
        name="external_files"
        path="." />
</paths>

AndroidManifest.xml

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="com.example.appName">

    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />

    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_icon"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_icon"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">

        ...

        <provider
            android:name="androidx.core.content.FileProvider"
            android:authorities="${applicationId}.provider"
            android:exported="false"
            android:grantUriPermissions="true">
            <meta-data
                android:name="android.support.FILE_PROVIDER_PATHS"
                android:resource="@xml/provider_paths" />
        </provider>
    </application>

</manifest>

TemplatesFragment.java

import android.content.Intent;
import android.net.Uri;
import android.os.Environment;
import android.widget.Toast;
import androidx.core.content.FileProvider;
import java.io.File;

// Inside TemplatesFragment: builds a content:// Uri for a template PDF and hands it to an external viewer.
private void openTemplate(String templateName) {
    File file = new File(Environment.getExternalStorageDirectory().getAbsolutePath()
            + "/MyCvs/Templates/" + templateName);
    Uri uriPdf = FileProvider.getUriForFile(getActivity(),
            BuildConfig.APPLICATION_ID + ".provider", file);
    Intent target = new Intent(Intent.ACTION_VIEW);
    target.setDataAndType(uriPdf, "application/pdf");
    target.setFlags(Intent.FLAG_ACTIVITY_NO_HISTORY);
    target.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION); // lets the chosen viewer read this Uri
    Intent intent = Intent.createChooser(target, "Open File");
    try {
        startActivity(intent);
    } catch (Exception e) {
        // Instruct the user to install a PDF reader here, or something
        Toast.makeText(getActivity(), "" + e.getMessage(), Toast.LENGTH_SHORT).show();
    }
}

2 Answers

7

Don't put "." in the path; instead, give the name of the folder that you want to use.

For example, if you want to access/use the Download folder, then in provider_paths.xml:

<?xml version="1.0" encoding="utf-8"?>
<paths>
    <external-path
        name="downloads"
        path="Download/" />
</paths>
AtifSayings
5

They actually provide one with all one needs to know; see support.google.com:

Implementations of openFile in exported ContentProviders can be vulnerable if they do not properly validate incoming Uri parameters. A malicious app can supply a crafted Uri (for example, one that contains “/../”) to trick your app into returning a ParcelFileDescriptor for a file outside of the intended directory, thereby allowing the malicious app to access any file accessible to your app.

The FileProvider must reject any Uri containing `..`, which is deemed "exploitable".

Martin Zeitler
  • 1
    @Zeitler, how to do that? I used the code given by Google, but then the functionality stops working. My question and code are: https://stackoverflow.com/questions/57112903/your-apps-are-using-a-content-provider-with-an-unsafe-implementation-of-openfi – Alpesh Jul 19 '19 at 13:02
  • @Alpesh seen your question previously... while there is no `@xml/file_provider_paths` posted, therefore one can only assume that the path also is a relative path, which does not really define a concrete location. The scope of the `FileProvider` needs to be narrowed down as far as possible. – Martin Zeitler Jul 19 '19 at 13:08
  • The code for that is: – Alpesh Jul 19 '19 at 13:09
  • @Martin Zeitler, I have uploaded the path code. Please check and respond. It's really important and urgent for me. Thank you so much for being with me – Alpesh Jul 19 '19 at 13:11
  • @Alpesh you also have that `path="."` there, which means "the current directory"... based upon how they describe the vulnerability... the `FileProvider` must reject any `Uri` containing `..`, which means "the directory above". – Martin Zeitler Jul 19 '19 at 13:16
  • What should I write in the code part? Not able to understand – Alpesh Jul 19 '19 at 13:18
  • Can you guide me on how to do this? Some code might help me with the same. Thanks – Alpesh Jul 19 '19 at 13:29
  • Can you include sample code to access/share/use files in a specific folder? For example, my app creates and uses files in a folder with the address root/MyCvs/Templates/ – Jul 20 '19 at 13:13
  • 1
    How about `!uri.toString().contains("..")`? I'd assume that the pre-release tests simply access the provider with a potentially malicious `Uri` and see if it responds. – Martin Zeitler Jul 20 '19 at 17:41
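The check this answer describes (reject any request that escapes the provider's directory), written out in plain Java as an added example; it is not code from the question, the answers or the Google article, the class and method names are my own, and the directory layout is constructed for the demo. It compares canonical paths instead of searching the string for `..`, so it also catches symlinks and already-decoded encodings that the `contains("..")` test suggested in the comments would let through.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Files;

/**
 * Containment check for a ContentProvider's openFile(). On Android, call
 * resolveInside(providerRoot, uri.getPath()) from openFile(Uri, String) and pass
 * the File to ParcelFileDescriptor.open(file, MODE_READ_ONLY). Canonicalizing
 * rejects "..", decoded "%2e%2e" (Uri.getPath() decodes) and symlinks out of root.
 */
public class SafeOpenFile {
    /** Resolves a provider-relative request inside baseDir, or throws. */
    public static File resolveInside(File baseDir, String requested)
            throws FileNotFoundException {
        String base;
        File candidate;
        try {
            base = baseDir.getCanonicalPath();
            candidate = new File(baseDir, requested).getCanonicalFile();
        } catch (IOException e) {
            throw new FileNotFoundException("cannot resolve: " + requested);
        }
        // Trailing separator: "<root>/Templates2" must not count as inside "<root>/Templates".
        if (!candidate.getPath().startsWith(base + File.separator)) {
            throw new FileNotFoundException("path escapes provider root: " + requested);
        }
        return candidate;
    }

    /** Demo on a constructed layout: <tmp>/Templates/cv.pdf, <tmp>/secret.txt and a symlink. */
    public static void main(String[] args) throws IOException {
        File root = Files.createTempDirectory("provider-demo").toFile();
        File templates = new File(root, "Templates");
        templates.mkdirs();
        new File(templates, "cv.pdf").createNewFile();
        File secret = new File(root, "secret.txt");
        secret.createNewFile();
        Files.createSymbolicLink(new File(templates, "link").toPath(), secret.toPath());
        // "link" has no ".." but points outside the root; a contains("..") test would let it through.
        String[] requests = { "cv.pdf", "sub/../cv.pdf", "../secret.txt", "/../secret.txt", "link" };
        for (String r : requests) {
            try {
                System.out.println("ALLOW " + r + " -> " + resolveInside(templates, r));
            } catch (FileNotFoundException e) {
                System.out.println("DENY  " + r + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only `cv.pdf` and `sub/../cv.pdf` are allowed; the two `..` requests and the symlink resolve outside the Templates root and are denied.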