26. SQLite & content providers
SQLite3
/data/data/app.name/databases/
load_extension() disabled :(
SQLinj… will talk later
Private database
27. SQLite & content providers
Content provider:
API for exposing your database publicly or semi-publicly
Exported and public by default
File access API
Examples:
content://sms
28. SQLite & content providers
How to secure:
android:exported="false"
android:protectionLevel="signature" (set on the <permission> that guards the provider)
android:grantUriPermissions="true"
37. Intents
Exported intents can be called from third-party apps
Activity
startActivity()
startActivityForResult()
Service
startService()
Broadcast
sendBroadcast()
38. Intents
Third-party apps can send "extra" and "data://" values to intents
extra
string, integer, long, float, boolean, uri
component
name
data
wrapper://host/path?query
39. Intents
Set “exported” to false for all intents
Set permissions for broadcast receiving/delivering
Validate extra data sent to intents
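Added example (not from the slides): a short Python audit of a text-form AndroidManifest.xml that applies the "How to secure" and "Set exported to false / set permissions" advice above by listing components other apps can reach without a signature-level permission. The sample manifest, its com.example names and the audit() helper are constructed for illustration; the check assumes a decoded manifest that still carries its <uses-sdk> element.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
# Constructed sample manifest (hypothetical app, not from the slides).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="16"/>
  <permission android:name="com.example.READ" android:protectionLevel="signature"/>
  <application>
    <provider android:name=".OpenProvider" android:authorities="com.example.open"/>
    <provider android:name=".SignedProvider" android:authorities="com.example.signed"
              android:exported="true" android:permission="com.example.READ"/>
    <provider android:name=".PrivateProvider" android:authorities="com.example.priv"
              android:exported="false" android:grantUriPermissions="true"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </receiver>
    <service android:name=".Worker"/>
  </application>
</manifest>"""

def audit(manifest_xml):
    """Return sorted (component, problem) pairs for components other apps can reach."""
    root = ET.fromstring(manifest_xml)
    sdk, app = root.find("uses-sdk"), root.find("application")
    levels = [int(sdk.get(A + k)) for k in ("minSdkVersion", "targetSdkVersion")
              if sdk is not None and sdk.get(A + k)]
    # Providers default to exported only when min/target SDK is 16 or lower;
    # with no <uses-sdk> the audit assumes that older, riskier default.
    provider_default = min(levels, default=1) <= 16
    declared = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
                for p in root.findall("permission")}
    findings = []
    for comp in (app if app is not None else []):
        if comp.tag not in ("activity", "activity-alias", "service", "receiver", "provider"):
            continue
        default = (provider_default if comp.tag == "provider"
                   else comp.find("intent-filter") is not None)
        raw = comp.get(A + "exported")
        if not (default if raw is None else raw == "true"):
            continue
        base = comp.get(A + "permission") or app.get(A + "permission")
        perms = [base]
        if comp.tag == "provider":  # read and write access can be guarded separately
            perms = [comp.get(A + k) or base for k in ("readPermission", "writePermission")]
        if None in perms:
            findings.append((comp.get(A + "name"), "exported without a permission"))
        # Permissions not declared in this manifest (e.g. platform ones) are not judged.
        elif any("signature" not in declared.get(p, "signature") for p in perms):
            findings.append((comp.get(A + "name"), "permission is not signature-level"))
    return sorted(findings)
```

On the sample, audit(SAMPLE) reports .OpenProvider and .SyncReceiver; raising the SDK levels above 16 drops the provider finding because the provider default changes.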