45–47. (slides 45 to 47 build up this listing incrementally; the complete version is shown once)
public class accessfile extends ContentProvider {
    public static final String AUTHORITY = "pt.claudio.security";
    public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY + "/");
    private static final HashMap<String, String> MIME_TYPES = new HashMap<String, String>();
    private static final UriMatcher sURIMatcher = new UriMatcher(UriMatcher.NO_MATCH);
    static {
        sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER);
        sURIMatcher.addURI(AUTHORITY, "file/", FILE);
    }
    …
    public ParcelFileDescriptor openFile(Uri uri, String mode) {
        …
        // The caller-controlled path is appended to the base directory without any
        // validation: ".." segments are never rejected, so the resulting File can
        // point outside the intended folder.
        File f = new File(getContext().getString(R.string._sdcard), uri.getPath());
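A hardened openFile() for the provider above, as an added example that is not part of the slides: the file name is taken as a single path segment, both paths are canonicalised, and the result must stay under the base directory. It assumes the matcher registers the FILE route with the pattern file/* and that R.string._sdcard names the base directory.

```java
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

// Hypothetical replacement for the vulnerable openFile() shown on the slides.
public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
    // Assumes sURIMatcher.addURI(AUTHORITY, "file/*", FILE); refuse every other route.
    if (sURIMatcher.match(uri) != FILE) {
        throw new FileNotFoundException("Unsupported URI: " + uri);
    }
    // Expose files read-only; callers must not be able to write through the provider.
    if (!"r".equals(mode)) {
        throw new SecurityException("Only read access is allowed");
    }
    File base = new File(getContext().getString(R.string._sdcard));
    // Use only the last segment so directory components cannot be smuggled in.
    String name = uri.getLastPathSegment();
    if (name == null || name.isEmpty()) {
        throw new FileNotFoundException("No file name in " + uri);
    }
    File f = new File(base, name);
    try {
        // Canonicalise both sides so "..", "./" and symlinks cannot escape the base.
        String basePath = base.getCanonicalPath() + File.separator;
        String filePath = f.getCanonicalPath();
        if (!filePath.startsWith(basePath)) {
            throw new SecurityException("Path escapes base directory: " + uri);
        }
    } catch (IOException e) {
        throw new FileNotFoundException("Cannot resolve " + uri);
    }
    return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE_READ_ONLY);
}
```

The containment check is the important part: a name such as "..%2F..%2Fshared_prefs%2Fsecrets.xml" decodes to a path whose canonical form no longer starts with the base directory, so it is rejected instead of being opened.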
For us to have secure communication we have to rely on HTTPS, yada yada.
HTTPS is based on certificates and depends on their validation, yada yada yada.
Some of the validations include those above; explain a little bit.
Optionally we also have certificate pinning, a little later. So let's imagine two scenarios of a developer creating a mobile app for Pixels Camp..
So the production environment will be pixels.camp, and with these settings we would make a secure connection to the website..
But actually I am using my local dev setup with a self-signed certificate, and therefore I keep getting errors. So my first idea is to Google a little bit to find a way to solve these errors…
This is where things go south… Well, I found some nice guys on Stack Overflow that pointed me to a way to get rid of those pesky errors..
Explain. So the errors went away. Awesome.
So let's say that in a second scenario I actually have an online server with a valid certificate, but not for the right hostname. Well, Stack Overflow to the rescue..
Explain. Again the errors went away. But what are the implications of these patches?
Well…. Imagine that Ron is using your application at his coffee shop, on its public hotspot. Yada yada yada yada
Yada yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
So enter WebViews…
Explain
Video with metasploit with payload to exploit JavascriptInterface
Well…. Ron not happy!
Explain
Video with exploiting the content provider
So for bonus points, we can even indirectly break the application sandbox……..
Explain.
So for those wondering what these parameters mean, let's imagine a SQL query. Projection represents the fields chosen for the query, and selection the fields used in the WHERE clause. The sortOrder holds the fields we would put in the ORDER BY. The selectionArgs I will talk about later.