Closed Bug 710572 Opened 13 years ago Closed 11 years ago

Audit content providers for vulnerabilities

Categories

(Firefox for Android Graveyard :: General, defect, P1)

ARM
Android
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rnewman, Assigned: imelven)

E.g.,

  http://labs.mwrinfosecurity.com/notices/webcontentresolver/

This is worthwhile even for content providers that we don't publish in released builds. Injection attacks can find all sorts of avenues.
Assignee: nobody → imelven
Priority: -- → P1
Hardware: All → ARM
tracking-fennec: --- → 11+
Looked through the current Android manifests - the concern here is that the content providers should only be accessible by Fennec (and Sync when it's a separate app). The content providers for both the Browser DB (whether local or Android System) and the PasswordProvider (see below for details on which patch I looked at) both require signature level permissions - this means only apps signed with the same key as Fennec (including Fennec itself of course) can access them, which is what we want.

The other concern is possible injections - the best practice here is to use parameterized queries instead of building up SQL WHERE clauses via concatenating strings.

Looked through the BrowserProvider, didn't find anything of concern.

Also looked through the most recent PasswordsProvider patch (bug 704682 attachment 582406) - nothing of concern there at the moment.

Found a couple of very minor issues in some of the sync code that uses ContentResolvers, emailed rnewman about them, he filed bug 716143.

Also looked through all the code in mobile/android that uses content resolvers looking for injections - nothing of note found.

We should probably plan to do another quick audit before shipping 1.0 - I'll keep watching the password provider bugs also to keep up on what's happening there.
tracking-fennec: 11+ → ---
See Also: → 716143
The tool is now called Mercury and available at https://github.com/mwrlabs/mercury/

I've seen a talk at Blackhat EU about this tool and it offers a great interface to audit content providers and other exposed functionality :) We should definitely consider trying it on Fennec.
I'm going to mark this RESOLVED FIXED per comment 1 - if we want to do another review of Fennec's content providers I suggest opening a new bug for that.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Product: Firefox for Android → Firefox for Android Graveyard
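
Added example, not part of the bug's comments and not Fennec code: the injection concern from comment 1, shown as a content provider that builds its WHERE clause by concatenation next to the parameterized form. The class, database, table and column names are assumptions made for illustration.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.net.Uri;

// Hypothetical read-only provider; class, table and column names are assumptions.
public class ExampleHistoryProvider extends ContentProvider {
    private static final String TABLE = "history";
    private static final String[] COLUMNS = { "_id", "url", "title" };
    private SQLiteOpenHelper helper;

    @Override public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), "example.db", null, 1) {
            @Override public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE history (_id INTEGER PRIMARY KEY, url TEXT, title TEXT)");
            }
            @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) { }
        };
        return true;
    }

    // Weak form: the caller-controlled path segment is spliced into the WHERE
    // clause, so its text is parsed as SQL.
    Cursor queryConcatenated(SQLiteDatabase db, Uri uri) {
        return db.query(TABLE, COLUMNS, "_id = " + uri.getLastPathSegment(),
                        null, null, null, null);
    }

    // Parameterized form: the WHERE clause is a constant and the value is bound to "?".
    Cursor queryParameterized(SQLiteDatabase db, Uri uri) {
        return db.query(TABLE, COLUMNS, "_id = ?",
                        new String[] { uri.getLastPathSegment() }, null, null, null);
    }

    @Override public Cursor query(Uri uri, String[] projection, String selection,
                                  String[] selectionArgs, String sortOrder) {
        // projection, selection and sortOrder are also caller-supplied SQL fragments;
        // this sketch ignores them rather than passing them through.
        return queryParameterized(helper.getReadableDatabase(), uri);
    }

    @Override public String getType(Uri uri) { return null; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String sel, String[] args) { return 0; }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { return 0; }
}
```

When auditing, every string argument that reaches `SQLiteDatabase.query` from a caller deserves the same check as the path segment here.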