Exploiting Content Provider – #11 DIVA Solution

A content provider securely manages access to app data (for both user-installed and default system apps). Content providers are primarily intended to be used by other applications (or by the app itself), which access the data through a consistent, standard interface. For example, if App-1 has a SQLite DB and some of its data is to be shared with App-2, then App-2 can use a content provider to fetch data from App-1's SQLite DB. Operations may include Create, Read, Update and Delete (CRUD), as in a normal SQLite database.


The video uses the DIVA app to show how misconfigured content providers can be exploited. The aim here is to view the details of all user credentials by invoking the app's content provider, either via an external app or via the ADB command line.


First, let's examine the AndroidManifest.xml file, which contains the details of the content provider declared by the developer.

Here a provider named NotesProvider is defined. It is addressed by the attribute authorities = "jakhar.aseem.diva.provider.notesprovider", it is enabled, and it has exported = "true", which means it also allows access from external apps without any restriction. Since the data inside the provider's SQLite database is sensitive and protected by a PIN created by the app user, external apps should ideally not be allowed to view it.

Now let's find the Java class file where this content provider is used internally, i.e. AccessControl3NotesActivity.java. Notice the use of Cursor: it forms a query with the parameter NotesProvider.CONTENT_URI, which means there is one more class, NotesProvider.java, that contains the value of CONTENT_URI. On checking NotesProvider.java, we can see that the entire CONTENT_URI string is formed from three parts: 1) the prefix "content://", 2) AUTHORITY and 3) TABLENAME. So the entire CONTENT_URI query string is content://jakhar.aseem.diva.provider.notesprovider/notes

So now, in order to exploit this, let's connect an Android device for USB debugging and try the commands below, aiming to read the data present inside the SQLite DB via ADB.

This can be run on both rooted and non-rooted devices. The same is possible via an Android app, which means any installed malware app can view the content provider if it has exported=true.



  • In the manifest file, never use exported="true" unless you know exactly what you are doing. Otherwise an external app can easily invoke your component.
  • Design content providers so that, if an external application only needs to view data, the update/write calls are not exposed and it cannot modify the database.
  • Use a separate DB per endpoint, so that external apps that use one DB cannot access the others.
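
The first two recommendations can be checked mechanically during review. The following Python script is an added example, not code from DIVA or from the original article: it audits a decoded (plain-XML) AndroidManifest.xml for exported providers that declare no read or write permission. The sample manifest is constructed, and `GuardedProvider`, `InternalProvider` and the `com.example.*` names are hypothetical; it assumes targetSdkVersion 17 or higher, where a missing android:exported defaults to false.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest. NotesProvider uses the attributes the article
# describes; GuardedProvider, InternalProvider and com.example.* are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="jakhar.aseem.diva">
  <application>
    <provider android:name=".NotesProvider"
        android:authorities="jakhar.aseem.diva.provider.notesprovider"
        android:enabled="true" android:exported="true"/>
    <provider android:name=".GuardedProvider"
        android:authorities="com.example.guarded" android:exported="true"
        android:readPermission="com.example.READ_NOTES"
        android:writePermission="com.example.WRITE_NOTES"/>
    <provider android:name=".InternalProvider"
        android:authorities="com.example.internal" android:exported="false"/>
  </application>
</manifest>"""

def attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)

def audit_providers(manifest_xml):
    """List exported, enabled providers whose read or write path has no permission."""
    findings = []
    for p in ET.fromstring(manifest_xml).iter("provider"):
        # Assumption: targetSdkVersion >= 17, so a missing android:exported means false.
        if attr(p, "exported", "false").lower() != "true":
            continue
        if attr(p, "enabled", "true").lower() == "false":
            continue
        general = attr(p, "permission")  # covers read and write when set
        unguarded = [op for op, key in (("read", "readPermission"),
                                        ("write", "writePermission"))
                     if not (attr(p, key) or general)]
        if unguarded:
            findings.append({"name": attr(p, "name"),
                             "authorities": attr(p, "authorities"),
                             "unguarded": unguarded})
    return findings

if __name__ == "__main__":
    for f in audit_providers(SAMPLE_MANIFEST):
        print(f"{f['name']} ({f['authorities']}): no permission on",
              ", ".join(f["unguarded"]))
```

On the sample, only NotesProvider is reported, with both read and write unguarded.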
