While experimenting with URIs that various Android file managers return from an intent with ACTION_GET_CONTENT, I found out something strange, that seems to me a major security problem, unless there is something that I misunderstand:
Both OI File Manager and ES File Explorer return URIs in the format "content://authority/path" where authority is "org.openintents.filemanager" or "com.estrongs.files" respectively, and path the file system path to the file.
Now when I create content URIs with these two authorities and use them in an app that does not have READ_EXTERNAL_STORAGE permission and never has presented any file picking dialog with ACTION_GET_CONTENT to the user, I can use these URIs to read the file contents without any security exception being raised. Thus by querying if one of these apps is present, an attacker could read any file on external storage whose name he is able to guess or construct without the user having granted this permission.
In light of these findings, do these apps fail to handle access to their content providers correctly and should be considered a major security threat for Android users, or is there some flaw in the Android permission architecture itself?
I found out in the mean time that in the case of OI File Manager this has been reported and fixed:
http://blog.k3170makan.com/2014/02/path-disclosure-vulnerability-in-io.html
https://github.com/openintents/filemanager/commit/78ffa735924292e541f3b7f20ead605f053f0df4
Unfortunately the version published on F-Droid is still vulnerable.
Related
I am looking for something along the lines of getExternalStorageDirectory that is available in both iOS and android. The purpose of this directory is to save and retrieve .json configuration files that would be later read back by the application. However the normal getApplicationDocumentsDirectory isn't really what I need. The user is likely to want direct access to the saved files to send them to friends, forums, etc.
Workflows might include:
User A emails a config to User B
User uploads a configuration to a forum
User downloads a configuration from a forum
User creates a configuration offline using a json editor
It seems like I must be missing something obvious here as this seems like a common requirement but I have not found a suitable way to do this.
Thanks
Assuming we're speaking of the path_provider plugin, it actually contains a function called getExternalStorageDirectory, though, as the documentation states, iOS prohibits the user from arbitrarily accessing any directory on the device. I would suggest checking for the platform. If on Android, use getExternalStorageDirectory for Android, and if on iOS, use getApplicationDocumentsDirectory and make it visible to the user. More on that here: How to save a text file in external storage in ios using flutter?
Can't think of any other way of achieving this, since iOS is very strict when it comes to file management (or anything else, really).
The Chrome Apps API has the very useful FileSystem API which allows a user to select a file for an app to edit (read and write changes to). However, with the entire Apps API soon to be removed, what other ways exists to edit a file on the local file system?
This is not an opinion-based question, I am asking for all conceivable alternatives.
Per https://developers.chrome.com/apps/migration:
Q: My app uses the chrome.fileSystem API to read and write user-specified files and / or directories. Can this be done on the open web?
A: In general, no. The open web can read single files that the user opens, but cannot retain access to those files, write to those files, or have any access to directories.
If it is critical for your app to read and write directories (e.g. it is a text editor with a folder view), you will need to either have a native helper app and extension combo, or create a native app.
I would like to add a link to a local file in confluence. Obviously this link would only work if the file is locally on the users computer. I understand that.
If I add the address like this :
file:///D:/dev/ngs-frontend/src/pages/myPage.html
The browser sends me to :
about:blank
If I try to add it with quotes like so :
"file:///D:/dev/ngs-frontend/src/pages/myPage.html"
..confluence crashes!
How is it possible in confluence?
As you mentioned when adding the web link in Confluence specifying the file using the file protocol (file:///) you might face the issue that it doesn't work.
Obviously this link would only work if the file is locally on the users computer.
This is not entirely true. If you open the developer tools you most likely will be getting the error "Not allowed to load local resource"
As measure of security the browser won't let you access files from a different origin, specially from the users computer (this would be a serious security risk). Only imagine if you could access the files in the Windows directory from the browser, you could break apart the operating system in no time (or steal user data).
This is explained in here
If you put the file in the same server Confluence is running, then this should work just fine. However I believe you can save time just adding the page as an attachment and loading it (Confluence is pretty decent at version controlling in case you want to modify the html file).
Hope this helps!
I accomplished writing an application code in Matlab. I create a .mat file and save data into it somewhere in the code. I converted it to a standalone application file.(exe) However, I don't want to give permission to the user to see and modify this .mat file because the application uses that file in the next executions. For this reason, I changed the permission settings by right clicking the folder and:
properties-Security-Advanced-Changed Permission
However, after changing the permission, the code cannot reach that file and fails while executing. How can I handle it?
To my opinion you are approaching this the wong way. To make that concept working, your application would require higher permissions than the user has, especially the user may not modify permissions. For the majority of self-administrated PCs this is impossible, because the primary user has full administrative rights, allowing to modify folder permissions.
For such cases the typical solution is encryption. Assume everyone can access your files, store only encrypted files to the hard drive.
I need to code in authentication information for specific parts of my website into my app. Is it at all possible for the app to be "decompiled" and the username and password exposed?
NSURL *url = [NSURL URLWithString:#"https://predefinedUsername:predefinedPassword#www.website.com"];
Yes, it is possible. Assume that if you have anything compiled into your app, it can [and will] be discovered by someone somewhere. Even if it isn't possible today, you are creating a frozen record of such information that will be vulnerable to any future attacks, known or unknown.
You really need the user to perform some task that authenticates them. There are a million and one ways to do that, and for every one of those, a million and two ways to do it wrong. :)
Without knowing more about your specific requirements, it is impossible to really say much more outside of "keep it simple and don't store or send anything in clear-text".
As #Hyperbole said, If you store the username and password in plain text it will be visible in the executable. It is extremely trivial to examine the executable for strings, and it's usually the first thing someone with malicious intent will try.
Right click on any app you've downloaded in iTunes and select show in finder. Make a copy of the app on your desktop and rename the app from AppName.ipa to AppName.zip. Double-click to unzip it, and look inside the folder. Navigate to the folder Payload and then right click on the (probably only) file in there called AppName that looks like an application but has a big circle with a cross through it for the icon. Select show package contents. Scroll through until you find a file called AppName with no extension and a blackish rectangle with the green word "exec" as an icon. Open that file in text edit or another text editor. You'll find that most of this ends up being random symbols and other crap, but you should occasionally see some plain text. The compiler takes string constants and embeds them directly in the app when you compile it in most cases.
You asked about what magazine apps and others do to access content - There are a ton of different ways to do it but off the top of my head, after the server verifies your in-app purchase receipt, the server would record an identifier specific to your iTunes account, saying that you've purchased a specific issue of the magazine. Then your app can request that file from the server, adding the identifier to the request in the process. The server would respond with the file once it looks through the database and determines that you've purchased the content.
Other solutions include signing/hashing a unique key.
Your example would expose the username and password without the need to decompile as you send it via plain text in a URL request. Anyone with a sniffer or MITM service yould snatch it out of the air. A better approach would be to make use of SSL via the http*s* protocol. You could go a step further and either prompt at runtime for the credentials and/or store an encrypted version within the app.
This is very bad because it is trivially easy to recover these credentials just by running 'strings' against the app binary without needing to decompile it.
Can't you pop up a dialogue box asking the user to enter the credentials when they first start the app ? Alternatively you could store them encrypted in a file and then ask the user for an alternative credential e.g. Passcode that derives the key but even this will not survive a determined attack unless the Passcode is long.