M 503: SomNote Vulnerable Content Provider (15 pts)

What You Need for This Project

Purpose

To find and exploit a vulnerable content provider

Somnote

Install the app, as shown below. The newest version works fine, as of Oct 31, 2022.

If you can't get the app from Google Play, download my archived copy.

Click "LOGIN WITH EMAIL", and enter any email and password, and click the Login button.

Responsible Disclosure

I notified SomCloud of problems years ago:

Putting a Secret into Somnote

On your Android device, launch Somnote.

If it asks for permissions, grant them.

In the login screen, as shown below, at the top right, click X.

A "VIP Privileges" box appears. At the top right, click X to close it.

Click "Get started with SomNote", as shown below.

On the next screen, at the top right, click the + sign.

Type in a secret message, as shown below.

At the top right, click Save.

At the lower right of your Android device, click the square button.

Close SomNote.

Retrieving Package Information

On your Debian or MacOS system, execute these commands, one at a time, to gather the APK file from your Android device.

You will need to use the output of the first command as the argument for the second, and the output of the second command as the argument for the third.

You may need to enter a path before the adb command, which you can get from Android Studio's SDK manager.

mkdir somnote
cd somnote
# List installed packages and filter for "som" to find the package name
adb shell pm list packages | grep som
# Print the on-device path of the APK for that package
adb shell pm path com.somcloud.somnote
# Pull the APK using the path printed by the previous command (yours will differ)
adb pull /data/app/~~HNM32dLVbMaP9JeCvYcVGg==/com.somcloud.somnote-8OLyAVyOD5U6QktuNq6EdQ==/base.apk

Viewing the Android Manifest

Launch Android Studio. Click File, Open. Open the somnote base.apk file.

In the center pane, scroll down to the AndroidManifest.xml file, as shown below.

Find the provider named "com.somcloud.somnote.database.SomNoteProvider", as shown below.

Notice that no permissions are required to access this provider.

The Android documentation, shown below, states that access permissions should be defined within the "provider" element:

Finding URIs with jadx-gui

Launch jadx-gui and load the Somnote base.apk file.

Click Navigation, "Text search".

Search for:

content://com.somcloud

As shown below, various URIs are found, including:

content://com.somcloud.provider.SomNote/notes/
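The manifest finding above (a provider with no permission attributes) and the authority found by the text search are exactly what a manifest audit should catch before an app ships. The following Python script is an added example, not part of this lab or of SomNote's code: it parses an AndroidManifest.xml, flags every exported provider that declares no android:permission, android:readPermission, android:writePermission or path-permission, and shows a hardened declaration beside the weak one. The two sample manifests are constructed for this example; only the provider class name and authority are taken from the lab, and the SDK levels, the android:exported value and the permission name com.somcloud.somnote.permission.NOTES are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem, name):
    """Return the android:<name> attribute of an element, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_unprotected_providers(manifest_xml):
    """Return the exported <provider> elements that declare no permission.

    A provider counts as exported if android:exported="true", or if the
    attribute is absent and the app targets API 16 or lower (the platform
    default for old targets; from API 17 the default is false). It counts as
    protected if it carries android:permission, android:readPermission or
    android:writePermission, or has at least one <path-permission> child.
    """
    root = ET.fromstring(manifest_xml)

    # The platform default for android:exported depends on the target SDK.
    target_sdk = 1
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None:
        level = (android_attr(uses_sdk, "targetSdkVersion")
                 or android_attr(uses_sdk, "minSdkVersion"))
        if level is not None:
            target_sdk = int(level)

    findings = []
    for provider in root.iter("provider"):
        exported_attr = android_attr(provider, "exported")
        if exported_attr is None:
            exported = target_sdk <= 16
        else:
            exported = exported_attr.strip().lower() == "true"
        if not exported:
            continue

        has_permission = any(
            android_attr(provider, attr)
            for attr in ("permission", "readPermission", "writePermission")
        )
        has_path_permission = provider.find("path-permission") is not None
        if not (has_permission or has_path_permission):
            findings.append({
                "name": android_attr(provider, "name"),
                "authorities": android_attr(provider, "authorities"),
            })
    return findings


# Constructed sample: the provider name and authority match the lab; every
# other attribute is an assumption made for this example.
VULNERABLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.somcloud.somnote">
    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
    <application>
        <provider
            android:name="com.somcloud.somnote.database.SomNoteProvider"
            android:authorities="com.somcloud.provider.SomNote"
            android:exported="true"/>
    </application>
</manifest>
"""

# Constructed hardened form: the provider is kept internal, and a
# signature-level permission (hypothetical name) guards any remaining access.
HARDENED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.somcloud.somnote">
    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
    <permission android:name="com.somcloud.somnote.permission.NOTES"
        android:protectionLevel="signature"/>
    <application>
        <provider
            android:name="com.somcloud.somnote.database.SomNoteProvider"
            android:authorities="com.somcloud.provider.SomNote"
            android:exported="false"
            android:permission="com.somcloud.somnote.permission.NOTES"/>
    </application>
</manifest>
"""


if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST),
                            ("hardened", HARDENED_MANIFEST)):
        hits = find_unprotected_providers(manifest)
        print("%s: %d unprotected exported provider(s)" % (label, len(hits)))
        for hit in hits:
            print("  %s (content://%s/...)" % (hit["name"], hit["authorities"]))
```

To run it against a real app, decode the APK's binary manifest to plain XML first (jadx-gui's "Save all" export or apktool both produce one) and pass the file contents to find_unprotected_providers. Any provider it reports is reachable with the same adb "content query" used in this lab by every app on the device, which is why the hardened form both sets android:exported="false" and attaches a signature permission.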

M 503.1: Reading from the Content Provider (15 pts)

On your MacOS or Linux system, execute this command:

adb shell content query --uri content://com.somcloud.provider.SomNote/notes/

The reply includes a list of fields, including the "title" and "content" fields, highlighted in the image below.

Find the text covered by a green box in the image above. That's the flag.

On your MacOS or Linux system, execute this command:

adb shell content query --uri content://com.somcloud.provider.SomNote/notes/ --projection title:content

The secret information is revealed, as shown below.

Updated to remove Drozer 10-31-22
Extraneous apktool command removed 11-1-22
More references to drozer removed 11-22-22