Validate Your File Inputs, Please

Some apps, and some devices, rely on the “magic file” or “magic directory” approach for finding files for input. They basically monitor some particular path on external storage (or, for devices, perhaps removable storage). When the magic file shows up, or a file is added to the magic directory, the app or device assumes that the file is something the user wants to be applied, and so the app or device reads in the file and does something with it automatically.

This is risky.

In particular, if an attacker can convince something else to write a file to the magic location, the attacker can arrange for any file to be consumed by the app or device. This can be almost trivial for an attacker to arrange if a poor choice of magic location is used (e.g., the Downloads directory on external storage, where browsers often write files).

Monitoring a magic location itself is not great, particularly if you use CPU- or RAM-wasting means to do so (e.g., long-running service and FileObserver ). But, at minimum, do not automatically do something with the file. Instead, display a Notification or otherwise get confirmation from the user, on the device, before proceeding.

Also, if the file to be consumed is a ZIP archive, please unpack it safely. This is particularly true for those of you using the multidex backport or other forms of dynamic classpath manipulation, as an attacker can inject malicious code into your app via a carefully-crafted ZIP file that you carelessly unpack.

Interested in learning Kotlin? Check out the Klassbook for Kotlin language lessons that you can run right in your browser!

— Oct 28, 2015