Your app(s) are using a content provider with an unsafe implementation of openFile

Question

I've received this email after publishing my app on playstore:

Hello Google Play Developer,

We reviewed [MyAppName], with package name com.example.myappname, and found that your app uses software that contains security vulnerabilities for users. Apps with these vulnerabilities can expose user information or damage a user’s device, and may be considered to be in violation of our Malicious Behavior policy.

Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please migrate your apps to use the updated software as soon as possible and increment the version number of the upgraded APK.

Your app(s) are using a content provider with an unsafe implementation of openFile.

To address this issue, follow the steps in this Google Help Center article.

Vulnerability APK Version(s) Deadline to fix Path Traversal Your app(s) are using a content provider with an unsafe implementation of openFile.

To address this issue, follow the steps in this Google Help Center article.

1 June 25, 2019 Vulnerability APK Version(s) Deadline to fix To confirm you’ve upgraded correctly, submit the updated version of your app to the Play Console and check back after five hours. We’ll show a warning message if the app hasn’t been updated correctly.

---

I've used Realm database, iText pdf library, file provider in my app. I'm using FileProvider to open pdf file from storage using intent.

res>xml>provider_paths.xml

<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <external-path
        name="external_files"
        path="." />
</paths>

AndroidManifest.xml

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="com.example.appName">

    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />

    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_icon"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_icon"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">

        ...

        <provider
            android:name="androidx.core.content.FileProvider"
            android:authorities="${applicationId}.provider"
            android:exported="false"
            android:grantUriPermissions="true">
            <meta-data
                android:name="android.support.FILE_PROVIDER_PATHS"
                android:resource="@xml/provider_paths" />
        </provider>
    </application>

</manifest>

TemplatesFragment.java

File file = new File(Environment.getExternalStorageDirectory().getAbsolutePath() + "/MyCvs/Templates/" + templateName);
        Uri uriPdf = FileProvider.getUriForFile(getActivity(), BuildConfig.APPLICATION_ID + ".provider", file);
        Intent target = new Intent(Intent.ACTION_VIEW);
        target.setDataAndType(uriPdf, "application/pdf");
        target.setFlags(Intent.FLAG_ACTIVITY_NO_HISTORY);
        target.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        Intent intent = Intent.createChooser(target, "Open File");
        try {
            startActivity(intent);
        } catch (Exception e) {
            // Instruct the user to install a PDF reader here, or something
            Toast.makeText(getActivity(), "" + e.getMessage(), Toast.LENGTH_SHORT).show();
        }

Answer 1

Don't put "." in the path, instead, give the name of the folder that you wanna use.

For example, If you want to access/use Download folder then in provider_paths.xml:

<?xml version="1.0" encoding="utf-8"?>
<paths>
    <external-path
        name="downloads"
        path="Download/" />
</paths>

Answer 2

They actually provide one with all one needs to know; see support.google.com:

Implementations of openFile in exported ContentProviders can be vulnerable if they do not properly validate incoming Uri parameters. A malicious app can supply a crafted Uri (for example, one that contains “/../”) to trick your app into returning a ParcelFileDescriptor for a file outside of the intended directory, thereby allowing the malicious app to access any file accessible to your app.

The FileProvider must reject any Uri containing .. ...which are deemed "exploitable".