10505 Judicial Drive, Suite 201 | Fairfax, VA 22030 | V: 703.352.2982 | F: 203.286.2533 | sales@kryptowire.com
6.1.2 Leagoo Z5C – Obtaining the Most Recent Text Message from each Conversation
Due to an exported broadcast receiver, a zero-permission third-party app can query the most recent text
message from each conversation. That is, for each phone number where the user has either texted or received
a text from, a zero-permission third party app can obtain the body of the text message, phone number, name
of the contact (if it exists), and a timestamp. The com.android.messaging app (versionCode=1000110,
versionName=1.0.001, (android.20170630.092853-0)) contains an exported content provider with a
name of com.android.messaging.datamodel.MessagingContentProvider. Below is the content
provider being declared in the com.android.messaging app’s AndroidManifest.xml file.
<provider
android:authorities="com.android.messaging.datamodel.MessagingContentProvider"
android:exported="true" android:label="@string/app_name"
android:name=".datamodel.MessagingContentProvider"/>
As the querying of the content provider can be performed silently in the background, it can be continuously
monitored to check to see if the current message in each conversation has changed and record any new
messages. To query the most recent text message for each conversation, the app simply needs to query a
content provider in the standard way where the authority string is
com.android.messaging.datamodel.MessagingContentProvider/conversations. Below is the
output of querying this content provider. The text messages that are sent by the device owner are the ones
where the snippet_sender_display_destination field is empty.
Row: 0 _id=2, name=(703) 555-0001, current_self_id=1, archive_status=0, read=1,
icon=messaging://avatar/d?i=%2B17035550001, participant_contact_id=-2,
participant_lookup_key=NULL, participant_normalized_destination=+17035550001,
sort_timestamp=1526866037215, show_draft=0, draft_snippet_text=, draft_preview_uri=,
draft_subject_text=, draft_preview_content_type=, preview_uri=NULL, preview_content_type=NULL,
participant_count=1, notification_enabled=1, notification_sound_uri=NULL,
notification_vibration=1, include_email_addr=0, message_status=100, raw_status=0,
message_id=12, snippet_sender_first_name=NULL, snippet_sender_display_destination=(703) 555-
0001, snippet_text=Here is a text message, subject_text=NULL
Row: 1 _id=3, name=(703) 555-0002, current_self_id=1, archive_status=0, read=1,
icon=messaging://avatar/d?i=%2B17035550002, participant_contact_id=-2,
participant_lookup_key=NULL, participant_normalized_destination=+17035550002,
sort_timestamp=1526863999559, show_draft=0, draft_snippet_text=, draft_preview_uri=,
draft_subject_text=, draft_preview_content_type=, preview_uri=NULL, preview_content_type=NULL,
participant_count=1, notification_enabled=1, notification_sound_uri=NULL,
notification_vibration=1, include_email_addr=0, message_status=1, raw_status=0, message_id=8,
snippet_sender_first_name=Mike, snippet_sender_display_destination=, snippet_text=Test. Holla
back, subject_text=NULL
Row: 2 _id=1, name=Random Guy, current_self_id=1, archive_status=0, read=1,
icon=messaging://avatar/l?n=Random%20Guy&i=1516r11-4B29432F4541355159,
participant_contact_id=11, participant_lookup_key=1516r11-4B29432F4541355159,
participant_normalized_destination=+17035550003, sort_timestamp=1526863649747, show_draft=0,
draft_snippet_text=, draft_preview_uri=, draft_subject_text=, draft_preview_content_type=,
preview_uri=NULL, preview_content_type=NULL, participant_count=1, notification_enabled=1,
notification_sound_uri=NULL, notification_vibration=1, include_email_addr=0, message_status=1,
raw_status=0, message_id=5, snippet_sender_first_name=Mike,
snippet_sender_display_destination=, snippet_text=Here is a longer message. One more,
subject_text=NULL