Hello everyone! Welcome to pentestguy. In this post, we are going to look at insecure data storage with AndroGoat. As we know, insecure data storage is one of the most common vulnerabilities found in mobile applications, so this post might help you deal with the real-time scenarios present in the AndroGoat app. Do visit the previous post on insecure data storage from this link.
What is AndroGoat?
AndroGoat is an intentionally vulnerable application that helps you understand and demonstrate real-world Android app pentesting scenarios. It is built in Kotlin.
Installing AndroGoat on Your Device
Download the AndroGoat apk from this link.
Install it using the following adb command:
adb install AndroGoat.apk
Note: I’m using Parrot Sec OS as my host operating system and Android Studio for the virtual device.
To test insecure data storage effectively, install the app on your device and analyse the files and folders located in the /data/data/ directory before launching the app. Then open the app, explore all possible options, and analyse the files and folders again to identify modified or newly created items.
Use an ADB shell to navigate to the targeted application's directory, where all the data related to the app is stored. To find the location of the targeted app, use the following commands:
adb shell
cd /data/data
ls | grep owasp
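As an added example that is not part of the original post, the script below automates the before/after comparison described above on two copies of the app's data directory that have already been pulled to the host (for example via adb pull or a run-as tar), and then flags SharedPreferences keys whose names look like secrets. The key-name list in flag_sensitive_prefs is my own heuristic, and the directory names used are assumptions.

```shell
#!/bin/sh
# Added example: diff two local snapshots of /data/data/<package> taken before
# and after interacting with the app. Assumes both trees were pulled to the host
# first (directory names are constructed; paths must not contain spaces).

# Snapshot a directory tree: one line per file, "<crc> <size> ./relative/path",
# sorted by path so two snapshots can be compared record by record.
snapshot_dir() {
  (cd "$1" && find . -type f -exec cksum {} + | sort -k3)
}

# Compare two snapshot files. Prints "NEW <path>" for files that did not exist
# before and "CHANGED <path>" for files whose content checksum differs.
compare_snapshots() {
  awk '
    FILENAME == ARGV[1] { seen[$3] = $1; next }    # remember the before state
    !($3 in seen)       { print "NEW " $3; next }  # created by the app
    seen[$3] != $1      { print "CHANGED " $3 }    # rewritten by the app
  ' "$1" "$2"
}

# Convenience wrapper: snapshot two directory trees and report the differences.
find_changes() {
  before=$(mktemp) ; after=$(mktemp)
  snapshot_dir "$1" > "$before"
  snapshot_dir "$2" > "$after"
  compare_snapshots "$before" "$after"
  rm -f "$before" "$after"
}

# Heuristic: flag SharedPreferences entries such as
#   <string name="password">...</string>
# whose key name suggests a secret. Prints "<file>:<key>" for each hit.
flag_sensitive_prefs() {
  grep -Eio 'name="[^"]*(pass|pwd|secret|token|key|pin)[^"]*"' "$@" /dev/null \
    | sed 's/name="\(.*\)"/\1/'
}
```

Run find_changes ./before ./after after exercising the app, then pass any NEW or CHANGED XML files under shared_prefs to flag_sensitive_prefs to see which keys deserve a closer look.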
Example 1: Plain Text XML File
In this scenario, a plain text XML file named users.xml in the shared_prefs directory stores sensitive data, including usernames and passwords.
Follow the commands given below to check the sensitive data:
cd shared_prefs
cat users.xml
Example 2: Modifying Score Without Button Press
When the user hits the score button, an XML file named score.xml is created in the shared_prefs directory. Achieve a score of 10000 without pressing the button by pulling, editing, and pushing the XML file.
Use the command given below to copy the XML file to the local system, then edit it using any text editor (the original post wrote run -as; the adb command is run-as):
adb shell "run-as owasp.sat.agoat cat /data/data/owasp.sat.agoat/shared_prefs/score.xml" > score.xml
Push the updated XML file to the Android device:
adb push score.xml /data/local/tmp
Replace the original file with the updated one using the command given below (from an adb shell with permission to write to the app's directory). Then restart the application, press the score button, and observe the modified score.
cp /data/local/tmp/score.xml /data/data/owasp.sat.agoat/shared_prefs/
Example 3: SQLite Database
In this scenario, data is stored in an SQLite database. Check for a newly created directory or file (e.g., the aGoat database file) in the databases directory.
Copy the file to the local system and view the sensitive data using sqlitebrowser; if you don't have sqlitebrowser, install it with apt (apt install sqlitebrowser).
Example 4: Sensitive Data in Temporary Files
After user interaction, the app functionality stores sensitive data in a temporary file.
Analyse newly created files or folders in the targeted app's directory.
Example 5: External Storage (SD Card)
The app functionality stores data on the SD card.
Ensure AndroGoat has the required storage permission.
Monitor the SD card location for the creation of new files.
For further learning on insecure data storage, refer to the OWASP Mobile Top 10 and the OWASP Mobile Testing Guide.
If you found this post helpful, please share it with your co-workers and friends. Please leave your valuable comments and let us know if you have any suggestions. You can now also collaborate with us; please check our collaboration page. Thank you!