AndroGoat Insecure Data Storage

Hello everyone! Welcome to pentestguy. In this post we are going to look at insecure data storage with AndroGoat. Insecure data storage is one of the most common vulnerabilities found in mobile applications, so this post should help you deal with the real-world scenarios present in the AndroGoat app. Do visit the previous post on insecure data storage from this link.

What is AndroGoat?

AndroGoat is an intentionally vulnerable application that helps you understand and demonstrate real-world Android app pentesting scenarios. It is built in Kotlin.

Installing AndroGoat on Your Device

Download the AndroGoat APK from this link.

Install it using the following adb command:

adb install AndroGoat.apk

Note: I’m using Parrot Sec OS as my host operating system and Android Studio for the virtual device.

To effectively test insecure data storage, install the app on your device and analyze the files and folders located in the /data/data/ directory without launching the app. Then, open the app, explore all possible options, and reanalyze the files and folders to identify modifications or newly created items.

Use ADB shell to navigate to the targeted application location where all the data related to the app is stored. To find the location of the targeted app, use the following command:

adb shell
cd /data/data
ls | grep owasp

Example 1: Plain Text XML File

In this scenario, a plain-text XML file named users.xml in the shared_prefs directory stores sensitive data, including usernames and passwords.

Follow the commands given below to check the sensitive data.

cd shared_prefs
cat users.xml

Example 2: Modifying Score Without Button Press

When the user hits the score button, an XML file named score.xml is created in the shared_prefs directory. The challenge is to achieve a score of 10000 without pressing the button, by pulling, editing, and pushing the XML file.

Run the command given below to copy the XML file to the local system, then edit it using any text editor.

adb shell "run-as owasp.sat.agoat cat /data/data/owasp.sat.agoat/shared_prefs/score.xml" > score.xml

Push the updated XML file to the Android device:

adb push score.xml /data/local/tmp

Replace the original file with the updated one using the command given below (run inside adb shell; the file was pushed to /data/local/tmp in the previous step). Then restart the application, press the score button, and observe the modified score.

cp /data/local/tmp/score.xml /data/data/owasp.sat.agoat/shared_prefs/
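
An added example, not code from the original post or from AndroGoat: a small Python audit that parses the SharedPreferences XML layout of files like users.xml and score.xml and flags keys holding plain-text credentials, the finding Examples 1 and 2 show by hand. The sample file content and the sensitive-key heuristic are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout Android writes for SharedPreferences;
# it is not the real contents of AndroGoat's users.xml.
SAMPLE_USERS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">Summer2024!</string>
    <int name="score" value="0" />
    <boolean name="logged_in" value="true" />
</map>
"""

# Heuristic (an assumption, extend as needed): key names that usually hold
# credentials or other secrets.
SENSITIVE_KEY_RE = re.compile(r"pass|pwd|secret|token|api_?key|credential", re.I)


def parse_shared_prefs(xml_text):
    """Return {key: value} for every entry in a SharedPreferences XML dump (str)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "map":
        raise ValueError("not a SharedPreferences file: root is <%s>" % root.tag)
    prefs = {}
    for el in root:
        name = el.get("name")
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag == "set":  # putStringSet() writes nested <string> children
            prefs[name] = [s.text or "" for s in el.findall("string")]
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "float":
            prefs[name] = float(el.get("value"))
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
    return prefs


def find_sensitive_entries(prefs):
    """Entries whose key matches the heuristic and whose value is not empty."""
    return {k: v for k, v in prefs.items()
            if k and SENSITIVE_KEY_RE.search(k) and v not in ("", None, [])}


if __name__ == "__main__":
    prefs = parse_shared_prefs(SAMPLE_USERS_XML)
    for key, value in find_sensitive_entries(prefs).items():
        print("plain-text sensitive entry: %s = %r" % (key, value))
```

Feed it the output of the `adb shell "run-as ... cat ..."` command above instead of the sample to audit a real dump; any hit is a finding, since SharedPreferences files are written unencrypted.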

Example 3: SQLite Database

In this scenario, data is stored in an SQLite database. Check for a newly created directory or file (e.g., the aGoat database file) in the databases directory.

Copy the file to the local system and view the sensitive data using DB Browser for SQLite. If you don't have sqlitebrowser, install it with apt: apt install sqlitebrowser.

Example 4: Sensitive Data in Temporary Files

After user interaction, the app stores sensitive data in a temporary file.

Analyse newly created files or folders in the targeted app’s directory.

Example 5: External Storage (SD Card)

The app stores data on the SD card.

Ensure AndroGoat has the required storage permission.

Monitor the SD card location for the generation of new files.

For further learning on insecure data storage, refer to the OWASP Mobile Top 10 and the OWASP Mobile Testing Guide.

If you found this post helpful, please share it with your co-workers and friends. Leave a comment and let us know if you have any suggestions. You can also collaborate with us; please check our collaboration page. Thank you!