
Insecure Data Storage – Dynamic Analysis

Hi everyone, back with another post on Android penetration testing. In this post we are going to focus on insecure data storage from the OWASP Mobile Top 10.

According to the OWASP Top 10 for Mobile applications, insecure data storage is number nine, and it's easy to exploit. For this kind of Android penetration testing, the tester uses Genymotion or a physical device with developer options enabled, plus the simple ADB tool (drozer can also be used). ADB can be installed directly on Linux, or you can use Appie, which bundles it. Here I am using Appie. Why? The answer is simple: it's easy to use.

What is Insecure Data Storage?

Insecure data storage occurs when a developer stores sensitive data in plaintext in various places and formats. For example, user details may be stored in a database after logging in to an application, credentials may be stored in a text file, and so on.

Note: The best way to test for insecure data storage is to install the app on the device and then analyze its files and folders under /data/data/ before opening the app. Then open the app, exercise every available option, and analyze the files and folders again to identify anything that was modified or newly created.

If you don't know how to install Genymotion on Linux or Windows, please check the video given below.

For the demonstration of insecure data storage, we are going to work through the examples from the DIVA application. DIVA stands for Damn Insecure and Vulnerable App for Android, and it contains four different insecure data storage examples.
Download the DIVA application from this link: https://github.com/0xArab/diva-apk-file/blob/main/DivaApplication.apk

Connect the device using ADB, open a shell, and find the data directory of the target app.

adb devices
adb shell
cd data/data
ls | grep diva
[Image: adb-commands]

In the commands above, we open a shell on the device, change into /data/data, and locate the DIVA package directory with ls and grep.

Example 1

In this scenario, sensitive data (username and password) is stored in an XML file in plaintext. Any malicious app with storage permission can easily access that sensitive data.

[Image: insecure-data-storage-example-1]

In the scenario above, enter a username and password and click the Save button.

When you click the Save button, an XML file is generated in the shared_prefs directory; from the UI alone it's unclear whether sensitive data is stored. We need to inspect the file to determine whether any sensitive information is written after specific actions are performed.

[Image: damm-insecure-vulnerable-app]

Example 2

In this scenario, the same username and password are stored in a database. Pull the database file to our system and open it in sqlitebrowser, a tool for browsing and modifying the data in SQLite databases. Here we are using Appie again, which includes both ADB and sqlitebrowser.

[Image: insecure-data-storage-example-2]

In the example above, the scenario and UI look the same, but the data is stored at a different location.

First we need to find out which file contains the sensitive data, and for that we need to check each and every file.

[Image: diva-android-vulnerable-app]

Here we pull the file to our local system and then open it in sqlitebrowser.

[Image: insecure-database-diva-application]

Example 3

In this scenario, sensitive data is stored in a temporary file.

[Image: insecure-data-storage-example-3]

The temp file is stored in the data directory of the DIVA application. Don't forget to analyze which files and folders are newly created after the user performs certain operations.

[Image: tmp-file-diva-application]

Example 4

In this scenario, data is stored in an external location, the SD card. During static analysis the tester may see a warning that data may be written to external storage; in such cases, make sure to check the data on the external storage as well.

[Image: insecure-data-storage-example-4]

Make sure to always use the ls -la option, because some files may be hidden.

[Image: cat-sd-card-file-diva]
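The before/after check from the note above, scripted as an added example that is not part of the original post or of the DIVA project: it snapshots an app data directory, "uses the app", snapshots again, and scans each new or modified file for plaintext credentials in a shared_prefs XML, a SQLite database, or a hidden temp file. The directory layout, file names, key names and values are constructed stand-ins; against a real device you would adb pull the package directory before and after exercising the app and pass the two pulled copies to snapshot().

```python
import hashlib, os, re, sqlite3, tempfile

# Key/column names worth flagging when their values appear in plaintext (heuristic, an assumption).
SENSITIVE = re.compile(r"user|pass|secret|token|cred", re.I)

def snapshot(root):
    """Map relative path -> sha256 for every file under root (dotfiles included, as with ls -la)."""
    out = {}
    for d, _, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            out[os.path.relpath(p, root)] = hashlib.sha256(open(p, "rb").read()).hexdigest()
    return out

def changed_files(before, after):
    """Files that are new or modified between two snapshots (what to inspect after using the app)."""
    return sorted(p for p, h in after.items() if before.get(p) != h)

def scan_file(path):
    """Return (name, value) pairs for sensitive-looking plaintext in a prefs XML, SQLite db or raw file."""
    raw = open(path, "rb").read()
    if raw.startswith(b"SQLite format 3\x00"):            # Example 2: walk every table and column
        con, hits = sqlite3.connect(path), []
        for (t,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
            cur = con.execute(f'SELECT * FROM "{t}"')
            cols = [c[0] for c in cur.description]
            hits += [(f"{t}.{c}", v) for row in cur for c, v in zip(cols, row) if SENSITIVE.search(c)]
        con.close()
        return hits
    # Example 1: <string name="k">v</string> in shared_prefs; Examples 3/4: key=value or key:value text
    pat = r'<string name="([^"]+)">([^<]*)</string>' if path.endswith(".xml") else r"(\w+)\s*[:=]\s*(\S+)"
    return [(k, v) for k, v in re.findall(pat, raw.decode("utf-8", "replace")) if SENSITIVE.search(k)]

def demo():
    """Constructed stand-in for /data/data/<package>: snapshot, 'use the app', snapshot again, scan."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "shared_prefs")); os.makedirs(os.path.join(root, "databases"))
    before = snapshot(root)
    # Simulated effects of Examples 1-3 (constructed data): prefs XML, SQLite database, hidden temp file
    with open(os.path.join(root, "shared_prefs", "prefs.xml"), "w") as fh:
        fh.write('<map>\n  <string name="user">alice</string>\n  <string name="password">s3cret</string>\n</map>\n')
    con = sqlite3.connect(os.path.join(root, "databases", "userdb"))
    con.execute("CREATE TABLE myuser(user TEXT, password TEXT)")
    con.execute("INSERT INTO myuser VALUES ('alice', 's3cret')")
    con.commit(); con.close()
    with open(os.path.join(root, ".uinfo.tmp"), "w") as fh:       # hidden file: only ls -la shows it
        fh.write("user=alice\npassword=s3cret\n")
    return {p: scan_file(os.path.join(root, p)) for p in changed_files(before, snapshot(root))}
```

Calling demo() returns a dict of changed file -> findings; all three constructed files are reported because their sensitive values are stored in plaintext.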

To learn more about insecure data storage, check this OWASP link: https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage and also check this OWASP mobile testing guide link: https://github.com/OWASP/owasp-masvs/blob/master/Document/0x07-V2-Data_Storage_and_Privacy_requirements.md

If you found this post helpful, please share it with your co-workers and friends. Please leave your valuable comments and let us know if you have any suggestions. You can now also collaborate with us; please check our collaboration page. Thank you!