Insecure Logging – Android Penetration Testing

Hi everyone, welcome to pentestguy, back with another post on Android application penetration testing. In this post we focus on insecure logging. For this kind of testing the tester uses Genymotion or a physical device with developer options enabled, together with the ADB tool (drozer can also be used). ADB can be installed directly on Linux, or you can use Appie; here I am using Appie, and the reason is simple: it is easy to use.

Insecure data storage has several parts. The first is storing sensitive data in XML or txt files or in a database; the other issue we can find is sensitive data being written to the logs.

If you would like to know about the first part, check this article on Android VAPT – https://pentestguy.com/android-app-pentesting-static-analysis/

In this article we focus on testing logs for sensitive data.

If you don’t know how to install Genymotion on Linux or Windows, please check the video below.

For the demonstration of testing logs for sensitive data, we are going to look at examples from the DIVA application and InsecureBank v2.
Download the DIVA application from the link – https://github.com/0xArab/diva-apk-file/blob/main/DivaApplication.apk
Download the InsecureBank v2 from the link – https://github.com/dineshshetty/Android-InsecureBankv2

Example 1

We will tackle the first challenge in DIVA, which revolves around insecure logging, and that is the demonstration we are about to perform. Put simply, the application writes data to the logs, and we present this as an example of insecure data storage in logs.

[Image: insecure-logging-diva-app]

In the above image there is a simple credit card checkout scenario whose details are going to be written to the logs. In real applications there are many such scenarios: credentials stored in logs on a successful or failed login, on a password change, or whenever the user provides something sensitive to the application.

Here we are going to use logcat via adb and we are going to grep for our targeted application.

adb logcat | grep diva
[Image: adb-logcat-diva]

Let’s take the other two examples from Insecure Bank v2.

Example 2

When the user logs in, the credentials are stored in the logs in plain text. But first, make sure the InsecureBank server is set up and configured in the app’s preference settings.

[Image: insecure-logging-insecurebankv2]

Here we are going to use logcat via adb and we are going to grep for our targeted application.

adb logcat | grep "$(adb shell ps | grep com.android.insecurebankv2 | awk '{print $2}')"
[Image: adb-logcat-insecurebankv2]

In the above image we can see the credentials in the logs captured with logcat.

Example 3

The same issue exists in the change-password functionality: keep logcat running and try to change the password.

[Image: insecure-logging-change-password-insecurebankv2]

We get the change-password log entries, which include the old password as well as the new one.

[Image: logcat-insecure-logs]
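The filtering the three examples do by hand with adb logcat and grep, written up as a small Python checker that scans logcat output for the kinds of leaks shown above (credentials on login and password change, a card number at checkout) and can restrict itself to the target app’s PIDs. This is an added example, not code from the original post or from the DIVA/InsecureBank projects; the log lines, tags and PIDs are constructed for illustration.

```python
import re

# Constructed sample logcat output (threadtime format) modelled on the DIVA and
# InsecureBankv2 findings above; these are not real captured lines.
SAMPLE_LOGCAT = """\
03-12 10:21:05.123  4321  4321 E diva-log: Error while processing transaction with credit card: 4111111111111111
03-12 10:21:09.456  4322  4322 D InsecureBank: Login attempt with username=jack password=Secret@123
03-12 10:21:15.789  4322  4322 D InsecureBank: Change password: old=Secret@123 new=Secret@456
03-12 10:21:20.001  1000  1000 I ActivityManager: Displayed com.android.insecurebankv2/.LoginActivity
"""

# One logcat 'threadtime' line: date time PID TID level tag: message
LOGCAT_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF]) (?P<tag>[^:]+):\s?(?P<msg>.*)$"
)

# What to flag: credential-style key/value pairs and card-length digit runs
SENSITIVE_PATTERNS = {
    "credential": re.compile(r"\b(?:password|passwd|pwd|pin|token|secret)\s*[=:]", re.I),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

def luhn_ok(digits):
    """Luhn checksum: keeps only digit runs that are plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def find_sensitive(text, pids=None):
    """Return (pid, tag, kind, message) for lines leaking a credential or card number;
    pids optionally limits the scan to the target app's PIDs (cf. 'adb shell ps' above)."""
    findings = []
    for line in text.splitlines():
        entry = LOGCAT_RE.match(line)
        if not entry or (pids and entry["pid"] not in pids):
            continue  # not a log line in threadtime layout, or another process
        for kind, pattern in SENSITIVE_PATTERNS.items():
            m = pattern.search(entry["msg"])
            # digit runs that fail Luhn (ids, timestamps) are not reported as card numbers
            if m and (kind != "card_number" or luhn_ok(re.sub(r"\D", "", m.group(0)))):
                findings.append((entry["pid"], entry["tag"], kind, entry["msg"]))
    return findings
```

To use it against a device, pipe `adb logcat -v threadtime` into a file and pass its contents to `find_sensitive`, with `pids` set from the PID lookup shown in Example 2.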

That’s all about testing logs for sensitive data, but remember that this example belongs to dynamic testing/analysis. If you are interested in doing the static analysis for the same issue, please refer to the MASTG – https://mas.owasp.org/MASTG/tests/android/MASVS-STORAGE/MASTG-TEST-0003/#static-analysis

I hope you enjoyed this article; do comment if I missed anything, and you can also suggest new topics to me. Thank you!!