
Tuesday, 28 July 2015

Android Insecure Data Storage



Insecure Data Storage

One of the biggest concerns for mobile devices and applications is loss or theft. If a malicious user obtains a device, it is possible to explore the filesystem and data storage mechanisms.

For this tutorial we will use Appie and the GoatDroid Project. You can install the APK file on your device or emulator. To start the app using Appie, simply type 'goatdroid'.



The GoatDroid interface should open up. You can select either of the two apps on the left-hand side; for this tutorial we will use Four Goats. In the main pane, select 'start web service'.



Run the ipconfig command on your Appie instance to identify the IP address of your local machine.


Open up the Four Goats application on the device or emulator. Select 'Destination Info' from the dropdown menu. On this page, enter the IP address of your local machine; the default port can remain the same.


You should now be able to log in to the Four Goats application with goatdroid/goatdroid.


If successful you will see a page similar to below.


On Android, application data resides in the /data/data folder. To access this folder, type 'adb shell' in the Appie command prompt, then run 'su' to get root privileges. Then type 'cd /data/data' to get to the folder, where you will see a list of packages.


Locate the Four Goats package: org.owasp.goatdroid.fourgoats



Navigate to the shared_prefs folder, where you will see a number of files. An obviously interesting file is credentials.xml; use the cat command to view its contents. You can see that the username-password pair is stored unencrypted in this file.
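The same check can be automated during an app review. The following is an added example, not part of the original post: a Python audit that parses SharedPreferences XML files from a copy of an app's shared_prefs directory and flags string entries whose key name suggests a secret and whose value is readable text. The key-name patterns, function names and sample XML are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Key names that suggest a secret (assumed list; extend it for the app under review).
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)
# Heuristic: long base64-like values are probably encrypted or encoded, not typed text.
OPAQUE = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")

# Constructed sample in the SharedPreferences XML layout (not taken from the device).
SAMPLE_CREDENTIALS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">example-password</string>
    <boolean name="remember" value="true" />
</map>"""
# Constructed sample of an opaque-looking value under a sensitive key.
SAMPLE_HARDENED = '<map><string name="auth_token_enc">q1Zx8Jt0mC5vB2nL7sK4dR9wE6yU3hG1</string></map>'

def audit_prefs(xml_text, filename="<prefs>"):
    """Flag <string> entries whose key looks sensitive in one preferences file."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    if root.tag != "map":  # SharedPreferences files use a <map> root element
        return findings
    for entry in root.iter("string"):
        key, value = entry.get("name", ""), entry.text or ""
        if not value or not SENSITIVE.search(key):
            continue
        severity = "review" if OPAQUE.match(value) else "plaintext"
        # Report the length only, so the audit output never repeats the secret.
        findings.append({"file": filename, "key": key,
                         "severity": severity, "length": len(value)})
    return findings

def audit_dir(path):
    """Audit every *.xml file in a copy of an app's shared_prefs directory."""
    findings = []
    for f in sorted(Path(path).glob("*.xml")):
        try:
            findings += audit_prefs(f.read_text(encoding="utf-8"), f.name)
        except ET.ParseError:
            findings.append({"file": f.name, "key": None,
                             "severity": "unparseable", "length": 0})
    return findings

if __name__ == "__main__":
    for finding in audit_prefs(SAMPLE_CREDENTIALS, "credentials.xml"):
        print(finding)
```

A "review" result only means the value looks opaque; it still needs a manual check of how the key protecting it is stored.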



Android Best Practices - OWASP


  • For local storage, the enterprise Android device administration API can be used to force encryption of local file stores using “setStorageEncryption”.
  • For SD Card Storage some security can be achieved via the ‘javax.crypto’ library. You have a few options, but an easy one is simply to encrypt any plain text data with a master password and AES 128.
  • Ensure any shared preferences properties are NOT MODE_WORLD_READABLE unless explicitly required for information sharing between apps.
  • Avoid exclusively relying upon hardcoded encryption or decryption keys when storing sensitive information assets.
  • Consider providing an additional layer of encryption beyond any default encryption mechanisms provided by the operating system.
