Introduction
In this series of articles, we will look into some common approaches for Android App penetration testing. Our focus is to cover OWASP Mobile top 10 with various tools and techniques as it is the most common standard that many organizations and security professionals follow.
Below is the TOP 10 list from www.owasp.org
M1: Insecure Data StorageM2: Weak Server Side ControlsM3: Insufficient Transport Layer ProtectionM4: Client Side InjectionM5: Poor Authorization and AuthenticationM6: Improper Session HandlingM7: Security Decisions Via Untrusted InputsM8: Side Channel Data LeakageM9: Broken CryptographyM10: Sensitive Information Disclosure
Insecure Data Storage
Android provides a variety of ways to save persistent application data. Following are the most common ways of storing data by an Android Application.
Shared PreferencesInternal StorageExternal StorageSQLite DatabasesNetwork Connection
Device loss is a very common problem with mobile devices. An attacker who has physical access to the device may perform various types of attacks ranging from stealing personal data to theft of corporate sensitive information. Situation could be worse if the device is rooted.
So, keeping the this fact in mind, if the above mentioned ways for storing data by an application not implemented properly, may lead to serious attacks. In this article, we will look into how one can look into SharedPreferences for sensitive information.
Shared Preferences:
"Shared Preferences" allows a developer to save and retrieve persistent key-value pairs of primitive data types such as booleans, floats, ints, longs, and strings.
Let us see, how we can test an app to see if it is storing any sensitive information on this device with out proper security enforcement.
I have developed a very simple app for demo purpose. the functionality of the app is described in later sections.
You can download it from here.
Once after downloading it, install it onto the emulator as shown below.
I am using adb to do it.
C:\<adb path>adb devices
C:<adb path>adb install M1-SharedPrefs.apk
As you can see, it has been installed. Now, you should see a new icon on your emulator.
Functionality of test app
Once if you launch the application, you can see three options as shown in Figure 1.3
Figure 1.3
Now, Click the first option and store some sample card details by filling in the details it asks. You can see the same details by clicking "View Card Details" and entering your name. You can clear the data by using "Clear Card Details" Option.
I have entered my details into the app as shown in Figure 1.4
.
Figure 1.4
So, this is the functionality of the app from an end user's point of view. Now, lets go ahead and check how it is storing the data we entered into it.
Get an adb shell on the emulator using the following command.
C:\<adb path>adb shell
Now, navigate to /data/data directory as shown below.
C:\<adb path>cd /data/data
This is where all the user installed applications will be. So, our app will be here in this directory. Let us check it's package name by using ls & grep as shown in Figure 1.5
Now, Navigate into this directory "com.example.m1_shared" and give an ls
We can clearly see, this app has "shared_prefs" directory. So lets get into this directory and open the bankdetails.xml file inside it as shown in Figure .
As you can clearly see it has the bank details inside it as name value pairs. This is how many apps store their game scores and other interesting stuff. If it contains any sensitive data as shown in the above example, it is pretty easy for an attacker to steal it.
Note: Shared Preferences used to have features called "MODE_WORLD_READABLE" and "MODE_WORLD_WRITABLE" which enable other apps/users to read/modify the app's data. Those features are deprecated from API level 17.
No comments:
Post a Comment