Android Insecure Data Storage
Android apps usually store data locally in these places:
- Shared preferences
- SQLite databases
- Internal storage
- External storage
Shared preferences are stored in an XML file in the app’s data folder under the
SQLite databases are relational databases that keep all their data in a single file, which makes them well suited to storing structured data on mobile. The database is accessible only to the app that owns it, not to other apps; a content provider is used to expose this data.
Apps can also create folders under their private folder in
This folder is private to the app and other apps cannot access it.
External storage is world readable and writable: any app with the
Insecure Storage Demo
We will use the OWASP GoatDroid Android app for the demo.
Install the Goatdroid Android apk
adb install OWASP\ GoatDroid-\ FourGoats\ Android\ App.apk
Start the server
The Android app connects to a web service. Let's start the web service. Navigate to the folder with the unzipped OWASP GoatDroid.
java -jar goatdroid-0.9.jar
- Choose the ‘SDK Path’ under the
- Click the Web Services tab and change the HTTP and HTTPS ports if required, otherwise leave them at the defaults.
- Open the device and, on the home screen, open the Settings and enter the IP address and port of the web server.
You should now be able to login.
Finding the default login
The app has a default login, and it is stored insecurely. Let's find out what the default username and password are.
Get a shell on the device
Navigate to the FourGoats data folder
Let's look at the app's folders:
# ls -l
drwxrwx--x u0_a49 u0_a49 2017-01-08 20:45 cache
drwxrwx--x u0_a49 u0_a49 2017-01-08 20:45 databases
drwxr-xr-x system system 2017-01-08 20:45 lib
drwxrwx--x u0_a49 u0_a49 2017-01-08 20:48 shared_prefs
The two interesting folders are
shared_prefs. Let's look into each of them.
Let's check the files here:
# ls -l
-rw-rw-r-- u0_a49 u0_a49 197 2017-01-08 20:48 credentials.xml
-rw-rw-r-- u0_a49 u0_a49 148 2017-01-08 20:48 destination_info.xml
-rw-rw-r-- u0_a49 u0_a49 140 2017-01-08 20:48 proxy_info.xml
The credentials.xml file looks interesting; let's open it:
# cat credentials.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="password">goatdroid</string>
<boolean name="remember" value="true" />
<string name="username">goatdroid</string>
</map>
There we have it. Let's try to log in with the username and password we found; the combination works. Alternatively, we could have reverse engineered the app and looked at what the code does on login.
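As an added example (not part of the original article and not code from the GoatDroid project), the following Python script parses a shared_prefs XML file of the kind shown above and flags entries kept in the clear under secret-looking keys. This is the check an app reviewer runs over every file in a shared_prefs folder. The sample document and the key-name pattern are constructed for this example; the handling of `<string>`, `<set>` and the value-attribute types follows the format Android writes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shared_prefs format (the credentials.xml above has
# this shape); not a file pulled from a device.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="password">goatdroid</string>
    <boolean name="remember" value="true" />
    <string name="username">goatdroid</string>
    <int name="launch_count" value="3" />
    <string name="session_token">tok_constructed_0123</string>
    <set name="recent_hosts">
        <string>10.0.2.2</string>
        <string>192.168.0.10</string>
    </set>
</map>
"""

# Key names that commonly mark secrets in preference files. This is an
# auditing heuristic assumed for the example, not an exhaustive list.
SENSITIVE_KEY_RE = re.compile(r"pass|pwd|pin|secret|token|auth|cred|key", re.I)


def parse_shared_prefs(xml_text):
    """Return {name: value} for a shared_prefs <map> document.

    <string> elements carry the value as element text; boolean, int, long and
    float carry it in the value attribute; <set> holds one <string> per member.
    """
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    prefs = {}
    for el in root:
        name = el.get("name")
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag == "set":
            prefs[name] = [child.text or "" for child in el]
        else:
            prefs[name] = el.get("value")
    return prefs


def find_plaintext_secrets(prefs):
    """Return the entries whose key looks secret-bearing and whose value is a
    non-empty string, i.e. a secret stored in the clear."""
    return {
        key: value
        for key, value in prefs.items()
        if key and SENSITIVE_KEY_RE.search(key) and isinstance(value, str) and value
    }


if __name__ == "__main__":
    prefs = parse_shared_prefs(SAMPLE_PREFS)
    for key, value in find_plaintext_secrets(prefs).items():
        print(f"plaintext secret in shared_prefs: {key} = {value!r}")
```

Run against a real file with `adb pull` output as input; any hit means the app keeps a credential where anyone with the app's UID, a root shell, or (as shown later) an adb backup can read it. The fix on the app side is to keep the secret out of shared_prefs altogether, for example in the Android Keystore, and to store only a token that can be revoked.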
Install the WhatsApp Lock app. This app claims to prevent others from snooping on your WhatsApp and Facebook Messenger messages. Try to recover the app's 4-digit PIN.
Set security questions, find where the questions are stored, and use them to recover the PIN.
User dictionary cache
Android has a user dictionary database that is used to remember frequently typed words and numbers. This dictionary can contain passwords, usernames or PINs.
Extract user dictionary
adb pull /data/data/com.android.providers.userdictionary/databases/user_dict.db
Go into the databases folder and open user_dict.db with the sqlite3 terminal app or the SQLite database browser, then show the tables with:
sqlite> .table
android_metadata words
Then select all rows from the words table:
select * from words;
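The query above returns every cached word; on a device with a large dictionary the interesting rows are easy to miss. The following Python script, added here as an example and not part of the original article, builds an in-memory SQLite database shaped like the user dictionary (a trimmed, assumed schema with word, frequency and locale columns; the rows are constructed) and runs the same query, classifying each entry as PIN-like or password-like so a reviewer can see at a glance whether the dictionary has cached a credential.

```python
import re
import sqlite3

# Constructed rows, not data pulled from a device.
SAMPLE_ROWS = [
    ("meeting", 120, "en_US"),
    ("4821", 45, "en_US"),
    ("goatdroid", 30, "en_US"),
    ("Pr0ject!", 12, "en_US"),
    ("android", 200, "en_US"),
]

# Assumed, trimmed schema for the "words" table of user_dict.db.
SCHEMA = (
    "CREATE TABLE words ("
    "_id INTEGER PRIMARY KEY, word TEXT, frequency INTEGER, locale TEXT)"
)

# 4 to 8 digits only: the shape of a lock-screen or app PIN.
PIN_RE = re.compile(r"^\d{4,8}$")
# At least six characters mixing letters with digits or punctuation.
PASSWORD_LIKE_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*[0-9!@#$%^&*_+=?.,:;-]).{6,}$")


def load_sample_dictionary():
    """Build an in-memory database with the same table name as user_dict.db."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany(
        "INSERT INTO words (word, frequency, locale) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    con.commit()
    return con


def classify_word(word):
    """Return 'pin-like', 'password-like', or None for an ordinary word."""
    if PIN_RE.match(word):
        return "pin-like"
    if PASSWORD_LIKE_RE.match(word):
        return "password-like"
    return None


def find_credential_like_words(con):
    """Run the `select * from words` step and keep only the suspicious rows,
    as a list of (word, frequency, category) in table order."""
    hits = []
    for word, frequency in con.execute(
        "SELECT word, frequency FROM words ORDER BY _id"
    ):
        category = classify_word(word)
        if category:
            hits.append((word, frequency, category))
    return hits


if __name__ == "__main__":
    con = load_sample_dictionary()
    for word, frequency, category in find_credential_like_words(con):
        print(f"{category:14s} freq={frequency:<4d} {word}")
```

To use it on a pulled user_dict.db, replace `load_sample_dictionary()` with `sqlite3.connect("user_dict.db")`. The classification is a heuristic: ordinary words with punctuation will show up too, and a PIN that was never typed into a text field will not.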
Data Acquisition from backups
If the Android device is not rooted, you are not out of luck: you can still access the app’s data by taking a backup. The adb tool can back up the whole device or a specific app.
Backup the app
Backup the app using its package name
adb backup -f backup.ab com.whatsapplock
Convert the backup file to tar
We need to convert the .ab file to a tar archive. Download the Android Backup Extractor (abe.jar) from here.
java -jar abe.jar -debug unpack backup.ab backup.tar
We now have a tar archive; let's extract it:
tar xvf backup.tar
Navigate to the apps folder; the folder structure is as follows:
- _manifest – the AndroidManifest.xml file of the app
- db – contains the .db files used by the application
- f – the folder used to store the app's files
- sp – stores the shared preferences XML files
- r – holds views, logs, and so on
Go to the
The same shared preference files are all here, and getting the PIN is as simple as printing the contents of the file:
Restoring a modified backup
We can change the PIN and put the changed files back.
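To make the .ab conversion and the restore step concrete, here is an added Python example (not part of the original article and not the code of abe.jar) that implements the unencrypted adb backup container: a header of four lines (the `ANDROID BACKUP` magic, a version number, a compression flag and the encryption name `none`), followed by a zlib stream of a tar archive laid out as `apps/<package>/...` with the `_manifest` and `sp` entries described above. The package name, the shared_prefs file and its PIN value are constructed for the example. The script builds such a backup, unpacks it the way abe.jar does, edits the PIN file inside the tar, and repacks it.

```python
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"
PACKAGE = "com.example.lockapp"  # assumed package name, not one from the article

# Constructed shared_prefs file for the sample backup (not a real app's data).
SAMPLE_PREFS = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="pin">1234</string>
</map>
"""
PREFS_PATH = f"apps/{PACKAGE}/sp/lock_prefs.xml"


def pack_ab(tar_bytes, version=1):
    """Wrap a plain tar in the unencrypted adb backup container: four header
    lines (magic, version, compressed flag, encryption) then a zlib stream."""
    header = b"\n".join([AB_MAGIC, str(version).encode(), b"1", b"none"]) + b"\n"
    return header + zlib.compress(tar_bytes)


def unpack_ab(ab_bytes):
    """Reverse of pack_ab: what `abe.jar unpack` does for an unencrypted file.
    Encrypted backups (encryption line other than 'none') are refused."""
    parts = ab_bytes.split(b"\n", 4)
    if len(parts) != 5 or parts[0] != AB_MAGIC:
        raise ValueError("not an adb backup file")
    _version, compressed, encryption, body = parts[1:]
    if encryption != b"none":
        raise ValueError("encrypted backup (%s): password required" % encryption.decode())
    return zlib.decompress(body) if compressed == b"1" else body


def build_sample_tar():
    """Build a tar laid out like an adb backup: apps/<pkg>/_manifest and sp/."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in [
            (f"apps/{PACKAGE}/_manifest", b"constructed manifest placeholder\n"),
            (PREFS_PATH, SAMPLE_PREFS),
        ]:
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def shared_prefs_files(tar_bytes):
    """Return {member path: contents} for every sp/*.xml file in the archive."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile() and "/sp/" in member.name and member.name.endswith(".xml"):
                found[member.name] = tar.extractfile(member).read()
    return found


def replace_member(tar_bytes, path, new_data):
    """Rewrite one file inside the tar (the 'change the PIN and put the
    changed files back' step) and return the new archive bytes."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as src, \
         tarfile.open(fileobj=out, mode="w") as dst:
        for member in src.getmembers():
            if not member.isfile():
                dst.addfile(member)
                continue
            data = new_data if member.name == path else src.extractfile(member).read()
            member.size = len(data)
            dst.addfile(member, io.BytesIO(data))
    return out.getvalue()


def roundtrip_demo():
    """Backup -> tar -> edit -> backup; returns the PIN file before and after."""
    ab = pack_ab(build_sample_tar())
    tar_bytes = unpack_ab(ab)
    before = shared_prefs_files(tar_bytes)[PREFS_PATH]
    edited = replace_member(tar_bytes, PREFS_PATH, before.replace(b"1234", b"0000"))
    after = shared_prefs_files(unpack_ab(pack_ab(edited)))[PREFS_PATH]
    return before, after


if __name__ == "__main__":
    before, after = roundtrip_demo()
    print(before.decode())
    print(after.decode())
```

A repacked file of this form is what `adb restore` consumes. Two caveats for an assessment: a backup created with a password has an encryption line other than `none` and the key derivation that abe.jar implements is needed to read it, and an app that sets `android:allowBackup="false"` in its manifest is excluded from `adb backup` altogether, which is the mitigation an app should ship when it keeps any state worth protecting in shared_prefs or its databases.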