Android Insecure Data Storage

Android apps usually store data locally in one of these places:

  • Shared preferences
  • SQLite databases
  • Internal storage
  • External storage

Shared preferences

Shared preferences are key/value pairs that the SharedPreferences API serialises to an XML file. The files live in the app's private data directory, under /data/data/<package name>/shared_prefs/. They are meant for settings, but are frequently misused for credentials and session tokens, which are then written to disk in clear text.

SQLite databases

SQLite is a lightweight relational database engine that keeps an entire database in a single file, which makes it well suited to structured data on mobile. An app's databases live under /data/data/<package name>/databases/ and are private to the app's Linux UID; another app can only reach the data if the owning app exposes it through a content provider. Root, or a backup of the app, bypasses that isolation, as the rest of this page shows.

Internal storage

Apps can also create files and folders under their private directory, /data/data/<package name>. The directory is owned by the app's UID, so other apps cannot access it unless the app explicitly creates a file world-readable or world-writable (the deprecated MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE flags). Root, and the backup mechanism described below, can still read it.

External storage

External storage (the SD card or its emulated equivalent) is world readable and writable: any app holding READ_EXTERNAL_STORAGE can read it and any app holding WRITE_EXTERNAL_STORAGE can modify it, so nothing sensitive should be written there. (Newer Android releases restrict this with scoped storage, but legacy apps and legacy devices still expose everything.)

Insecure Storage Demo

We are going to use the OWASP GoatDroid Android app (FourGoats) for the demo.

Install the GoatDroid Android APK

adb push only copies a file onto the device; to install an APK use adb install (the file name contains spaces, so quote or escape it):

adb install OWASP\ GoatDroid-\ FourGoats\ Android\ App.apk

Start the server

The Android app talks to a web service, so start that first. Change into the folder where the OWASP GoatDroid archive was unzipped and run:

java -jar goatdroid-0.9.jar
  • Click Configure
  • Click Edit Configuration
  • Set the 'SDK Path' under the Android tab
  • Click the Web Services tab and change the HTTP and HTTPS ports if required, otherwise leave them on the defaults
  • On the device's home screen open the FourGoats app
  • Open Settings and enter the IP address and port of the web service

You should now be able to login.

Finding the default login

The app has a default login, and it is stored insecurely. Let's find out what the default username and password are.

Get a shell on the device (reading another app's private directory needs root, so use a rooted device or an emulator)

adb shell
cd /data/data/org.owasp.goatdroid.fourgoats/

Let's list the app's folders:

# ls -l
drwxrwx--x u0_a49   u0_a49            2017-01-08 20:45 cache
drwxrwx--x u0_a49   u0_a49            2017-01-08 20:45 databases
drwxr-xr-x system   system            2017-01-08 20:45 lib
drwxrwx--x u0_a49   u0_a49            2017-01-08 20:48 shared_prefs

The two interesting folders are databases and shared_prefs. Let's look into each of them.

cd shared_prefs

Let's check the files here:

# ls -l
-rw-rw-r-- u0_a49   u0_a49        197 2017-01-08 20:48 credentials.xml
-rw-rw-r-- u0_a49   u0_a49        148 2017-01-08 20:48 destination_info.xml
-rw-rw-r-- u0_a49   u0_a49        140 2017-01-08 20:48 proxy_info.xml

The credentials.xml file looks interesting, so let's open it:

# cat credentials.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="password">goatdroid</string>
<boolean name="remember" value="true" />
<string name="username">goatdroid</string>
</map>

There we have it: the username and password are written to disk in clear text, along with a "remember" flag that keeps them there. Logging in with goatdroid / goatdroid works. Note the file mode in the listing as well: -rw-rw-r-- (0664) is what MODE_WORLD_READABLE produces, whereas the default MODE_PRIVATE gives 0660, so on this Android version any other app that knows the path can read the file without root, as long as the parent directories allow traversal (shared_prefs is drwxrwx--x above). Alternatively we could have reverse engineered the app, read the code and checked what happens on login.
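As an added example (not part of the original page or of OWASP GoatDroid), the parser below reads a pulled SharedPreferences XML file, handling every value type the API writes (string, boolean, int, long, float and string sets), flags keys whose names look like credentials, and checks an `ls -l` mode string for the world-readable bit discussed above. The sample file is a constructed copy of credentials.xml with a few extra entries added to exercise the other types; the key-name pattern is an assumption about what "looks sensitive", not something the page defines.

```python
"""Parse Android SharedPreferences XML and flag credential-looking keys.

Added example; not the page's or GoatDroid's code. SAMPLE_PREFS is a
constructed file modelled on the credentials.xml shown above.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the three GoatDroid entries plus an int and a string set.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="password">goatdroid</string>
    <boolean name="remember" value="true" />
    <string name="username">goatdroid</string>
    <int name="login_count" value="3" />
    <set name="recent_hosts">
        <string>10.0.2.2</string>
        <string>192.168.1.10</string>
    </set>
</map>
"""

# Assumed heuristic: key names that usually mean a secret or identity was persisted.
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|pin|secret|token|key|user(name)?|auth)", re.I)


def parse_shared_prefs(xml_text):
    """Return {name: value} for every entry in a SharedPreferences XML file."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "map":
        raise ValueError("not a SharedPreferences file (root is %r)" % root.tag)
    prefs = {}
    for elem in root:
        name = elem.get("name")
        if elem.tag == "string":
            prefs[name] = elem.text or ""
        elif elem.tag == "boolean":
            prefs[name] = elem.get("value") == "true"
        elif elem.tag in ("int", "long"):
            prefs[name] = int(elem.get("value"))
        elif elem.tag == "float":
            prefs[name] = float(elem.get("value"))
        elif elem.tag == "set":
            # A string set is stored as nameless <string> children.
            prefs[name] = {child.text or "" for child in elem.findall("string")}
        else:
            raise ValueError("unknown preference type %r" % elem.tag)
    return prefs


def find_sensitive(prefs):
    """Return the entries whose key name matches the credential heuristic."""
    return {k: v for k, v in prefs.items() if SENSITIVE_KEY.search(k or "")}


def mode_is_world_readable(ls_mode):
    """True if an `ls -l` mode string such as '-rw-rw-r--' grants read to others.

    MODE_PRIVATE yields 0660 (-rw-rw----); MODE_WORLD_READABLE yields 0664.
    """
    if len(ls_mode) != 10:
        raise ValueError("expected a 10-character mode string, got %r" % ls_mode)
    return ls_mode[7] == "r"


if __name__ == "__main__":
    prefs = parse_shared_prefs(SAMPLE_PREFS)
    for key, value in find_sensitive(prefs).items():
        print("%-12s %r" % (key, value))
    print("world readable:", mode_is_world_readable("-rw-rw-r--"))
```

Point parse_shared_prefs at each file under a pulled shared_prefs/ directory (or the sp/ folder of an unpacked backup) to triage an app quickly; keys that match but hold a value are findings, a matching key with an empty value usually is not.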

Lab Exercise

  • Install the Whatsapp Lock app. This app claims to prevent other users from snooping on your WhatsApp and Facebook Messenger chats. Try to recover its 4-digit PIN.

  • Set the security questions, find where the questions and answers are stored, and use them to recover the PIN.

User dictionary cache

Android keeps a user dictionary database that the keyboard uses to remember frequently typed words and numbers. Anything typed into an ordinary text field can end up in it, so it can contain usernames, PINs or passwords (fields correctly marked as password input are normally excluded from learning, which is one more reason to check how an app declares its input fields).

Extract user dictionary

adb pull /data/data/

Go into the databases folder of the user dictionary provider (package com.android.providers.userdictionary) and open user_dict.db with the sqlite3 command-line tool or a SQLite browser GUI.

sqlite3 user_dict.db

and list the tables with

sqlite> .table
android_metadata  words

then select all rows from the words table

select * from words;
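Scrolling a dump of the words table by hand does not scale, so here is an added example (not from the original page) that triages it automatically. It builds a constructed user_dict.db with the same words table schema the UserDictionary provider uses (_id, word, frequency, locale, appid, shortcut), then flags entries that look like a PIN (all digits), look like a password (letters and digits mixed), or match a term the analyst already knows, such as the username recovered from shared_prefs above. The sample words and the two regular expressions are assumptions for the demo.

```python
"""Triage an Android user_dict.db for PIN-, password- and username-like words.

Added example; not the page's code. build_sample_db() writes a constructed
database with the provider's schema so the script runs offline; point
triage_words() at a pulled user_dict.db to use it for real.
"""
import os
import re
import sqlite3
import tempfile

PIN_RE = re.compile(r"^\d{4,8}$")                                        # 4-8 digit numbers
MIXED_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d!@#$%^&*_-]{6,}$")  # password-shaped


def build_sample_db(path):
    """Create a constructed user_dict.db with a few 'learned' words."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE android_metadata (locale TEXT)")
    conn.execute("INSERT INTO android_metadata VALUES ('en_US')")
    conn.execute("""CREATE TABLE words (
        _id INTEGER PRIMARY KEY, word TEXT, frequency INTEGER,
        locale TEXT, appid INTEGER, shortcut TEXT)""")
    rows = [
        ("meeting", 250, "en_US", 0, None),
        ("1337", 250, "en_US", 0, None),         # looks like a 4-digit PIN
        ("goatdroid", 250, "en_US", 0, None),    # the username found above
        ("Summer2017!", 250, "en_US", 0, None),  # password-shaped
        ("tomorrow", 250, "en_US", 0, None),
    ]
    conn.executemany(
        "INSERT INTO words (word, frequency, locale, appid, shortcut) VALUES (?,?,?,?,?)", rows)
    conn.commit()
    conn.close()


def triage_words(db_path, extra_terms=()):
    """Return [(word, category)] for entries worth a second look, in table order.

    Categories: 'pin' (all digits), 'password-like' (letters and digits,
    6+ chars), 'known' (matches a term supplied by the analyst).
    """
    known = {t.lower() for t in extra_terms}
    hits = []
    conn = sqlite3.connect(db_path)
    try:
        for (word,) in conn.execute("SELECT word FROM words ORDER BY _id"):
            if not word:
                continue
            if PIN_RE.match(word):
                hits.append((word, "pin"))
            elif MIXED_RE.match(word):
                hits.append((word, "password-like"))
            elif word.lower() in known:
                hits.append((word, "known"))
    finally:
        conn.close()
    return hits


def demo():
    """Build the constructed database in a temp dir and triage it."""
    path = os.path.join(tempfile.mkdtemp(), "user_dict.db")
    build_sample_db(path)
    return triage_words(path, extra_terms=["goatdroid"])


if __name__ == "__main__":
    for word, category in demo():
        print("%-14s %s" % (category, word))
```

The frequency column is also worth sorting on: a PIN or password that is typed daily climbs to the top of the table.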

Data Acquisition from backups

If the Android device is not rooted you are not out of luck. You can still access an app's data by taking a backup of it: adb can back up the whole device or a single app. This works only if the app's manifest does not set android:allowBackup="false" (with it set, the archive contains no app data), and recent Android releases restrict or deprecate adb backup altogether, so check the target first.

Backup the app

Back up the app by package name:

adb backup -f whatsapplock.ab com.whatsapplock

Convert the backup file to tar

The .ab file is a short text header followed by a zlib-compressed (and, if a password was set, AES-encrypted) tar archive. Download Android Backup Extractor (abe.jar) and convert it to a plain tar:

java -jar abe.jar -debug unpack whatsapplock.ab whatsapplock.tar

We now have a tar archive, so let's extract it:

tar xvf whatsapplock.tar

Navigate to the apps folder; each backed-up package has a folder with the following layout:

  • _manifest – the backup manifest for the app (package name, version code and signing certificates; this is not the APK's AndroidManifest.xml)
  • db – contains the .db files used by the application
  • f – the folder used to store the app's files
  • sp – stores the shared preferences XML files
  • r – holds views, logs, and so on

Go to the sp folder.

cd sp

The same shared preferences files are all here, and getting the PIN is as simple as printing the contents of the file:

cat com.whatsapplock_preferences.xml

Restoring modified backup

We can change the PIN in the extracted file, repack the tree into a tar (the _manifest must stay first, so keep the original member order), convert the tar back into a .ab with abe.jar and push it onto the device with adb restore. The app then trusts whatever is in its shared preferences, which is the same weakness seen from the other side.
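The .ab layout is simple enough that abe.jar is not strictly needed for an unencrypted backup. The following added example (not the page's code and not Android Backup Extractor) serves both the "convert the backup file to tar" step and the "restoring modified backup" step above: it parses the four-line header ("ANDROID BACKUP", version, compressed flag, encryption scheme), inflates the tar, reads a file out of apps/<package>/sp/, replaces that file while preserving member order, and wraps the result in a new .ab ready for adb restore. Encrypted backups ("AES-256") carry extra header lines and a key derivation step and are rejected here. The sample backup is constructed in memory; the package and file names mirror the whatsapplock example but the contents are made up.

```python
"""Unpack and repack an unencrypted `adb backup` (.ab) file in pure Python.

Added example; not the page's code and not abe.jar. Relies only on the
.ab container layout: header lines, then a zlib-compressed tar stream.
"""
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data):
    """Return (version, compressed, encryption, body_offset) for an .ab file."""
    lines = data.split(b"\n", 4)
    if len(lines) < 5 or lines[0] != MAGIC:
        raise ValueError("not an Android backup file")
    version = int(lines[1])
    compressed = lines[2] == b"1"
    encryption = lines[3].decode()
    offset = len(lines[0]) + len(lines[1]) + len(lines[2]) + len(lines[3]) + 4
    return version, compressed, encryption, offset


def ab_to_tar(ab_bytes):
    """Return the raw tar bytes inside an unencrypted .ab file."""
    _, compressed, encryption, offset = parse_ab_header(ab_bytes)
    if encryption != "none":
        raise ValueError("encrypted backup (%s): use abe.jar with the password" % encryption)
    body = ab_bytes[offset:]
    return zlib.decompress(body) if compressed else body


def tar_to_ab(tar_bytes, version=1):
    """Wrap tar bytes in a compressed, unencrypted .ab container for `adb restore`."""
    header = b"%s\n%d\n1\nnone\n" % (MAGIC, version)
    return header + zlib.compress(tar_bytes)


def read_shared_prefs(tar_bytes, package, filename):
    """Read apps/<package>/sp/<filename> out of the backup tar."""
    member = "apps/%s/sp/%s" % (package, filename)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return tf.extractfile(member).read()


def replace_member(tar_bytes, name, new_data):
    """Return a new tar with member `name` replaced; other members keep their order."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as src, \
         tarfile.open(fileobj=out, mode="w:", format=tarfile.USTAR_FORMAT) as dst:
        for info in src:
            data = src.extractfile(info).read() if info.isfile() else None
            if info.name == name:
                data = new_data
                info.size = len(data)
            dst.addfile(info, io.BytesIO(data) if data is not None else None)
    return out.getvalue()


def build_sample_backup():
    """Constructed backup with the apps/<pkg>/_manifest and sp/ layout seen above."""
    prefs = (b"<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n"
             b"<map>\n    <string name=\"pin\">1234</string>\n</map>\n")
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in [("apps/com.whatsapplock/_manifest", b"constructed manifest"),
                           ("apps/com.whatsapplock/sp/com.whatsapplock_preferences.xml", prefs)]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return tar_to_ab(out.getvalue())


def demo():
    """Unpack, read the PIN, rewrite it, repack, and read it back from the new .ab."""
    pkg, fname = "com.whatsapplock", "com.whatsapplock_preferences.xml"
    tar = ab_to_tar(build_sample_backup())
    old = read_shared_prefs(tar, pkg, fname)
    patched = replace_member(tar, "apps/%s/sp/%s" % (pkg, fname), old.replace(b"1234", b"0000"))
    new = read_shared_prefs(ab_to_tar(tar_to_ab(patched)), pkg, fname)
    return old, new


if __name__ == "__main__":
    before, after = demo()
    print(before.decode())
    print(after.decode())
    # Write tar_to_ab(...) to a file and push it with `adb restore <file>.ab`.
```

On a real device, keep the version number from the original header when repacking, since adb restore refuses archives from a newer format than it understands.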