Monday, 16 December 2013

Pentesting Android Applications Part 2 - M1 Insecure Data Storage(Shared Preferences)

Posted by srini0x00 on 09:03

Introduction

In this series of articles, we will look into some common approaches for Android App penetration testing. Our focus is to cover OWASP Mobile top 10 with various tools and techniques as it is the most common standard that many organizations and security professionals follow.

Below is the TOP 10 list from www.owasp.org
  • M1: Insecure Data Storage
  • M2: Weak Server Side Controls
  • M3: Insufficient Transport Layer Protection
  • M4: Client Side Injection
  • M5: Poor Authorization and Authentication
  • M6: Improper Session Handling
  • M7: Security Decisions Via Untrusted Inputs
  • M8: Side Channel Data Leakage
  • M9: Broken Cryptography
  • M10: Sensitive Information Disclosure 

Insecure Data Storage

Android provides a variety of ways to save persistent application data. Following are the most common ways of storing data by an Android Application. 
  • Shared Preferences
  • Internal Storage
  • External Storage
  • SQLite Databases
  • Network Connection
Device loss is a very common problem with mobile devices. An attacker who has physical access to the device may perform various types of attacks ranging from stealing personal data to theft of corporate sensitive information. Situation could be worse if the device is rooted. 

So, keeping the this fact in mind, if the above mentioned ways for storing data by an application not implemented properly, may lead to serious attacks. In this article, we will look into how one can look into SharedPreferences for sensitive information.

Shared Preferences:

"Shared Preferences" allows a developer to save and retrieve persistent key-value pairs of primitive data types such as booleans, floats, ints, longs, and strings. 

Let us see, how we can test an app to see if it is storing any sensitive information on this device with out proper security enforcement. 

I have developed a very simple app for demo purpose. the functionality of the app is described in later sections. 

You can download it from here.

Once after downloading it, install it onto the emulator as shown below.
I am using adb to do it.

C:\<adb path>adb devices
C:<adb path>adb install M1-SharedPrefs.apk 







As you can see, it has been installed. Now, you should see a new icon on your emulator.

Functionality of test app

Once if you launch the application, you can see three options as shown in Figure 1.3

Figure 1.3
Now, Click the first option and store some sample card details by filling in the details it asks. You can see the same details by clicking "View Card Details" and entering your name. You can clear the data by using "Clear Card Details" Option.
I have entered my details into the app as shown in Figure 1.4
.
Figure 1.4

So, this is the functionality of the app from an end user's point of view. Now, lets go ahead and check how it is storing the data we entered into it.

Get an adb shell on the emulator using the following command.
C:\<adb path>adb shell
Now, navigate to /data/data directory as shown below.
C:\<adb path>cd /data/data

This is where all the user installed applications will be. So, our app will be here in this directory. Let us check it's package name by using ls & grep as shown in Figure 1.5

Now, Navigate into this directory "com.example.m1_shared" and give an ls


We can clearly see, this app has "shared_prefs" directory. So lets get into this directory and open the bankdetails.xml file inside it as shown in Figure .
 As you can clearly see it has the bank details inside it as name value pairs. This is how many apps store their game scores and other interesting stuff. If it contains any sensitive data as shown in the above example, it is pretty easy for an attacker to steal it.

Note: Shared Preferences used to have features called "MODE_WORLD_READABLE" and "MODE_WORLD_WRITABLE" which enable other apps/users to read/modify the app's data. Those features are deprecated from API level 17.

 Please post your comments if you have any queries or suggestions.


Kindly Bookmark and Share it:

0 comments :

Post a Comment

 

Recent posts

Recent Comments

Bookmark & Share