Real world application demo

In document Hacking Android (Page 168-177)

The OWASP FourGoats application is a demo application, and readers might assume that real applications don't store sensitive information in shared preferences. Let's see a real-world example of this vulnerability using an app called WhatsApp Lock; this app locks popular apps like WhatsApp, Viber, and Facebook behind a PIN.

A screenshot of the main screen follows:

Let's use the GUI application Droid Explorer to browse and view the /data/data directory of this app.

Following are the steps to pull the shared preference using Droid Explorer:

1. Connect the Android device to the machine.

2. Launch Droid Explorer and browse to the whatsapplock directory:

3. Select the Copy to Local Computer option, which is available just above the Help menu. Once copied, open the XML file in any text editor of your choice:

As you can see, the password is stored in clear text, and if you provide the answer to the secret question, the app shows the password in clear text.

This application also has a PIN recovery feature to recover forgotten PIN numbers.

However, you need to provide the answer to the secret question. The secret question and its answer are again stored conveniently in the shared_prefs XML file.

As you can see, once you provide the answer to the secret question, it shows the current PIN used by the application.

SQLite databases

SQLite databases are lightweight, file-based databases. They usually have the extension .db or .sqlite. Android provides full support for SQLite databases.

Databases created by an application are accessible to any class in that application, but other apps cannot access them.

The following code snippet shows a sample application storing a username and password in an SQLite database, user.db:

    String uName = editTextUName.getText().toString();
    String passwd = editTextPasswd.getText().toString();
    context = LoginActivity.this;
    dbhelper = new DBHelper(context, "user.db", null, 1);
    dbhelper.insertEntry(uName, passwd);

Programmatically, we extend the SQLiteOpenHelper class to implement the insert and read methods. The values supplied by the user are inserted into a table called USER:

    import android.content.ContentValues;
    import android.content.Context;
    import android.database.sqlite.SQLiteDatabase;
    import android.database.sqlite.SQLiteDatabase.CursorFactory;
    import android.database.sqlite.SQLiteOpenHelper;

    public class DBHelper extends SQLiteOpenHelper {
        // Table schema: the password column is plain text, which is the weakness discussed here
        String DATABASE_CREATE = "create table USER (ID integer primary key autoincrement, "
                + "uname text, passwd text);";
        public SQLiteDatabase db;

        public SQLiteDatabase getDatabaseInstance() {
            return db;
        }

        public DBHelper(Context context, String name, CursorFactory factory, int version) {
            super(context, name, factory, version);
        }

        @Override
        public void onCreate(SQLiteDatabase db) {
            db.execSQL(DATABASE_CREATE);
        }

        @Override
        public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) {
            // No schema migration in this sample
        }

        // Inserts the username and password as-is into the USER table
        public void insertEntry(String uName, String passwd) {
            ContentValues userValues = new ContentValues();
            userValues.put("uname", uName);
            userValues.put("passwd", passwd);
            db = getWritableDatabase();  // opens (and on first use creates) user.db
            db.insert("USER", null, userValues);
        }
    }

Equipped with this information, let's see how the data is stored on the file system. Android apps store their databases at the following location:

/data/data/<package name>/databases/<databasename.db>

So, let's navigate to the above path for our application and inspect it for any databases the application has created. The procedure is the same as for SharedPreferences: either pull the file using the adb pull command or use Droid Explorer on your desktop.

In my case, I navigated to /data/data/com.example.sqlitedemo, then into databases/, where we have the database user.db. We can pull it onto the machine, as shown in the previous screenshot, and then carry out the following steps:

1. Pull the user.db file using Droid Explorer.

2. Open SQLite browser and drag and drop the user.db file onto the browser window.

3. Browse and view the data by double-clicking:

As you can see, the Android application uses user.db to store the username and password.
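
As an added example (not code from the book), here is a small Python auditor that walks a pulled /data/data/<package> tree, flags sensitive-looking keys in the shared_prefs XML files and sensitive-looking columns in the SQLite databases under databases/, and exercises itself on a constructed sample tree modelled on the two cases above (a PIN and secret answer in shared preferences, and the USER table with a passwd column). The key-name pattern and the sample values are assumptions, not from the book.

```python
import os, re, sqlite3, tempfile
import xml.etree.ElementTree as ET
# Key and column names that commonly indicate a credential stored in clear text (assumed list).
SENSITIVE = re.compile(r"pass|pwd|pin|secret|answer|token", re.IGNORECASE)

def audit_shared_prefs(xml_path):
    """(key, value) pairs from a shared_prefs XML whose key looks sensitive."""
    findings = []
    for elem in ET.parse(xml_path).getroot():  # the children of <map>
        name = elem.get("name", "")
        if SENSITIVE.search(name):  # <string> keeps its text; <int>/<boolean> use value=
            findings.append((name, elem.text if elem.text is not None else elem.get("value")))
    return findings

def audit_sqlite(db_path):
    """(table, column, value) triples for sensitive-looking columns in a .db file."""
    findings, con = [], sqlite3.connect(db_path)
    try:
        for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
            for col in [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]:
                if SENSITIVE.search(col):
                    findings += [(table, col, v) for (v,) in con.execute(f'SELECT "{col}" FROM "{table}"')]
    finally:
        con.close()
    return findings

def audit_app_dir(root):
    """Walk a pulled /data/data/<package> tree; return (location, name, value) findings."""
    report = []
    for dirpath, _, files in os.walk(root):
        kind = os.path.basename(dirpath)
        for fn in files:
            path = os.path.join(dirpath, fn)
            if kind == "shared_prefs" and fn.endswith(".xml"):
                report += [(f"shared_prefs/{fn}", k, v) for k, v in audit_shared_prefs(path)]
            elif kind == "databases" and fn.endswith((".db", ".sqlite")):
                report += [(f"databases/{fn}:{t}", c, v) for t, c, v in audit_sqlite(path)]
    return report

def build_sample_app_dir():
    """Constructed stand-in for a pulled app directory (sample data, not any real app's)."""
    root = tempfile.mkdtemp()
    for sub in ("shared_prefs", "databases"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "shared_prefs", "lock.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n<string name="pin">1234</string>\n'
                '<string name="secret_answer">rex</string>\n<int name="launch_count" value="3" />\n</map>\n')
    with sqlite3.connect(os.path.join(root, "databases", "user.db")) as con:
        con.execute("create table USER (ID integer primary key autoincrement, uname text, passwd text)")
        con.execute("insert into USER (uname, passwd) values (?, ?)", ("alice", "hunter2"))
    con.close()
    return root
```

Run audit_app_dir() on the directory produced by adb pull (or Droid Explorer) for the app under test; every finding is a value that any process with the app's UID, or anyone with the pulled files, can read as-is.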

Internal storage

Internal storage is yet another way of storing data in Android apps, usually in the files directory under /data/data/<app name>.

The following code shows how internal storage is used to store the private key of an application, which the app uses to store and send a user's credit card and SSN numbers:

    // (the beginning of the method is cut off in this excerpt)
    try {
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
        // Generate public & private keys
        // ... key generation and the FileOutputStream write of files/private.key
        //     are cut from this excerpt; fos is that FileOutputStream ...
        try {
            fos.close();
        } catch (FileNotFoundException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
    } catch (Exception e) {
        System.out.println(e);
    }
    } // end of the enclosing method

As we can see in the previous screenshot, the private key is stored insecurely in the private.key file under files.

Let's open Droid Explorer (or use the adb pull command), copy the private key from the device to the machine, and open it in a text editor:

External storage

Another important storage mechanism in Android is the SD card, or external storage, where apps can store data. Some well-known applications store their data in external storage. Care should be taken when storing data on the SD card, as it is world readable and writable; better yet, from an attacker's point of view, the SD card can simply be removed from the device and mounted on another device, giving access to all the data on it.

Let's reuse the earlier example, but instead of storing the key in internal storage, the application now stores it on external storage, that is, the SD card:

    String publicKeyFilename = "public.key";
    // (lines between here and the provider registration are cut from this excerpt)
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    // Generate public & private keys
    // ... the key pair is generated and the private key is written under
    //     Environment.getExternalStorageDirectory() in the vulnapp directory (cut from this excerpt) ...

As we can see, this app uses Environment.getExternalStorageDirectory() to save the private key in the vulnapp directory on the SD card. Any malicious app can therefore read this key and send it to a remote server on the Internet.

In order for the app to have access to external storage, the preceding code requires the WRITE_EXTERNAL_STORAGE permission in the AndroidManifest.xml file:

    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>