
Aditya Udgaonkar

MSC (SS)

19030143011

OWASP Mobile Top 10

Insecure Data Storage


The title says it all: insecure storage of data. Many developers assume that
storing data on the client side keeps other users from reaching it. In practice,
most of the top mobile application security breaches have been caused by
insecure or unnecessary client-side data storage. File systems on devices are
no longer a sandboxed environment, and rooting or jailbreaking usually
circumvents any protections. Hence this vulnerability is listed among the
OWASP Mobile Top 10.
- This vulnerability occurs when sensitive data is not stored in a secure,
protected or hidden location and is readable by almost anyone.
- Even if an attacker does reach the sensitive data, it should not be readable
to them.
- If the hashing or cryptographic algorithms used by the developers are weak
or outdated, the attacker can easily recover the data. For example, algorithms
like DES and MD5 are proven to be broken.
- Even if the developers use strong cryptographic algorithms, the keys must be
stored in a secure location; if the attacker gets access to these keys, they
can access the data.

In the case of Android devices, the attacker can get access to the device's
shell using third-party tools and view all the directories the app uses to
store data. This is how the vulnerability is exploited, as the following
practical shows.

Technical Impacts
The impact of this vulnerability is severe. The attacker can extract and
decompile the app to view the source code and other sensitive files, and can
obtain the sensitive data from wherever the app has stored it. This can cause
the business huge losses, in revenue as well as to its identity. Customers'
private data can be stolen. The goodwill of the business can be permanently
damaged beyond repair. Hence it can lead to the following four impacts.
1] Identity theft
2] Privacy violation
3] Fraud
4] Reputation damage

We will see a practical on how to extract sensitive data stored in XML data
stores or the manifest file [username and password].
Scenario 1
1] First we install Genymotion, which is an Android emulator. We will test
this vulnerability on this virtual phone. We will use Santoku, a mobile
forensics OS, to perform the attack on it.
2] We install DIVA [Damn Insecure and Vulnerable Application] on this Android
emulator. In lesson 3, Insecure Data Storage, we enter our credentials and try
to find where they are stored inside the app.
3] Now we unzip the APK file and store the contents in the diva folder.
    unzip -d diva diva-beta.apk
After unzipping the APK file, we get a dex file called classes.dex. We now
convert this file into a jar file to view the source code.
    d2j-dex2jar classes.dex
After converting it to a jar file, we open it with JD-GUI.
    jd-gui classes-dex2jar.jar

4] Now, among the various files shown, we navigate to our lesson, i.e.
Insecure Data Storage – 1. Expanding this file gives the source code
(screenshot not reproduced here).
5] Here we can see 'saveCredentials'. So we now know that the credentials are
stored in the SharedPreferences folder on our Android device.
6] Now we connect to the shell of our device.
7] Now we navigate to the directory where our app's package is located, i.e.
    cd /data/data
    ls
which lists the installed packages, including the DIVA package (screenshot
not reproduced here).
8] We navigate into this folder and find a folder named 'shared_prefs'. We
enter this directory and open the jakhar.aseem.diva_preferences.xml file.
9] Reading this file gives the following result (screenshot not reproduced
here).
10] Here we can see the username "admin" and password "testpasswrd" stored in
a simple plain-text XML file.

Scenario 2:

1] Now we will see how to access insecure data when it is stored in external
storage.
2] We follow the same initial steps as in scenario 1. After accessing the
source code, we see that a hidden file, .uinfo.txt, is stored on the external
SD card.
3] Now we navigate to the external SD card to read the hidden file.
    cd /mnt/sdcard/
    ls -la
    cat .uinfo.txt

Mitigation
We have just seen how easy it was for the attacker to get access to sensitive
data stored in plain text. To avoid this, sensitive data like usernames and
passwords should not be stored on the client side. It can instead be sent over
a secure channel like HTTPS and stored on the app's server.

Strong encryption techniques should be used. The algorithm should be modern
and of the latest version, with a minimum encryption key of more than 256
bits.
Avoid hardcoded cryptographic algorithms and keys, which produce the same keys
in every copy of the app and are easily guessable. The keys should be dynamic
and truly random.
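As an added example (not part of the original report, and not DIVA's own code), the following Python script audits the two storage locations the practical inspects and checks the first mitigation above. It parses a SharedPreferences XML file of the kind found under /data/data/<package>/shared_prefs and flags entries whose key names suggest a credential, and it scans a loose text file such as the .uinfo.txt from Scenario 2 for user:password lines. The file contents are constructed here to mirror what the screenshots showed (user "admin", password "testpasswrd"); the key-name patterns are an assumed heuristic, and the hardened sample is a preferences file that simply never holds the password.

```python
"""Added audit helper (not from the original report or from DIVA) for the two
client-side storage locations inspected above: SharedPreferences XML under
/data/data/<package>/shared_prefs and loose text files on external storage.
All sample file contents below are constructed for this example."""
import re
import xml.etree.ElementTree as ET

# Assumed heuristic: key names that usually hold a credential or secret.
SENSITIVE_KEY_RE = re.compile(
    r"pass(word|wd|wrd)?|pwd|secret|private[_-]?key|api[_-]?key|credential|user(name)?",
    re.IGNORECASE,
)

# Constructed to mirror the jakhar.aseem.diva_preferences.xml contents from Scenario 1.
VULNERABLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user">admin</string>
    <string name="password">testpasswrd</string>
</map>
"""

# Constructed preferences file following the mitigation above: the password is
# never written to the client at all; only non-sensitive settings remain.
HARDENED_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="theme">dark</string>
    <int name="launch_count" value="3" />
    <boolean name="analytics_opt_in" value="false" />
</map>
"""

# Constructed to mirror the hidden .uinfo.txt file read in Scenario 2.
VULNERABLE_SDCARD_FILE = "admin:testpasswrd\n"


def parse_shared_prefs(xml_text):
    """Return {name: value} for an Android SharedPreferences XML document.
    <string> keeps its value as element text, <set> as child <string> elements,
    and the primitive tags (int, long, float, boolean) in a 'value' attribute."""
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError(f"not a SharedPreferences file: root element is <{root.tag}>")
    entries = {}
    for element in root:
        name = element.get("name")
        if name is None:
            continue
        if element.tag == "string":
            entries[name] = element.text or ""
        elif element.tag == "set":
            entries[name] = [child.text or "" for child in element]
        else:
            entries[name] = element.get("value", "")
    return entries


def audit_shared_prefs(xml_text, path="shared_prefs/prefs.xml"):
    """Flag every non-empty entry whose key name looks like a credential.
    Such a value is readable in plain text by anyone who reaches the app's
    private directory, as the shell session in Scenario 1 showed."""
    findings = []
    for name, value in parse_shared_prefs(xml_text).items():
        if value and SENSITIVE_KEY_RE.search(name):
            text = value if isinstance(value, str) else ":".join(value)
            findings.append({"location": path, "field": name,
                             "kind": "plaintext_pref", "value_length": len(text)})
    return findings


# Matches 'user:secret' or 'key=value' lines; only the ':' shape, or an '='
# line whose left side is a sensitive key name, counts as a credential.
CREDENTIAL_LINE_RE = re.compile(r"^\s*([^:=\s]+)\s*([:=])\s*(\S+)\s*$")


def audit_text_file(text, path="/mnt/sdcard/.uinfo.txt"):
    """Flag credential-shaped lines in a loose text file. External storage is
    readable by every app on the device, so any hit here is fully exposed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = CREDENTIAL_LINE_RE.match(line)
        if match and (match.group(2) == ":" or SENSITIVE_KEY_RE.search(match.group(1))):
            findings.append({"location": path, "field": match.group(1),
                             "kind": "plaintext_file_line", "line": lineno})
    return findings


if __name__ == "__main__":
    for finding in (audit_shared_prefs(VULNERABLE_PREFS, "shared_prefs/jakhar.aseem.diva_preferences.xml")
                    + audit_text_file(VULNERABLE_SDCARD_FILE)):
        print(finding)
    print("hardened prefs findings:", audit_shared_prefs(HARDENED_PREFS))
```

Run against the constructed DIVA-style files it reports the "user" and "password" entries and the "admin:..." line on the SD card, while the hardened preferences file produces no findings; in a real review the same functions can be pointed at files pulled from a test device (for example the output of `cat` in Scenarios 1 and 2) and at the app's own build artefacts before release.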
