This week, we will be looking at Insecure Storage Hardcoded issue and understand its impact on App. 

The above screen shots show where the user can enter new 3rd party service username and save their password. This exercise is to show how data can be accessed in an app if stored insecurely. The following data was input for the service username and password – Service username: abp service, service password: password123.

Similar to the previous exercise, click on InsecurityDataStorage1Activity under jakhar.aseem.diva.InsecureDataStorage1Activity class. There are two methods:

  1. Create
  2. SaveCredentials

The first method creates the view with edit text and Save button. Once the user enters the 3rd party service username and password, clicking on the ‘Save’ button stores information through the PreferenceManager edit object. 

As per Android developer guide, the term PreferenceManager is “used to help create Preference hierarchies from activities or XML.” This suggests the 3rd party username and password is saved somewhere as .xml in the device. Normally this should have been saved in the app path as described in the Android Developer guide. Now we shall attempt to read the .xml stored in the Android emulator. The following are the list of commands/combination to find the location path and read the file:

Figure 4: Displays 3rd Party Username/Password

Figure 4: Displays 3rd party username/password

As we have run-as “jakhar.aseem.diva” which is the application package name, the system enables you to read the data related to the app (application). The user credentials are stored in plain text without any hashing algorithms which is not safe.

 

Remediation:

The app has to use the latest hashing algorithm or preferably to use any encryption technique with Keystore to remain secure.

 

Join us in a partnership founded in research, education and execution

Our success is built on protecting our clients’ success. We have a distinguished track record of supporting our clients in building secure by design environments. Our consultants have successfully ushered in new security practices in leading pharmaceutical, energy and retail institutions. Bramfitt has over 50 specialists around the world and we are committed to forging long-term relationships with our clients, providing them with genuine insight and practical advice, and supporting them as they navigate the everchanging security landscape.

Let us be your partner for the next phase of your security journey.

EMEA Headquarters
Tower 42, 25 Old Broad Street London, EC2N 1HN
+44 (0) 208 187 4234
AMER Headquarters
45 Rockefeller Plaza, 20th Floor New York, NY 10111
+1 (800) 468-6046
APAC Headquarters
96 Wanneroo Rd, Yokine WA 6060, Australia
Social
crown commercial service supplier
cyber essentials
iasme consortium
pentest
ukas iso 9001ukas iso 27001
Back to top
Get in touch