This week, we will be looking at the second Insecure Data Storage exercise and understanding its impact on the app.

Insecure Data Storage screen

We can see that the second part of the Insecure Data Storage screen looks the same as the previous exercise. A new 3rd party service username and password have been entered and saved (username: root, password: toor).

Let us inspect the code behind it to understand how the data is stored, comparing against the previous exercise. Open classes.dex using jadx-gui and click on the class jakhar.aseem.diva.InsecureDataStorage2Activity. The class InsecureDataStorage2Activity inherits the properties and methods of AppCompatActivity, which is an Android support library class. There are two methods available:

  1. Create
  2. saveCredentials


The 'Create' method declares a private object mDB of the SQLiteDatabase class. An educated guess is that this object handles the database-related actions, and reading further confirms it. The method opens or creates a database named "ids2":

this.mDB = openOrCreateDatabase("ids2", 0, (SQLiteDatabase.CursorFactory) null);

Then it creates the table "myuser" if it does not already exist; this table will hold the username and password entered by the user.

this.mDB.execSQL("CREATE TABLE IF NOT EXISTS myuser(user VARCHAR, password VARCHAR);");

The second method 'saveCredentials' takes a View parameter, reads the username and password from the input fields, and inserts them into the myuser table. Note that the values are concatenated straight into the SQL string rather than bound as parameters.

this.mDB.execSQL("INSERT INTO myuser VALUES ('" + ((EditText) findViewById(R.id.ids2Usr)).getText().toString() + "', '" + ((EditText) findViewById(R.id.ids2Pwd)).getText().toString() + "');");


The insert is wrapped in exception handling; if no exception occurs, the user is shown the message "3rd party credentials saved successfully!". This code walkthrough has provided ample evidence that the user's credentials are stored in a database. Let us investigate the database and understand how securely the data is stored.

Figure 4 Database Directory listing


As I was not able to directly pull the database file, even though I was running my adb shell as 'jakhar.aseem.diva' on an unrooted device, I copied the ids2 database file to the SD card and then pulled it to a local drive.

Figure 5 Copying database ids2 to local drive


Opening the downloaded database in an SQLite browser, we can see the myuser table with the username and password values in plain text. This is an Insecure Data Storage vulnerability: the password is stored in plain text in the app's database, readable by anyone who can obtain the file.


Remediation

Do not store passwords or other sensitive data in plain text. Encrypt the sensitive values before writing them to the database, using a key that is generated and held in the Android Keystore so that it cannot be extracted along with the database file.
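The following is an added example (not code from DIVA or from this post) of what the remediation looks like in practice: a hardened replacement for saveCredentials that encrypts the password with an AES-GCM key stored in the Android Keystore and binds the values as SQL parameters instead of concatenating them into the statement. The class name SecureCredentialStore, the key alias, the iv column and the loadPassword helper are assumptions for the example; the Keystore and SQLite APIs used are standard Android (API 23 or later).

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example, not part of DIVA: stores the 3rd party password encrypted
// under a non-exportable Keystore key instead of in plain text.
public class SecureCredentialStore {
    private static final String KEY_ALIAS = "ids2_credential_key"; // assumed alias
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final int GCM_TAG_BITS = 128;

    private final SQLiteDatabase mDB;

    public SecureCredentialStore(SQLiteDatabase db) {
        mDB = db;
        // password holds the AES-GCM ciphertext; iv holds the per-row nonce.
        mDB.execSQL("CREATE TABLE IF NOT EXISTS myuser(user TEXT, password BLOB, iv BLOB);");
    }

    // Returns the existing Keystore key or generates a new 256-bit AES key
    // that never leaves the Keystore (it cannot be pulled with the database).
    private static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(KEY_ALIAS, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    public void saveCredentials(String user, String password) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        // Keystore keys require a fresh random IV per encryption; read it back after init.
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        byte[] iv = cipher.getIV();
        // Authenticate the username with the ciphertext so rows cannot be swapped around.
        cipher.updateAAD(user.getBytes(StandardCharsets.UTF_8));
        byte[] ct = cipher.doFinal(password.getBytes(StandardCharsets.UTF_8));
        // Parameterized insert: user input is bound, never spliced into the SQL text.
        mDB.execSQL("INSERT INTO myuser(user, password, iv) VALUES (?, ?, ?);",
                new Object[]{user, ct, iv});
    }

    // Decrypts the stored password for a user, or returns null if no row exists.
    public String loadPassword(String user) throws Exception {
        try (Cursor c = mDB.rawQuery("SELECT password, iv FROM myuser WHERE user = ?;",
                new String[]{user})) {
            if (!c.moveToFirst()) {
                return null;
            }
            byte[] ct = c.getBlob(0);
            byte[] iv = c.getBlob(1);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
            cipher.updateAAD(user.getBytes(StandardCharsets.UTF_8));
            return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
        }
    }
}
```

With this in place, pulling ids2 the way described above yields only ciphertext and IVs in the password column; the key needed to decrypt it lives in the Keystore and is not in the file. The design choice to use GCM (authenticated encryption) rather than a bare block cipher means tampering with the stored value is detected at decrypt time, and the parameterized INSERT removes the string concatenation that the original saveCredentials relied on.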


Join us in a partnership founded in research, education and execution

Our success is built on protecting our clients’ success. We have a distinguished track record of supporting our clients in building secure by design environments. Our consultants have successfully ushered in new security practices in leading pharmaceutical, energy and retail institutions. Bramfitt has over 50 specialists around the world and we are committed to forging long-term relationships with our clients, providing them with genuine insight and practical advice, and supporting them as they navigate the everchanging security landscape.

Let us be your partner for the next phase of your security journey.
