This week, we will be looking at the 3rd Insecure Storage issue and understand its impact on App.

We can see the 3rd part of Insecure Data Storage screen looks same as the previous exercise. New 3rd party service name and password has been entered and saved (username: admin and password123).


Let us walk through the code to understand how the data is stored comparing against the previous exercise.


Open the classes.dex using jadx gui, click on InsecurityDataStorage3Activity under jakhar.aseem.diva.InsecureDataStorage3Activity class. Here the class InsecurityDataStorage2Activity inherits the properties & methods of AppCompatActivity which is another Android class library. There are two methods:


    1. Create
    2. saveCredentials


Figure 4: Source code review

Create method handles creating content view for user to enter data.


Second method saveCredentials saves the user input user/password and saves it to temporary file displaying 3rd party credentials saved successfully. Similar to the previous exercise, error handling takes care of file error related issues and displays a message (if any).


The temporary file is located in “/data/data/jakhar.aseem.diva”. These temporary locations are different for each Android version. So, it’s up to us to find the location.


Figure 5: Directory listing on Temporary file location

Figure 5: Directory listing on Temporary file location


We can see from the source code from saveCredentials method, there is a function “createTempFile”, which takes first two parameters value as “uinfo” and “tmp”. We can safety assume the temporary file starts with word “uinfo” and “tmp” is also used in the file name. Similarly in adb shell directory listing, there is a file listed uinfo2259285420332939749tmp”. This could be our temporary file, let us read the contents:

Figure 6: Temporary file contents (Credentials)

Figure 6: Temporary file contents (Credentials)


We can see the credentials are stored in plain text into temporary file. This is another InsecureStorage vulnerability.



Use any encryption technique with Keystore to ensure it is stored securely. Most insecure storage issues can be mitigated in this way.

Join us in a partnership founded in research, education and execution

Our success is built on protecting our clients’ success. We have a distinguished track record of supporting our clients in building secure by design environments. Our consultants have successfully ushered in new security practices in leading pharmaceutical, energy and retail institutions. Bramfitt has over 50 specialists around the world and we are committed to forging long-term relationships with our clients, providing them with genuine insight and practical advice, and supporting them as they navigate the everchanging security landscape.

Let us be your partner for the next phase of your security journey.

EMEA Headquarters
Tower 42, 25 Old Broad Street London, EC2N 1HN
+44 (0) 208 187 4234
AMER Headquarters
45 Rockefeller Plaza, 20th Floor New York, NY 10111
+1 (800) 468-6046
APAC Headquarters
96 Wanneroo Rd, Yokine WA 6060, Australia
iasme consortium
iasme consortium
cyber essentials
cyber essentials plus
iot security assured
ukas iso 9001ukas iso 27001
Back to top
Get in touch