Mobile Application Pentesting-Part 3

Piyush Patil
May 18, 2019 · 4 min read

Insecure Data Storage

PART 2

As we discussed earlier, storing sensitive data as plain text is insecure. This second task shows another data-leakage path in Android applications: credentials written unencrypted to the app's private database. Enter a test username and password:

username=fakeusername

password=fakepassword

Let’s check the code of InsecureDataStorage2Activity.java to know what is happening.

As you can see, the username and password are written unencrypted into a SQLite database named "ids2" (Android's built-in database engine is SQLite, and the file lands in the application's private databases directory).

That means that reading the database file from the application's data directory reveals the credentials. Let's get the database file:

# database directory: /data/data/<app-package>/databases

adb pull /data/data/jakhar.aseem.diva/databases/ids2

The "ids2" file exists; I don't know the reason why it is showing the error.

Workaround: adb pull runs as the unprivileged shell user, which cannot read an application's private data files on a stock device. Copy the file as root into /data/local/tmp, which shell can access, and make shell its owner:

adb shell su

cd /data/data/jakhar.aseem.diva/databases

cp ids2 /data/local/tmp

cd /data/local/tmp

chown shell ids2

exit

adb pull /data/local/tmp/ids2

Let's see what is inside ids2. It is a plain SQLite file, so sqlite3 ids2 .dump (or any SQLite browser) prints the rows:
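The following is an added example, not code from the original post or from DIVA, showing what to do with the pulled file: it discovers the tables from sqlite_master, dumps them read-only so the evidence is never modified, and flags columns whose names look like secrets. The sample database it builds is constructed to stand in for ids2; the table and column names (myuser, user, password) are assumptions, so on a real engagement point dump_sqlite() at the file you pulled.

```python
"""Dump every table of a SQLite file pulled from an Android app.

Added example (not DIVA's code). The database built by build_sample_ids2()
is a constructed stand-in for DIVA's ids2; its schema is an assumption.
"""
import os
import sqlite3
import tempfile


def dump_sqlite(path):
    """Return {table_name: (columns, rows)} for every user table in the file.

    The schema is discovered from sqlite_master, so the app's table names
    need not be known in advance. Android's own android_metadata table and
    SQLite's internal tables are skipped.
    """
    result = {}
    # Read-only URI open: the pulled file is evidence and must stay untouched.
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' AND name NOT LIKE 'android_%'")]
        for table in tables:
            # Table names come from an untrusted file: quote them, do not trust them.
            cur = con.execute(f'SELECT * FROM "{table}"')
            columns = [d[0] for d in cur.description]
            result[table] = (columns, cur.fetchall())
    finally:
        con.close()
    return result


def find_credential_columns(dump):
    """Heuristic: flag columns whose names suggest secrets and return their values."""
    hints = ("pass", "pwd", "secret", "token", "key")
    hits = []
    for table, (columns, rows) in dump.items():
        for i, col in enumerate(columns):
            if any(h in col.lower() for h in hints):
                hits.append((table, col, [r[i] for r in rows]))
    return hits


def build_sample_ids2(path):
    """Constructed stand-in for ids2: one plaintext credential row (schema assumed)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE myuser(user VARCHAR, password VARCHAR)")
    con.execute("INSERT INTO myuser VALUES (?, ?)", ("fakeusername", "fakepassword"))
    con.commit()
    con.close()


def demo():
    """Build the sample file, dump it, and return (full dump, flagged secrets)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ids2")
        build_sample_ids2(path)
        dump = dump_sqlite(path)
        return dump, find_credential_columns(dump)


if __name__ == "__main__":
    dump, hits = demo()
    for table, (columns, rows) in dump.items():
        print(table, columns, rows)
    for table, col, values in hits:
        print(f"possible secret in {table}.{col}: {values}")
```

Run it as-is to see the constructed sample, or call dump_sqlite("ids2") on the file from adb pull; the flagged list is only a name heuristic, so still read the full dump.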


Insecure Data Storage

PART 3

cat InsecureDataStorage3Activity.java

A temporary file with the prefix uinfo is created in the application's data directory, and the credentials from the user input are written to it in plain text. Java's createTempFile() appends a random number to the prefix, so list the directory to find the exact name, then read it:

cat info-419988827tmp


Insecure Data Storage

PART 4

cat InsecureDataStorage4Activity.java

The code shows that the credentials are written to external storage, in a file called .uinfo.txt. The leading dot only hides the file from a default directory listing; it is no protection.

Any application holding the READ_EXTERNAL_STORAGE permission can read files on the shared external storage (the SD card or its emulated equivalent), and WRITE_EXTERNAL_STORAGE implicitly grants read access as well. The file is therefore exposed to every other app with either permission, and to anyone with the device over adb:

adb shell "cat /storage/emulated/0/.uinfo.txt"


Input Validation Issues

Input validation attacks are attacks in which an attacker deliberately sends malformed or unexpected input to make an application misbehave. Input validation routines are the first line of defence against them. Examples include buffer overflows, directory traversal, cross-site scripting and SQL injection.

PART 1 - SQL Injection

Let's look at the code.

cat SQLInjectionActivity.java

The activity builds the search query by concatenating the user's input straight into the SQL string. A normal search for admin runs:

SELECT * FROM sqliuser WHERE user='admin';

and the input admin' or 'a'='a'-- turns it into:

SELECT * FROM sqliuser WHERE user='admin' or 'a'='a'--';

-- ==> two dashes, with no space between them.

-- starts a SQL comment, so everything after it (here the closing quote the application appends) is ignored, and 'a'='a' is always true, so the query returns every row in sqliuser.
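The following is an added example, not DIVA's code, that reproduces the two queries above against a constructed sqliuser table (its extra columns and rows are assumptions). It shows the concatenated query returning every row for the payload, the same payload failing without the trailing comment, and a parameterised query that treats the payload as plain data.

```python
"""Concatenated vs parameterised search query, modelled on DIVA's SQLi task.

Added example (not DIVA's code). The sqliuser table is constructed sample
data; only the table name and the user column come from the post.
"""
import sqlite3


def make_db():
    """In-memory stand-in for the app's sqliuser table (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sqliuser(user VARCHAR, password VARCHAR, credit_card VARCHAR)")
    con.executemany("INSERT INTO sqliuser VALUES (?, ?, ?)", [
        ("admin", "passw0rd", "1111-1111"),
        ("diva", "p@ssw0rd", "2222-2222"),
        ("john", "password123", "3333-3333"),
    ])
    return con


def vulnerable_search(con, user_input):
    """String concatenation, as the activity does: input becomes part of the SQL.

    Returns (query actually executed, rows) so the mangled SQL can be inspected.
    """
    query = "SELECT * FROM sqliuser WHERE user='" + user_input + "'"
    return query, con.execute(query).fetchall()


def safe_search(con, user_input):
    """Parameterised query: the input is bound as data and can never become SQL."""
    query = "SELECT * FROM sqliuser WHERE user=?"
    return query, con.execute(query, (user_input,)).fetchall()


def query_error(con, user_input):
    """Return the SQLite error message for a concatenated query, or None if it ran."""
    try:
        vulnerable_search(con, user_input)
        return None
    except sqlite3.Error as e:
        return str(e)


# The payload from the post: the trailing -- comments out the closing quote
# that the application appends after the input.
PAYLOAD = "admin' or 'a'='a'--"
PAYLOAD_NO_COMMENT = "admin' or 'a'='a'"   # leaves a dangling quote behind


def demo():
    con = make_db()
    return {
        "normal": vulnerable_search(con, "admin")[1],              # 1 row
        "injected_sql": vulnerable_search(con, PAYLOAD)[0],        # the mangled query
        "injected": vulnerable_search(con, PAYLOAD)[1],            # all 3 rows
        "no_comment_error": query_error(con, PAYLOAD_NO_COMMENT),  # syntax error
        "injected_param": safe_search(con, PAYLOAD)[1],            # no rows
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameterised form is the fix for the activity: the query text is fixed at compile time and the driver passes the input separately, so quotes and comment markers in it are never interpreted as SQL.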


Input Validation Issues

PART 2 - WebView-based Vulnerability

A WebView is a browser component that renders web content inside a mobile application.

As you can see in the above image, google.com is unreachable because the INTERNET permission is not declared in the AndroidManifest.xml.

The WebView loads whatever URL is typed in, so the file: scheme gives access to local files the application can read, including the .uinfo.txt written to external storage in Part 4:

file:///sdcard/.uinfo.txt

A WebView that must display user-supplied URLs should restrict them to http(s) and call setAllowFileAccess(false) on its WebSettings, so that a typed-in file: URL cannot read the device's files.


Input Validation Issues

PART 3 - Buffer Overflow

Type a random string such as "hello" to see what happens.

The application uses JNI (Java Native Interface), which means the DivaJni class calls into a native library written in another language, such as C or C++.

Now, let's explore the native source code available at the link:

The native source shows that the application copies the user-supplied input with the strcpy() function.

Let's try a large input so that the buffer overflows.

- strcpy() does not check whether the destination buffer is large enough to hold the source string; it keeps copying until it reaches the source's terminating NUL byte.

- Copying an over-long string therefore writes past the end of the buffer and corrupts adjacent memory (on the stack this includes the saved return address). The immediate symptom is a crash of the application; a crafted input can turn the same corruption into code execution. The fix is a bounded copy (strncpy or snprintf with the destination size, or strlcpy where available) together with a length check on the input before copying.

Piyush Patil

Written by

Reverse Engineering, Penetration Testing( Web, Mobile, IoT, Network, Infra)
