Mobile Application Pentesting-Part 3
Insecure Data Storage
PART 2
As we discussed earlier, storing sensitive data as plain text is completely insecure. This is the second task that shows the data leakage risk in Android applications.
username=fakeusername
password=fakepassword
Let’s check the code of InsecureDataStorage2Activity.java to know what is happening.
As you can see, the username and password are stored in an SQL database named “ids2”.
That means if we read the database file from the application folder, we can find the credentials there. Let’s get the database file:
# database directory: /data/data/<app-package-path>/databases
adb pull "/data/data/jakhar.aseem.diva/databases/ids2"
The “ids2” file exists; I don’t know why it is showing the error.
Solution to this error:
adb shell su
cd /data/data/jakhar.aseem.diva/databases
# copy the database somewhere the adb shell user can read, and make it owned by that user
cp ids2 /data/local/tmp
cd /data/local/tmp
chown shell ids2
Let’s see what is inside ids2:
Insecure Data Storage
PART 3
cat InsecureDataStorage3Activity.java
A temporary file uinfo is created, in which the credentials coming from the user input are saved:
cat info-419988827tmp
Insecure Data Storage
PART 4
cat InsecureDataStorage4Activity.java
It indicates that the external storage directory is used to save the credentials, inside a file called .uinfo.txt.
If the application uses the READ_EXTERNAL_STORAGE permission, then it can read the external storage (SD card).
If the application uses the WRITE_EXTERNAL_STORAGE permission, then it also has permission to read the external storage (SD card).
adb shell "cat /storage/emulated/0/.uinfo.txt"
Input Validation Issues
Input validation attacks are when an attacker deliberately sends unexpected input to confuse an application. Input validation routines serve as the first line of defense against such attacks. Examples of input validation attacks include buffer overflow, directory traversal, cross-site scripting, and SQL injection.
PART 1 - SQL Injection
Let’s look at the code.
cat SQLInjectionActivity.java
SELECT * FROM sqliuser WHERE user='admin';
SELECT * FROM sqliuser WHERE user='admin' or 'a'='a'--;
-- ==> There is no space between the two dashes.
-- means that anything which comes after -- is treated as a comment.
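The query construction above, with the vulnerable string concatenation beside the parameterized form, as an added example (this is not DIVA’s own code; the sqliuser schema and the rows in it are assumed for the demonstration):

```python
import sqlite3

# Constructed sample rows for a table mirroring the "sqliuser" table the activity queries
# (assumed schema: user, password, credit_card; the values are made up).
SAMPLE_ROWS = [
    ("admin", "passw123", "1111-2222-3333-4444"),
    ("diva", "p@ssword", "5555-6666-7777-8888"),
]


def make_db():
    """Build an in-memory SQLite database with the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sqliuser (user TEXT, password TEXT, credit_card TEXT)")
    conn.executemany("INSERT INTO sqliuser VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user):
    """Same pattern as the activity: user input is concatenated straight into the SQL text,
    so quote characters in the input change the structure of the query."""
    query = "SELECT * FROM sqliuser WHERE user='" + user + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user):
    """Hardened form: the input is bound as a parameter and is never parsed as SQL,
    so the same payload simply matches no user."""
    return conn.execute("SELECT * FROM sqliuser WHERE user=?", (user,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or 'a'='a'--"
    print("vulnerable:", lookup_vulnerable(db, payload))        # every row is returned
    print("parameterized:", lookup_parameterized(db, payload))  # []
```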
Input Validation Issues
PART 2 - WebView-based Vulnerability
A WebView is simply browser content being rendered inside a mobile application.
As you can see in the above image, google.com is unreachable because the INTERNET permission has not been included in the AndroidManifest.xml.
Using the File protocol, access to the uinfo file can be achieved:
file:///sdcard/.uinfo.txt
Input Validation Issues
PART 3 - Buffer Overflow
Typing a random string, “hello”, to check what happens.
The application uses JNI (Java Native Interface), which suggests that the DivaJni method is related to a program written in another language.
Now, let’s explore the source code available at the link:
https://github.com/payatu/diva-android/blob/master/app/src/main/jni/divajni.c
After exploring the source code available at the above link, it is clear that the application processes user-supplied input using the strcpy() function.
Let’s try giving a large input value so that the buffer overflows.
- The problem is that the function strcpy does not check whether the destination buffer is large enough to hold the source parameter.
- A consequence of this bad usage of strcpy is memory corruption, i.e. a buffer overflow, and eventually the crash of the application.
