03. Insecure Data Storage — Part 1

Galilei
Mobile Penetration Testing
2 min read · Mar 26, 2019

Storing sensitive data such as passwords and credit card numbers needs a secure mechanism. Ordinarily, developers use a file, a database or saved settings to store this kind of data. This works for websites and server-based applications, and sometimes for mobile applications, but not always. Suppose another application has root access to the device: it can then read every file or database on the device, including the sensitive data.

In the third task of the DIVA application we face a form. It asks for a username and password to save. Let's enter some random data.

To see how the application saves the data, we need to decompile the following class in the application:

jakhar.aseem.diva.InsecureDataStorage1Activity

As the code shows, DIVA uses PreferenceManager to save the sensitive data in plain text. PreferenceManager writes the data to an XML file in the application's data directory, so any application that has root access can read that sensitive data:

/data/data/<APPLICATION NAME>/shared_prefs/*.xml

How To Secure

You should use hashing algorithms like MD5 and SHA1, applied 10 times or more, to avoid storing sensitive data in plain text. In addition, I prefer using secure encryption techniques and the Key Store for more security.

Final words

We have prepared a step-by-step Android penetration testing guide based on our own experience here. Check for new posts from time to time.

Feel free to add comments to help us improve our posts. By the way, security belongs to everyone.
