04. Insecure Data Storage — Part 2

Galilei
Mobile Penetration Testing
2 min read · Mar 26, 2019

As we discussed earlier, storing sensitive data as plain text is completely insecure. This is the second task that shows the data leakage risk in Android applications.

Let's engage the task. On the front we see a form like the last one that asks for a username and password.

If we enter data and click SAVE, the application saves them. Let’s look at the code to see how the application manages saving (use JADX to reverse engineer the APK):

The interesting part is that it saves the sensitive data in a database file. That means that if we read the database file in the application folder, we can find the credentials there. Let's get the database file:

# db directory: /data/data/jakhar.aseem.diva/databases
# list the directory
adb shell "ls /data/data/jakhar.aseem.diva/databases"
# pull the db file
adb pull "/data/data/jakhar.aseem.diva/databases/ids2"

After running the commands above, you’ll see the divanotes.db file in your current path. Use SQLite Browser to read the db file easily.

How To Secure

Use hashing algorithms such as MD5 and SHA1, iterated 10 times or more. Additionally, encrypt the data for more security.
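As an added example that is not from the original post or from DIVA's own code, the Python script below builds a constructed stand-in for the pulled SQLite database: one row stored the way the task does it (plaintext, which is exactly what shows up in the SQLite browser after adb pull), and one stored the hardened way as a salted, iterated hash (PBKDF2-HMAC-SHA256 here rather than the MD5/SHA1 named above). The table and column names are assumptions, not DIVA's real schema.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed schema: the post does not show DIVA's real table or column names,
# so "myuser(user, password)" is a constructed stand-in.
SCHEMA = "CREATE TABLE myuser (user TEXT PRIMARY KEY, password TEXT NOT NULL)"

def store_plaintext(conn, user, password):
    # Insecure: the password lands in the .db file verbatim, which is what
    # adb pull + a SQLite viewer recovers.
    conn.execute("INSERT INTO myuser VALUES (?, ?)", (user, password))

def store_hashed(conn, user, password, iterations=200_000):
    # Hardened: random per-user salt plus a slow iterated hash. Stored as
    # algorithm$iterations$salt$digest so verification can recompute it.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    stored = f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"
    conn.execute("INSERT INTO myuser VALUES (?, ?)", (user, stored))

def verify_hashed(conn, user, candidate):
    # Recompute with the stored salt/iterations; compare in constant time.
    row = conn.execute("SELECT password FROM myuser WHERE user = ?", (user,)).fetchone()
    if row is None:
        return False
    _, iters, salt_hex, digest_hex = row[0].split("$")
    computed = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                   bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(computed.hex(), digest_hex)

def dump(conn):
    # The analyst's view of the pulled file: every stored row.
    return conn.execute("SELECT user, password FROM myuser ORDER BY user").fetchall()

def build_demo_db():
    # Constructed sample credentials, one stored each way.
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    store_plaintext(conn, "alice", "S3cret!")
    store_hashed(conn, "bob", "S3cret!")
    return conn

if __name__ == "__main__":
    for user, value in dump(build_demo_db()):
        print(f"{user}: {value}")
```

Running it prints alice's password in the clear and bob's as a salt and digest from which the password cannot be read back, while verify_hashed still authenticates bob.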

Final words

We prepared a step-by-step Android penetration testing guide based on our own experience here. Check for new posts from time to time.

Feel free to add comments to help us improve our posts. By the way, security belongs to everyone.
