06. Insecure Data Storage — Part 4

Galilei
Mobile Penetration Testing
2 min read · Mar 30, 2019

This is the final tutorial on storage issues, and it covers External Storage. As the Android API documentation describes, external storage may be an SD card or a part of the device's internal storage. The important point is that it is publicly readable: any application holding the READ_EXTERNAL_STORAGE permission can read the data. It is definitely not a good place to save sensitive data in plain text.

We start by decompiling the application:

The source code shows that DIVA creates a file in the external storage folder. The external storage path varies between Android versions, so you may need a quick Google search to find it. Once you have the path, simply open the file and look at what is inside.

WhatsApp also saves its database file in external storage. But don't worry: it is heavily encrypted, and the key file is securely saved in the application's private folder.

How To Secure

Encrypt the data with a key that is kept in the Android Keystore, and keep the ciphertext in the application's private storage rather than on external storage.

Final words

We have prepared a step-by-step Android penetration testing guide based on our own experience here. Check for new posts from time to time.

Feel free to add comments to help us improve our posts. By the way, security belongs to everyone.
