Insecure Data Storage: Insecure Logging & Storage

Sanatsu, published in Mobis3c, Feb 12, 2021
Insecure logging

Before we get started, make sure you have a Genymotion setup ready. If not, follow this guide to set up and configure Genymotion on Linux.

PID Cat

Process ID (PID) Cat is a logcat script which only shows log entries for processes from a specific application package.

Installing PID Cat:

#Download pidcat & make it executable
sudo wget -O /usr/local/bin/pidcat https://raw.githubusercontent.com/JakeWharton/pidcat/master/pidcat.py && sudo chmod +x /usr/local/bin/pidcat

To use PIDCat, you need to pass the app identifier (package name), which is unique for each application. For example, the identifier for WhatsApp is com.whatsapp.

[Image: app identifier]

Now, let us learn how to use PIDCat to identify insecure logging.

Launch your preferred device in Genymotion and make sure it is accessible through adb, is connected to the network, and has an IP address assigned.

adb devices

Before using PIDCat, let us understand the logs using logcat. For that, we need to connect to the device using its adb serial.

adb logcat
[Image: log]

The format of the above log message is as follows:

  1. The timestamp of the log message
  2. The process ID the log message comes from
  3. The thread ID
  4. Type of log. The priority value is one of the following character values, ordered from lowest to highest priority:
       V: Verbose (lowest priority)
       D: Debug
       I: Info
       W: Warning
       E: Error
       A: Assert (highest priority)
  5. Service that is pushing the log
  6. Log details

Now, let us view the same logs with PIDCat, which keeps the output clean by showing only the service, type and log details.

pidcat -s 192.168.56.101:5555
[Image: PIDCat log]

As we saw, pidcat simplifies the logs. Let us use it to capture the logs of an application and look for sensitive information being logged.

We can capture the logs of a specific application by giving pidcat the application package name.

pidcat -s 192.168.56.101:5555 com.google.android

The image above shows a log entry written by an application: the HTTP library logged a request to the API, including the bearer token used to authenticate the user.
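To check a saved capture for this kind of leak without reading it line by line, the following added example (not part of the original post) parses `adb logcat -v threadtime` output using the six fields listed earlier and reports credential-like values in redacted form. The tags, URL and secrets in `sample_capture` are constructed, and the two patterns are assumptions to extend for the app under test.

```shell
#!/usr/bin/env bash
# Added example: flag credential-like values in a logcat capture (threadtime format).
# Everything in sample_capture is constructed for illustration.

sample_capture() {
  cat <<'EOF'
02-12 10:15:01.123  2314  2350 D HttpClient: --> GET https://api.example.test/v1/profile
02-12 10:15:01.124  2314  2350 D HttpClient: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln
02-12 10:15:01.300  2314  2314 I Auth    : bearer scheme selected
02-12 10:15:02.010  2314  2350 W Session : login retry password=Tr0ub4dor&device=emu
--------- beginning of crash
EOF
}

# Reads logcat text from files or stdin; prints PRIORITY<TAB>TAG<TAB>KIND<TAB>REDACTED.
scan_logcat() {
  awk '
    function report(kind, val) {
      # Redact so the report does not become a second copy of the secret.
      printf "%s\t%s\t%s\t%s...(%d chars)\n", $5, tag, kind, substr(val, 1, 4), length(val)
    }
    # Fields: date, time, PID, TID, priority, tag. F (fatal) is accepted next to A.
    $1 ~ /^[0-9][0-9]-[0-9][0-9]$/ && $5 ~ /^[VDIWEFA]$/ {
      tag = $6; sub(/:$/, "", tag)       # tags containing spaces are cut at the first word
      low = tolower($0)                  # case-insensitive match, same offsets as the line
      if (match(low, "bearer [a-z0-9._~+/=-]+")) {
        tok = substr($0, RSTART + 7, RLENGTH - 7)
        if (length(tok) >= 16) report("bearer-token", tok)   # ignore prose such as "bearer scheme"
      }
      if (match(low, "(password|passwd|secret|api_key)=[^ &]+")) {
        kv = substr($0, RSTART, RLENGTH)
        report("secret-field", substr(kv, index(kv, "=") + 1))
      }
    }
  ' "$@"
}

# Demo on the constructed capture; on a real device use:
#   adb -s <serial> logcat -d -v threadtime | scan_logcat
sample_capture | scan_logcat
```
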

What can happen here?

If any other application on the device has “read log” access, it can use this token to act as the legitimate user.

But Android no longer supports this permission for third-party applications, because log entries can contain the user’s private information.

Still, applications that are pre-installed, installed on the privileged partition, or running with root access can read these logs.

Can we report this?

No. The “READ_LOGS” permission is revoked for third-party applications after Android 4.1, and most applications don’t support Android 4.1 or lower.

But while dealing with logs, remember to crash the application by closing the emulator, or just clear the application by swiping, while capturing the logs.

Sometimes, when the application crashes midway, it writes a crash dump into a publicly readable directory, for example the Downloads folder.

Any application can read from this kind of directory. So when an application writes log files there, whether on a crash or deliberately, other applications can read those logs, which may contain sensitive information logged during the crash.

Finding Files with global read permissions

We will use a rooted Android device/emulator for security testing, as it provides access to the entire Android system.

[Image: rooted shell]

Now, let us list the files present in /data/data using ls -al

[Image: privileged partition]

A rooted device lets us access app files that are not accessible on non-rooted devices.

We can use find to locate publicly readable files in the privileged directory, that is, files that third-party apps have read access to.

find . -perm -o+r
[Image: public readable files]

Search the files returned by the above command for sensitive information, and report it if any is found.

Now, let us see how applications can access these files and use the sensitive information in them.

Let us impersonate a different app and try to access a file that was created by another application but is publicly readable.

Above, we found many files with public read access, so let us try to access one of them while impersonating a normal application.

We will take one UID from the running processes and switch our user to that app's user ID.

[Image: processes]
[Image: impersonate]

After impersonating, we get permission denied when we try to access the /data/data directory, but we can still access the publicly readable file kal.txt, which is present in that privileged directory.

[Image: permission denied]
[Image: public readable file in privileged directory]
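The `find . -perm -o+r` step and the impersonation check can be combined into one audit, shown here as an added example that is not part of the original post. It goes slightly beyond the text: for each world-readable file it also checks that every directory between the file and the scanned root grants traverse (`o+x`) to other users, which is what decides whether another UID can open the file even when listing the directory is denied. The function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: list world-readable files under a data root and say whether
# another UID could actually reach them through the directory permissions.

# True when directory $1 grants execute (traverse) to "other".
other_can_traverse() {
  [ -n "$(find "$1" -prune -perm -o+x 2>/dev/null)" ]
}

# Prints STATUS<TAB>PATH for every regular file with the o+r bit under $1.
audit_world_readable() {
  root=${1%/}
  find "$root" -type f -perm -o+r 2>/dev/null | while IFS= read -r f; do
    status=reachable
    d=$(dirname "$f")
    while :; do
      if ! other_can_traverse "$d"; then
        # A parent without o+x shields the file even though the file is o+r.
        status="blocked-by:$d"
        break
      fi
      case $d in
        "$root"|/|.) break ;;    # stop at the scanned root (or the top of the tree)
      esac
      d=$(dirname "$d")
    done
    printf '%s\t%s\n' "$status" "$f"
  done
}

# Run against a directory given on the command line, e.g. /data/data from a root shell.
if [ "$#" -gt 0 ]; then
  audit_world_readable "$1"
fi
```

Files reported as `reachable` are the ones worth confirming from another app's UID, as done with kal.txt above.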

Summary:

As root, we can see the files created by the application, which may contain sensitive information. So, as root, we check the permissions of the files created by that application, and if a file is publicly readable, we impersonate a different app to show that other apps can access the files containing sensitive information.

If the application logs sensitive data but the report is not accepted as a valid bug because we accessed it as the root user, we impersonate a normal user (another app) to make it valid.
