Saturday, December 31, 2016

ANDROID PT - DIVA / 6 - Insecure Data Storage 4 - External Storage


- Layout for this exercise:

- Connecting from Santoku to Nexus 5 with ADB:

- Launching the application: 

- Clicking the tab of the challenge 6:

- The application asks for credentials, username and password, and then saves them:

- Examining the Java source code of this challenge helps to understand how the application saves the credentials:

- The method saveCredentials shows that the credentials are saved in an external storage directory, inside a file called .uinfo.txt. The dot at the beginning of the file name makes it a hidden file, which gives it a layer of security through obscurity only:

- Looking inside the SD card directory with the ls command, nothing interesting is found:

- However, when ls is run with the -la options, hidden files starting with a dot, like .uinfo.txt, are listed:

- Opening the file reveals the credentials:
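
- The storage pattern described above, next to a hardened alternative, as an added example that is not the application's own code. The class and method names are hypothetical, the "user:password" record layout is an assumption, and the hardened file name uinfo.txt is chosen only for illustration:

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Added illustration, not DIVA source. Names and the record layout
// ("user:password") are assumptions made for this example.
public final class CredentialStore {

    private CredentialStore() { }

    // Insecure pattern: the file lands on shared external storage.
    // The leading dot only hides it from a plain `ls`; any app with
    // storage access, or anyone with an adb shell, can still read it.
    static void saveInsecure(String user, String password) throws IOException {
        File dir = Environment.getExternalStorageDirectory();
        File target = new File(dir, ".uinfo.txt");
        try (FileWriter writer = new FileWriter(target)) {
            writer.write(user + ":" + password + "\n");
        }
    }

    // Hardened pattern: the file is created in the app's private
    // internal storage. MODE_PRIVATE makes it accessible only to the
    // app's own UID, so other apps and a non-root adb shell cannot
    // read it.
    static void saveInternal(Context ctx, String user, String password)
            throws IOException {
        byte[] record = (user + ":" + password + "\n")
                .getBytes(StandardCharsets.UTF_8);
        try (FileOutputStream out =
                     ctx.openFileOutput("uinfo.txt", Context.MODE_PRIVATE)) {
            out.write(record);
        }
    }
}
```

Internal storage only removes the exposure to other apps and to a non-root shell; the password is still plaintext on disk and readable on a rooted device, so storing a revocable token or encrypting with a key held in the Android Keystore is the stronger design.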