INSECURE DATA STORAGE 2 - LOCAL DATABASES
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN3ysPFDiLz71tKNKtTbQ-gbYIMOvFyzCKI9CWL78TjPKjXRWYpCIlFmXgXhGx2AJ03-cD6Vx-LMBzN8gZzBhlbR1mLbvF3IFft3RoDMDfuNW6_eUA1t68o-9wqG_cxHU7to9FSgnsuPpq/s1600/screenshot.1.jpg)
- Connecting from Santoku to Nexus 5 with ADB:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYPhk653C14QA8vth06HWnXBRzLa4itaCupLrevAArhsXls8xlPnBjqnB7G9OexQ9Gw-iTW0IdEsuYLhnHoyJgNyT3ta6dIQkIP20bRiI7-iGSeLanLEgnTEoAxE4-6vAsDxFRU1Bfsk6C/s1600/screenshot.2.jpg)
- Launching the application:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz26LudzftvVhlVECnYZvnq2eZHOOhCD0Ku501fUdU0VM2la60N2SRK0UcblEUUP2u7NKDULpBFOE4H4eZbq09qhg1-k-HFMB1AvTWLoaymRoY21KQJ5kMcplr3hUecqXdIup0YuKXvHjT/s400/screenshot.3.jpg)
- The fourth challenge is based on the fact that some applications store sensitive information in local databases.
- Clicking the challenge 4 tab:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ3OpbadiXjL7D2h-FZS-1ZnndKDU0hQcejkPwAU_dRax4u-mfz2hllLE_umTcKTgejFb14edmT2sJZQWeJJVC3qA_0dXo1P9jjVFdMfZ8_wV_761mno0xm0vNluo8FU-24WirdOafGoXf/s400/screenshot.4.jpg)
- The application prompts the user for credentials (username + password) to be saved.
- In this example, let's introduce these simple credentials:
username: Alice
password: PasswordForAlice
- The applications displays a message stating that the credentials have been successfully saved:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEituVrmBF2B0TDrB3vTupdkflkNZoM7mgtuQcxq1No0coPCcEERXrRbT8x7G1NTsgsYYM9hlEf7OLoLwKsHF3w-8u3ss_cT4v3ccJsPB12h1YdvKvpXOhXTdaoAxfNemi2s4aE4xquzQfIS/s1600/screenshot.5.jpg)
- Searching inside the package jakhar.assem.diva, there is a folder named databases:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmwyLROiDHHEh_orOd0AJnKpQv1T43MI5gOOIh8lbf0NLfu_QR4dTMdcz1geTLwnzh-bWOjkZyVAPdXUhlCm1INagelUAN-EhuyUXXz5QsxMZeL_2CrWD9-awXlxEM5j2geZMfg6F2XRdi/s1600/screenshot.6.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSCDOKyLbLuJZa1VbeUEQONemF5NJL9xQythYhQ6zEn7zVhbDibaV7wbj0Eb6mljXpg02Pi85pA1gHwycTg9MrBVgVv6gDrMJaW5utMxmix657GcZVdjUp0wFqCV-xBTNmnNTBNYzPxiyI/s1600/screenshot.7.jpg)
- Opening the folder, there are a number of different databases. We could try any of them until finding interesting information. However, for the sake of simplicity, let's go directly to ids2:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYxuF9qP8NYXJ2VZ3q1qbTQVWIAbip3wSi3n-UHhPT67t-aCwi6xJbrIGePccPUdjhAE3-3xUecaFxgclT7tQwkh-gb87732zcRXiclWmZ1-ihbp-hOb9WY0TPMsBDNeNBhsX501fD3ua9/s1600/screenshot.4.jpg)
- Android uses SQlite database management system:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHfhHFoYzcQfeAjXIak4X07URJhDDqY3o1gQaSYy_B55OmOo0TlLJ-PJklht5ik1bgNT9I4jo_0ysWP3ZJb8RfJEg1X3okDW7-X-17guwoS-5TwhC1M3QXhb8omO259jbd0sKTMHaEVckH/s1600/screenshot.8.jpg)
- There are 2 tables inside the ids2 database:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8WQ63M9CTHLmRzy83qN3_9XoWQHbgvpmahSH8oVkvEcFj8T-4fj9Rm8TNOWJNMHIlpZKV10TJFOpytCUCV7_YgQSJSjUFXjHHv8p6dT7QinGR4iOH1aUPx79IUTW-91MBSaU_ATZqo0jO/s400/screenshot.9.jpg)
- Selecting everything from the table myuser, we find the credentials introduced by the user:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEIfA0UJ6BdjKYfS7tQgeJ3AsqvGhst2FAj3dbeyrdFuh1PhAsBgT3gIY1ONRtc3RExkmw7U9LTN_GWf-tGnavzy4eO-Wpz0F_3hH3eOPSK35KkvVmKogAYKUx-HCc7op1304BSLWsqA3T/s400/screenshot.10.jpg)