AdSense

Saturday, December 31, 2016

ANDROID PT - DIVA / 6 - Insecure Data Storage 4 - External Storage


INSECURE DATA STORAGE 4 - EXTERNAL STORAGE


- Layout for this exercise:





- Connecting from Santoku to Nexus 5 with ADB:





- Launching the application: 





- Clicking the tab of the challenge 6:



- The application ask for credentials, username and password, and then saves them:




- Examining the Java source code of this challenge, InsecureDataStorage4Activity.java, helps to understand how the application saves the credentials:




- The method saveCredentials indicates that an external storage directory is used to save the credentials, inside a file called .uinfo.txt. The dot at the beginning of the file means that it is a hidden file, giving it a layer of security:








- Looking inside the SD card directory with command ls, nothing interesting is found:






- However, when command ls is run with -la options, it is possible to detect hidden files like .uinfo.txt, starting with a dot:




- Openning the content of the file, the credentials are available: