INSECURE DATA STORAGE 4 - EXTERNAL STORAGE
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN3ysPFDiLz71tKNKtTbQ-gbYIMOvFyzCKI9CWL78TjPKjXRWYpCIlFmXgXhGx2AJ03-cD6Vx-LMBzN8gZzBhlbR1mLbvF3IFft3RoDMDfuNW6_eUA1t68o-9wqG_cxHU7to9FSgnsuPpq/s1600/screenshot.1.jpg)
- Connecting from Santoku to Nexus 5 with ADB:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYPhk653C14QA8vth06HWnXBRzLa4itaCupLrevAArhsXls8xlPnBjqnB7G9OexQ9Gw-iTW0IdEsuYLhnHoyJgNyT3ta6dIQkIP20bRiI7-iGSeLanLEgnTEoAxE4-6vAsDxFRU1Bfsk6C/s1600/screenshot.2.jpg)
- Launching the application:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz6576UYClMUg7cta6ou1b4_2BoUvAgbjYjq5s8Q3SqaTSvqUZSC2tmqAxes00dFVTBIcf982KByOK3twqTQ7iL_dtaGn3agLL_xOaOhUBWdABnBwwAMuvPD1kq3gxfNLdyr06FLfx173e/s400/screenshot.3.jpg)
- Clicking the tab of the challenge 6:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF7Uwdmk3r8yFnFnkWGabbFcR0iBTOpysivmHfxM47Xbj82W1dLakmKBqI-xmHhdLNocGFV3_FmDfitFl7dDwHlg9h-yDYnnEnZ-1Kyeu5kn7rW8oUOy7i9gCqPHJjQZSONr0CIW_O_w8o/s1600/screenshot.4.jpg)
- The application ask for credentials, username and password, and then saves them:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9Y-drIZWHXforn3jHozQ9Ju4NKwz71OSN_ZCqfSN74HuH3BQ49dFRa40LHQlYW0ts9pQCkMIHp3ONdrwr2oqzG5SvSiprbBufmQyzyojrhFkopkvQBqSx5aalNPCxMhW-5sokV2pB-z4Z/s640/screenshot.5.jpg)
- Examining the Java source code of this challenge, InsecureDataStorage4Activity.java, helps to understand how the application saves the credentials:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrTpYFpYrm2h453I-fjAFsAb66s7cIXpVcfhwDPWQSxkkX0K9LzJliFTupxbeG-OkMTBPzN4G5Xipv2noX2dDtM7E2vpYG3JAKErS0vU3fH6w1dHvMbdHKcDmn0GHY9BluGT_Mv5vKh0yj/s1600/screenshot.6.jpg)
- The method saveCredentials indicates that an external storage directory is used to save the credentials, inside a file called .uinfo.txt. The dot at the beginning of the file means that it is a hidden file, giving it a layer of security:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNFbDWpTyXlwNGIlBCsMD4BNK-PRSOBp4GhUft82iUV2SrQNsq3Nbcmcv3Dp4zGErBh0OQOpp8yNbET9Y2pwrlPMYoZik-m_SZachF_7qB9wOmm44CmlMVr62pSg1lgRPkc3FLIYUOqvPn/s1600/screenshot.10.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixKO3sSmHdlSSqkXQHvhDztwqFtkqsPHD6Oo3KpL4hgZ2t9S5rUeGtSM5_N7_cQRzLivUNb_CAP8pgyrOBmUGdtNxbMU84TbdrbJUflzo7kD1fq3S8_M6jgaSjTrlGDIXjENOa8pFCHSA_/s1600/screenshot.8.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdlVqtV6ct78S3mbo6aMlrfXLkzDSvVLw60RhqDp8WHrX__YxSJUOXmpISSBMvsc1qTfqnLzNatGls5Lbz-qT1G1k0mJtj7q6QuAjIyEcyAlwREl-_pRs5VW-HvpLF9dseihe-9FgvQyLQ/s1600/screenshot.9.jpg)
- Looking inside the SD card directory with command ls, nothing interesting is found:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOdqx2Eor2VOrwZgn4o9Rdeuhr9xxdzsN9XBz0BzHadNHpG5Rw3lS2b4o-xbWfQKntWlG60UZaCNxDa1mYxHo4Xi6st7XohX7_us249Q3KtffLH6Ba-Y9n6pSGON58H0UQFKKwwMHNwA0i/s1600/screenshot.11.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGbPjej3WkpYMgb8EN3RfKA7t2yy6XQBCJWeRhFiyHgTsmDyx9HLEzhXDaIGLFdJJuAfA-MrssKRhc4cOqMIoolaE6RKtCWl5LkWSLZfOOUGzY-6pl9zwg4pLGwqT0P-XfeBsWLuuupuwR/s400/screenshot.12.jpg)
- However, when command ls is run with -la options, it is possible to detect hidden files like .uinfo.txt, starting with a dot:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-bsxyonFmfwGrSnHhOt_l4YcPxQonoz-hptIwfVAmRsarTn113UIRzPyiBUbDiHzPqE-Sz1X9g8AQz4nTxQ8b8-QsO1RIprgeBAxqsG6Mj5yBtrhG3dGfIqikenMmyl4P1dmneIXLY3Dq/s1600/screenshot.13.jpg)
- Openning the content of the file, the credentials are available:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglMnZjkqtElSFEeEcEa6phdMeKbyUPztgP-_sHjmOyzvz8GykCVbzHpt5MyBfMyMM_VSW8AsjABTjUjFlbm5J10GWC8O3HMiK5PQeVWSavEWrgeuuE21dxN8uLxxAbGsC-gbgxnQvA9Wmy/s1600/screenshot.14.jpg)