top of page
Search

External Insecure Data Storage in Android

  • Writer: Abhilasha
    Abhilasha
  • Jul 12, 2024
  • 1 min read

Overview:

  • Android provides options to save persistent application data, including external storage locations like SD cards.

  • Files saved to external storage prior to Android 4.1 are world-readable, and before Android 1.0, they are world-writable.

  • From Android 1.0 to 4.3, the WRITE_EXTERNAL_STORAGE permission allows apps to write to any external storage file.

  • Starting with Android 4.4, file access permissions are based on directory structure, isolating apps from accessing each other's primary external storage spaces.

Key Points:

  1. External Storage Examples:

  • Micro or standard SD cards internal to the device.

  • Android device storage mounted to a PC.

  • The Android/obb directory.

  1. Security Risks:

  • Files on external storage can be modified or read by other apps or users.

  • Sensitive data should not be stored on external storage without encryption.

  1. Common Vulnerabilities:

  • Apps sometimes store sensitive data without encryption.

  • Sensitive information like shared preferences, databases, and temporary files might be stored on external storage.

Example Vulnerability Analysis:

  1. Code Review:

  • Developers might use Environment.getExternalStorageDirectory() to reference external storage.

  • Example code shows creating a file uinfo.txt in external storage: File localFile2 = new File(localFile1.getAbsolutePath() + "/.uinfo.txt");.

  1. Exploitation Steps:

  • Use ADB (Android Debug Bridge) to navigate to the app's external storage directory.

  • Hidden files can be listed using ls -a and viewed using cat ./uinfo.txt to extract sensitive information like usernames and passwords.

Practical Steps to Identify Insecure Storage:

  1. Check Source Code:

  • Identify where data is being saved using external storage references.

  1. Use ADB Commands:

  • Navigate to the external storage directory.

  • List files using ls -a to find hidden files.

  • View file content with cat to extract and analyze sensitive data.

By understanding these practices, you can better identify and mitigate risks associated with external data storage in Android applications.

 
 
 

Recent Posts

See All
PE internals

Linked Libraries and Functions Imported Functions: Definition: These are functions used by a program that are actually stored in...

 
 
 
OS internals

Privilege Separation Concept: Modern operating systems separate user applications (untrusted) from critical operating system components...

 
 
 
Memory Management in short

Address Space CPU Access: To run instructions and access data in main memory, the CPU needs unique addresses for that data. Definition:...

 
 
 

Comentarios

Subscribe Form

Thanks for submitting!

©2021 by just dump 1. Proudly created with Wix.com

bottom of page