Unintended Data Leakage - Leaking content providers

When an application processes sensitive information taken as input from the user or any other source, it may result in placing that data in an insecure location in the device. This insecure location could be accessible to other malicious apps running on the same device, thus leaving the device in a serious risk state.

Unintended data leakage occurs when a developer inadvertently places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device.

Below is the list of scenarios where unintended data leakage flaws may exist.

• Leaking content providers
• Copy/paste buffer caching
• Logging
• URL caching.

I will be using Appuse which is a vm developed for Android Application Penetration Testing.

Im using Insecure Bank V2 application.

Steps for Unintended Data Leakage Leaking content providers

1.Get the package name from androidmanifest.xml file of the app.

2.Open drozer on the android mobile.

3.Start the server.

4.Open the terminal and enter adb forward tcp:31415 tcp:31415

5.Now enter drozer console connect

6.On the drozer terminal enter run app.package.attacksurface package_name.

7. You will get if there are any exported content provider.

8.Enter run app.provider.finduri package_name to get the exported content provider name.

9. To get all the data enter run app.provider.query content_provider_name.

Insecure Data Storage Shared Preferences Database

Shared Preferences

Android provides many ways of storing data of an application.

One of this way is called Shared Preferences. Shared Preferences allow you to save and retrieve data in the form of name,value pair.

I will be using Appuse which is a vm developed for Android Application Penetration Testing.

Im using Sieve application.

Steps for Insecure Data Storage shared preferences database:

1.Get the package name from androidmanifest.xml file of the app.

To get package name of an app use the command

apktool d app_name.apk

2.Open the terminal and enter adb shell.

3.su root.

4.cd data/data/

5.Enter into the directory of the app using the package name.

6.cd package_name.

7.Enter ls

8.Enter into the directory with name shared preferences.

9.Enter ls to view the files in the directory.

10.Open a new terminal.

11.Copy the file from android to your linux with command

adb pull data/data/package_name/Shared_Pref/file_name

12.Open the file in your linux.

13.Search for sensitive data stored in the file.

15.It can include usernames and passwords.
 

Insecure Data Storage SQLite database

Android offers multiple standard facilities for data storage

 1.Shared Preferences

 2.SQLite databases

Each of these storage types can be created and accessed in various ways, including managed and native code, or through structured interfaces like Content Providers.

Developers include plaintext storage of sensitive data, unprotected Content Providers and insecure file permissions.

If an attackers gets access to the android mobile then he can use tools to get such information.

This information can include username,password,credit card no.

I will be using Appuse which is a vm developed for Android Application Penetration Testing.

Im using Sieve application.

To get the data stored in SQLite database use the following steps:

1.Get the package name from androidmanifest.xml file of the app.

To get package name of an app use the command

apktool d app_name.apk

2.Open the terminal and enter adb shell.

3.su root (if you are not into the shell as root).

4.cd data/data.

5.Enter the directory of the app using cd package_name.

6.Enter ls.

7.Search for a directory with a name SQLite or database.

8.Enter ls to get all the files in the directory.

9.Copy the file from android to appuse

adb pull data/data/package_name/SQLite/file_name

10.To view the data in the file we will use sqlite3 tool. It is included in the Appuse. To use it open a terminal in appuse and enter sqlite3 filename.

11.Enter .tables to get all the tables in the SQLite database.

12. To view all the data in the table enter command select * from table_name;