LAB - Insecure Data Storage
In this lab environment, you will get access to a Debian machine which has all the required tools for this lab installed, along with an Android emulator. To start the Android emulator, run the "startemulator.sh" script present in "/root/Desktop".
Objective: Find and exploit the insecure data storage vulnerability.
The following Android applications are used in this lab:
Salesperson.apk: A "Salesperson" app that stores orders in a world-readable file. (Pre-installed on the emulator.)
Readorders.apk: A malicious app which can read the orders stored by the "Salesperson" app. (Pre-installed on the emulator.)
Tools
adb: Android Debug Bridge is a versatile command-line tool that allows developers and users to interact with Android devices and emulators. It's part of the Android SDK Platform-Tools package and provides a range of functionalities for debugging, testing, and managing Android devices.
Jadx: Jadx is a popular open-source tool used for decompiling and analyzing Android application packages (APKs). It allows developers and security researchers to reverse-engineer APK files to understand their inner workings, extract resources such as source code, images, and other assets, and analyze the app's behavior.
First, start the emulator, open the app and test it:


So, I can create a new order and now I can search by ID... it smells like IDOR... xd

Now, I extract the APK file:
## Search package (pm prints the install path, including a per-install random suffix)
adb shell pm list packages -f "salesperson"
## Get APK (use the exact path printed above; the suffix after the package name differs on every install)
adb pull /data/app/com.litesh.salesperson-1n_UBhYLrPkOIsKm5YFQWg==/base.apk /root/Desktop/

With the APK pulled, we can open it in jadx-gui, which decompiles it, to perform our further analysis.
Here, navigate to the "Source code" > "com" > "litesh.salesperson" > "MainActivity" file.

We can see that the getFilePath method returns a File object pointing to orders.txt inside the public Documents directory on external storage.

Next, the saveOrder method writes a given entry (as a string) to that orders.txt file in the public Documents directory on external storage.

This code is vulnerable because it stores sensitive data (the order entries) in plain text on public external storage, outside the app's private sandbox. On the emulator used here, any other app holding the storage permission can read or modify the file, as can anyone with shell access to the device; on newer Android versions with scoped storage the bar for a third-party app is higher (for example MANAGE_EXTERNAL_STORAGE or the Storage Access Framework), but the file is still shared and still unencrypted. This exposes the data to unauthorized access, tampering, or leakage, especially if it contains personal or financial information. App-private internal storage should be used instead, with the file additionally encrypted under a key held in the Android Keystore if the data must survive a dump of the data partition.
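As an added example (not the decompiled Salesperson source), the following Java reconstructs the vulnerable getFilePath/saveOrder pattern next to two hardened replacements: app-private internal storage, and the same location with file encryption from the androidx.security:security-crypto library. The OrderStorage class, the method names and the use of that library (1.1.0-alpha or later, which provides MasterKey) are assumptions for illustration.

```java
// Added example, not the decompiled Salesperson code. Class and method names
// are assumptions; the encrypted variant assumes the dependency
// androidx.security:security-crypto (1.1.0-alpha or later).
import android.content.Context;
import android.os.Environment;
import androidx.security.crypto.EncryptedFile;
import androidx.security.crypto.MasterKey;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

public class OrderStorage {

    // VULNERABLE: the file lands in the shared Documents directory on external
    // storage, outside the app sandbox. Any other app with the storage
    // permission (and anyone with adb shell access) can read or rewrite it.
    public static File getFilePathInsecure() {
        File docs = Environment.getExternalStoragePublicDirectory(
                Environment.DIRECTORY_DOCUMENTS);
        return new File(docs, "orders.txt");
    }

    public static void saveOrderInsecure(String entry) throws IOException {
        // Plain text, appended, no confidentiality or integrity protection.
        try (FileOutputStream out = new FileOutputStream(getFilePathInsecure(), true)) {
            out.write((entry + "\n").getBytes(StandardCharsets.UTF_8));
        }
    }

    // BASELINE FIX: app-private internal storage. Files under getFilesDir()
    // belong to the app's own uid, so other apps (and the Files app) cannot
    // open them on a non-rooted device.
    public static void saveOrderPrivate(Context ctx, String entry) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(
                "orders.txt", Context.MODE_PRIVATE | Context.MODE_APPEND)) {
            out.write((entry + "\n").getBytes(StandardCharsets.UTF_8));
        }
    }

    // STRONGER FIX: same private location, plus AES-256-GCM file encryption
    // under a key kept in the Android Keystore, so the orders are also
    // protected if the data partition is dumped (root, backup, forensics).
    public static void saveOrderEncrypted(Context ctx, String entry)
            throws IOException, GeneralSecurityException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        File target = new File(ctx.getFilesDir(), "orders.enc");
        EncryptedFile encryptedFile = new EncryptedFile.Builder(
                ctx, target, masterKey,
                EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB)
                .build();

        // EncryptedFile cannot append and refuses to overwrite an existing
        // file, so do a read-merge-rewrite: decrypt the current contents,
        // add the new entry, delete the old file and write it whole again.
        StringBuilder merged = new StringBuilder();
        if (target.exists()) {
            try (InputStream in = encryptedFile.openFileInput()) {
                merged.append(new String(readAll(in), StandardCharsets.UTF_8));
            }
            if (!target.delete()) {
                throw new IOException("could not replace " + target);
            }
        }
        merged.append(entry).append('\n');
        try (OutputStream out = encryptedFile.openFileOutput()) {
            out.write(merged.toString().getBytes(StandardCharsets.UTF_8));
        }
    }

    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }
}
```

The baseline fix alone already defeats the Readorders-style attack, because it relies on the per-app uid sandbox rather than on a permission the attacker can simply request. The encrypted variant is worth the extra read-merge-rewrite cost only when the threat model includes offline access to the data partition; it does not help against a malicious app that can already run as the victim's uid.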
First, let's check whether we can view the orders.txt file. Open the apps menu and look for the "Files" app.

Select "AOSP on IA Emulator" storage from the hamburger menu.

Then go to the "Documents" directory.

Here, we can find the orders.txt file.


We can see the data in plain text (unencrypted).

Next, we will use the "Readorders" APK to read the data stored by the "Salesperson" app.
Note: The "Readorders" APK is acting as a malicious application which is capable of reading the orders.txt file created by the "Salesperson" app.
Open the "Readorders" app from the home screen.


We were successfully able to read the data from the orders.txt file created by the "Salesperson" app.

Now, let's pull this malicious "Readorders" APK and decompile it to analyze the source code.
## Search package (again, the printed path carries a per-install random suffix)
adb shell pm list packages -f "readorders"
## Get APK (use the exact path printed above)
adb pull /data/app/com.litesh.readorders-E5v_xQq_ETiMXTdsWhRm3A==/base.apk ~

## Open the APK in jadx-gui
jadx-gui base.apk
Navigate to the "MainActivity" file. The readOrdersFile method reads a file named orders.txt from the public Documents directory on the device's external storage, the same location where the "Salesperson" app stores its orders.txt file. No exploit is involved: the malicious app simply opens the file by its well-known path, so the only thing it needs is the storage permission.
