Android Hacking Part 10: Insecure Local Storage
Let's take a look at other security issues related to local storage in Android.
File Download:
SQLite Database
SQLite is a lightweight, file-based database; its database files usually carry the extension ".db" or ".sqlite". Android ships full support for SQLite. A database created by an application lives in that application's private data directory, so by default it can be read only by that application and not by other applications on the device. That protection rests entirely on Linux file permissions: anyone with root or physical access to the device can read the file directly, which is what the rest of this part demonstrates.
Download the file linked above, install it and run it, then enter some data in the application as we did in the previous part.
The following code snippet shows how the application works with its SQLite database.
As soon as the application receives the user name and password entered by the user, it opens the database, inserts the data and closes the database again.
In the code that inserts the data, we have extended the "SQLiteOpenHelper" class and insert the user's input into the table whose name is held in the variable "TABLE_NAME".
Now that we know how the application writes data into the database, let's look at where that data is stored on the device and try to read it back out.
Application databases are generally stored in the following location:
/data/data/<package name>/databases/<database name>.db
Now let's go to the above directory to see if the application has created a database.
As with SharedPreferences, we could use adb to pull the file to the local computer, but this time we take a different route.
This time we use the "DDMS" perspective in Eclipse to extract data from the device. Once "DDMS" is enabled in Eclipse, it lets us do a lot of interesting things.
Eclipse with DDMS enabled
With DDMS we can read files from the device with a few clicks in the File Explorer, instead of typing adb commands.
In our example we navigate to the "com.adnroidpentesting.sqlitestorage" directory under "/data/data". When the directory is expanded, the files shown below are listed; the SQLite file we are interested in is in the "databases" directory. PWNSQLITEDATA.db is the file we need. We pull the file to the local computer and then do the following:
1. Install the SQLite3 command-line client on your computer.
2. Connect to the database with the following command:
sqlite3 PWNSQLITEDATA.db
3. Run the ".tables" command to list all table names.
4. Run "select * from <table_name>;" to query all data in a table.
For example:
Internal Storage
Another way for Android apps to save data is internal storage: a plain file in the application's private data directory. Open the application, enter a test credit card number and click Save.
The following code snippet shows how the application saves the data:
After receiving the user's input, the application writes it unencrypted to the file secret.txt (files written with openFileOutput() end up under /data/data/<package name>/files/).
Open DDMS and download the corresponding secret.txt file to the local computer; the credit card number is readable as plain text.
External Storage
The SD card (external storage) is another common place for Android apps to keep their data; WhatsApp, for example, stores its data on the SD card.
Developers must keep in mind, however, that data on the SD card is world-readable: any application with access to external storage can read it, and the card can simply be removed from the device and read in another device or a card reader.
The test app can be downloaded from the link above. After installing it, enter some test data.
The following is the code snippet the app uses to write the data to the SD card.
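As an added example (not code from the original article, and not the test app's own code), the script below does the tester's side of the internal and external storage checks above: it walks a directory tree pulled from the device with adb or DDMS and reports every file containing a plaintext card number, using the Luhn check to separate real card numbers from other digit runs such as order IDs or timestamps. The directory layout (a /data/data/com.example.storage/files/secret.txt and an sdcard folder), the package name and the file contents are constructed stand-ins, not anything taken from the article's app.

```python
"""Scan files pulled from a device (internal storage, SD card) for plaintext card numbers.

Added example, not code from the original article. The package name
com.example.storage, the file names and their contents are constructed
stand-ins for the article's secret.txt and SD card file.
"""
import os
import re
import tempfile

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(number):
    """Return True if the digit string passes the Luhn checksum used by payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the Luhn-valid digit runs found in text, with separators removed."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        candidate = re.sub(r"[ -]", "", m.group())
        if luhn_ok(candidate):
            hits.append(candidate)
    return hits


def scan_tree(root):
    """Return {relative path: [card numbers]} for every file under root that contains one."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            # Binary files decode lossily; digit runs survive, everything else is ignored.
            hits = find_card_numbers(data.decode("utf-8", errors="ignore"))
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_pull(root):
    """Constructed stand-in for an 'adb pull' of the device; paths and contents are assumptions."""
    internal = os.path.join(root, "data", "data", "com.example.storage", "files")
    sdcard = os.path.join(root, "sdcard")
    os.makedirs(internal)
    os.makedirs(sdcard)
    with open(os.path.join(internal, "secret.txt"), "w") as f:
        f.write("4111 1111 1111 1111\n")                    # well-known test number, passes Luhn
    with open(os.path.join(sdcard, "notes.txt"), "w") as f:
        f.write("order 1234567890123 placed 20140101\n")    # 13-digit order id, fails Luhn
    with open(os.path.join(sdcard, "cards.txt"), "w") as f:
        f.write("backup: 5555555555554444\n")               # well-known test number, passes Luhn


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_pull(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, numbers in demo().items():
        print(f"{path}: {', '.join(numbers)}")
```

On a real engagement point scan_tree() at the directory you pulled with adb pull /data/data/<package name> (rooted device) or at the SD card mount; the Luhn filter keeps the report short, but anything that looks like a password or token still has to be reviewed by hand.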
User dictionary
Android also provides a feature called the "User Dictionary": words added to it are suggested the next time the user starts typing them. If an application lets sensitive input (a password, a card number) reach the user dictionary, it is stored in the system database "user_dict.db", and any application can read it through the user dictionary content provider (content://user_dictionary/words), or, on a rooted device, by pulling the database directly. Later Android releases restrict this provider to input methods and spell checkers, so check the target version.
Another method is to download the database to the local machine and open it with the SQLite client, for example:
Use the SQLite client to read data from the database.
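The sqlite3 client steps in the SQLite section (".tables", then "select * from <table>") and the user dictionary dump above are the same operation on two different files. The Python script below is an added example, not code from the original article, that performs both in one pass: it enumerates every table from sqlite_master, dumps the rows and flags columns whose names suggest secrets. The two databases it opens are built in a temporary directory as stand-ins for the app's PWNSQLITEDATA.db and the system's user_dict.db; their schemas and contents are assumptions (the real user_dict.db has more columns than shown here).

```python
"""Dump every table of SQLite databases pulled from a device.

Added example, not code from the original article. Reproduces what
".tables" followed by "select * from <table>" does in the sqlite3 client,
for every table at once, and flags columns whose names hint at secrets.
The two databases built below are constructed stand-ins; their schemas
are assumptions.
"""
import os
import sqlite3
import tempfile

SENSITIVE_HINTS = ("pass", "pin", "card", "secret", "token", "cvv")


def list_tables(db_path):
    """Equivalent of the sqlite3 client's ".tables" command."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name").fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def dump_table(db_path, table):
    """Equivalent of "select * from <table>"; returns (column names, rows)."""
    con = sqlite3.connect(db_path)
    try:
        # Identifiers cannot be bound as parameters, so quote the name instead;
        # it came from sqlite_master, not from untrusted input.
        quoted = '"' + table.replace('"', '""') + '"'
        cur = con.execute("SELECT * FROM " + quoted)
        columns = [d[0] for d in cur.description]
        rows = cur.fetchall()
    finally:
        con.close()
    return columns, rows


def sensitive_columns(columns):
    """Column names that suggest stored secrets (triage aid only)."""
    return [c for c in columns if any(h in c.lower() for h in SENSITIVE_HINTS)]


def dump_database(db_path):
    """Return {table: {"columns": [...], "rows": [...], "flagged": [...]}} for one database."""
    report = {}
    for table in list_tables(db_path):
        columns, rows = dump_table(db_path, table)
        report[table] = {"columns": columns, "rows": rows,
                         "flagged": sensitive_columns(columns)}
    return report


def build_sample_app_db(path):
    """Constructed stand-in for the article's app database (schema and data assumed)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('alice', 'Summer2014!');
    """)
    con.commit()
    con.close()


def build_sample_user_dict(path):
    """Constructed stand-in for user_dict.db (reduced schema, data assumed)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE words (_id INTEGER PRIMARY KEY, word TEXT, frequency INTEGER, locale TEXT);
        INSERT INTO words (word, frequency, locale) VALUES ('hunter2', 250, 'en_US');
    """)
    con.commit()
    con.close()


def demo():
    """Build both stand-in databases in a temporary directory and dump them."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, builder in (("PWNSQLITEDATA.db", build_sample_app_db),
                              ("user_dict.db", build_sample_user_dict)):
            path = os.path.join(d, name)
            builder(path)
            results[name] = dump_database(path)
    return results


if __name__ == "__main__":
    for db, report in demo().items():
        for table, info in report.items():
            print(f"{db} / {table}: columns={info['columns']} flagged={info['flagged']}")
            for row in info["rows"]:
                print("   ", row)
```

To use it on a real pull, call dump_database() with the path of the file you downloaded through DDMS or adb; the column-name flags only shorten the review, so rows in unflagged tables (the user dictionary's "word" column, for instance) still need a look.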
Summary
In this article we looked at how Android applications use SQLite, internal storage and external storage, and showed that data stored in any of them can easily be stolen by someone with physical access to the device (or with adb/DDMS access to it). Developers should therefore never store sensitive information such as passwords or card numbers in plain text: encrypt it before writing it, or better, do not keep it on the device at all.