In this article we will learn about insecure local storage on Android.
In the previous article, we discussed the common techniques app developers use to detect rooted devices, and how an attacker can bypass some of them. In this article, we will discuss the various methods Android developers use to store data locally and then see how secure these methods are.
Device loss is a very common problem with mobile devices. An attacker who has physical access to a device can gain access to both personal and corporate data stored on it, and the situation is worse if the device is rooted, because the private data directory of every installed app becomes readable. If the data storage mechanisms used by an application are not implemented properly, this can lead to serious attacks.
Android Local Data Storage Techniques
Developers can store data in Android apps locally in various ways as listed below.
Shared preferences are XML files that store private primitive data in key-value pairs. Supported data types are booleans, floats, ints, longs, strings and sets of strings.
SQLite databases are lightweight file-based databases, usually with the extension “.db” or “.sqlite”. Android provides full support for SQLite. A database created by the application is accessible to any class in that application; other applications cannot access it by default.
Internal storage is another way we can store files directly on the device. By default, files stored in internal storage are private to your app and cannot be accessed by other apps. When a user uninstalls your app, these files are deleted.
External storage is another place you can use to store files. This can be removable media (such as an external SD card) or a non-removable partition of the device's internal flash. Files on external storage are world-readable: any app holding the external storage permission can read them, and a removable card can be read on any computer.
In the next section, we’ll look at how developers can use shared preferences to store data on the device, and then we’ll see how an attacker can also access that data from the device.
Prerequisites for performing the steps:
- A computer with the Android SDK installed
- Rooted mobile device/emulator to install apps
Test the functionality of the application
I developed a test application that demonstrates the problem. You can download the sample application from the download section. After downloading, install the app on your rooted Android device or emulator.
The application can be installed using adb using the following command:
adb install .apk
Each sample application has a feature to store data locally. When we launch it, it appears as shown in the figure below (the Shared Preferences app is used here).
Start the sharedpreferences application and enter some sample data in the username and password fields.
Shared preferences are created in Android applications using the SharedPreferences class. Below is the code section used in the sample application available for download.
As we can see in the image above, we created an instance of SharedPreferences and then used its Editor object to insert the data; the Editor writes the key-value pairs to an XML file on disk when the edit is committed.
Now let’s go ahead and see where this data is stored in the application.
Shared preferences are stored inside the app's private data directory, under /data/data/<package name>/shared_prefs/ (the package name is the app's identifier, for example com.sticksports.stickcricket in the next section):
So let’s walk through and explore the above path to see if there are any shared preferences created in this app.
As we can see in the image above, there is a folder called “shared_prefs”. It is created when an app first uses shared preferences. We can change into the shared_prefs directory and use the “cat” command to print the contents of the XML file directly in the shell.
If we want to get the XML file onto our local machine, we can pull it with adb as shown below.
As we can see in the above figure, “userdetails.xml” file has been copied onto the local machine. We can now see the contents of the file as shown in Figure 6.
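The file pulled above has a simple structure, and a practitioner checking many apps will want to scan it rather than read every file by eye. The following Python script is an added example, not code from the article or its sample app: it parses the shared_prefs XML format that SharedPreferences writes and flags string entries whose key names suggest credentials. The userdetails.xml content embedded in it is constructed for the example (the article's real file is only shown in a figure), and the list of suspicious key names is an assumption to adjust for the app under test.

```python
"""Scan an Android shared_prefs XML file pulled from a device for plaintext secrets.

Added example (not from the article): parses the on-disk format that
SharedPreferences.Editor writes under /data/data/<package>/shared_prefs/
and reports string entries whose key names look like credentials.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on what the article's sharedpreferences app
# would write to userdetails.xml. The values are made up.
SAMPLE_USERDETAILS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">Winter2023!</string>
    <boolean name="remember_me" value="true" />
    <int name="login_count" value="3" />
    <set name="roles">
        <string>user</string>
        <string>beta</string>
    </set>
</map>
"""

# Key names that commonly hold secrets. Assumption: tune this for the app under test.
SENSITIVE_KEY_RE = re.compile(
    r"(pass(word|wd)?|pwd|pin|secret|token|api[_-]?key|auth|session|cred)",
    re.IGNORECASE,
)


def parse_shared_prefs(xml_text):
    """Return {key: (type, value)} for every entry in a shared_prefs file.

    <string> entries carry the value as element text; the primitive types
    (boolean, int, long, float) carry it in a 'value' attribute; <set>
    entries contain child <string> elements without a name attribute.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError("not a SharedPreferences file: root is <%s>" % root.tag)
    prefs = {}
    for node in root:
        name = node.get("name")
        if name is None:
            continue
        if node.tag == "string":
            prefs[name] = ("string", node.text or "")
        elif node.tag == "set":
            prefs[name] = ("set", [c.text or "" for c in node.findall("string")])
        else:
            prefs[name] = (node.tag, node.get("value"))
    return prefs


def find_sensitive(prefs):
    """Return [(key, value)] for non-empty string entries whose key suggests a secret."""
    hits = []
    for key, (kind, value) in prefs.items():
        if kind == "string" and value and SENSITIVE_KEY_RE.search(key):
            hits.append((key, value))
    return hits


if __name__ == "__main__":
    # Usage: python scan_prefs.py userdetails.xml   (falls back to the sample)
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            text = f.read()
    else:
        text = SAMPLE_USERDETAILS_XML
    for key, value in find_sensitive(parse_shared_prefs(text)):
        print("plaintext secret in key %r: %r" % (key, value))
```

Run it on a file pulled from /data/data/<package>/shared_prefs/. A hit means the app wrote the value unencrypted; a key named password whose value looks like random bytes is still worth checking, because an encrypted value stored next to the key that encrypts it is no better than plaintext on a rooted device.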
Cracking gaming applications to modify the scores
Most of the games available for mobile platforms are native apps and do not require an internet connection to play. So it stands to reason that the statistics associated with the game are stored locally somewhere on the device itself. If we examine the local file system on a rooted device for the files holding these game scores, we can edit them and set whatever score we like.
Let’s take a popular app called StickCricket. This game is very popular on the internet and I personally love it because of the difficulty of getting high scores. Let’s see how we can adjust the score of this app directly in its local files.
Requirements for this exercise:
- The device must be rooted
- Droid Explorer file system analysis tool
- ADB access to the device
When we launch the StickCricket app to play, it has an activity that shows the best score so far. Generally it is difficult to get 130+ from 5 overs.
Now, let’s see how we can crack this application to increase the score.
Let’s navigate to the application’s local file system to see the files where the application can store its data. This is shown in the following figure.
We opened an adb shell on the device and then elevated our privileges using the “su” command. Every app installed on an Android device keeps its app-specific data under /data/data/<package name>/, so we changed to /data/data/com.sticksports.stickcricket/.
If we execute the “ls” command here, we can see some directories where the application stores its data. The directory we are interested in is “shared_prefs”. Now go to the shared_prefs directory and see if there are any interesting files in there. This is shown in the image below.
We went to the shared_prefs directory and listed all the files in it. There are three XML files. Looking at the contents of each with the “cat” command, it is obvious that “Cocos2dxPrefsFile.xml” is the file used to store the scores. Now we need to replace the existing scores in this file with the scores we want.
For this I use a tool called “Droid Explorer” in Windows.
You can download Droid Explorer from its official website: http://de.codeplex.com/.
Droid Explorer is a nice tool for interacting with your device using Windows Explorer. Its GUI makes our life easier to perform various tasks like moving files from device to computer, uninstalling apps, backup etc.
Below are the steps.
- Connect your Android device to your computer.
- Launch Droid Explorer and navigate to the destination directory.
- Pull the file from the device onto the computer and open it in a text editor.
In the above figure, we have changed the highest score from 129 to 180.
- Now, delete the Cocos2dxPrefsFile.xml file from the Android device using Droid Explorer.
- Push the modified “Cocos2dxPrefsFile.xml” file from the machine to device using DroidExplorer.
- Launch the game again. Now we should be able to see the modified score updated in the application as shown below.
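Droid Explorer is convenient, but the same edit can be scripted so that it is repeatable and does not depend on a Windows tool. The following Python script is an added example and not part of the article: it rewrites one entry of a shared_prefs XML file in the format SharedPreferences writes (a value attribute for primitives, element text for strings) and can add an entry that does not exist yet. The sample Cocos2dxPrefsFile.xml content and its key names are constructed for the example; the game's real key for the best score has to be read from the pulled file, which the article shows only in a figure.

```python
"""Edit one entry of an Android shared_prefs XML file (e.g. Cocos2dxPrefsFile.xml).

Added example, not from the article. The sample content and key names below
are constructed; read the real key names from the file pulled off the device.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for the pulled Cocos2dxPrefsFile.xml (assumed key names).
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="best_score_5_overs" value="129" />
    <int name="games_played" value="42" />
    <string name="player_name">Srinivas</string>
    <boolean name="sound_on" value="true" />
</map>
"""

# Element names SharedPreferences uses for the primitive types.
PRIMITIVE_TAGS = ("int", "long", "float", "boolean")
XML_DECLARATION = "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n"


def set_pref(xml_text, name, value, kind=None):
    """Return the file contents with entry `name` set to `value`.

    An existing entry keeps its type unless `kind` contradicts it; a missing
    entry is created and then needs `kind` ('int', 'long', 'float',
    'boolean' or 'string').
    """
    root = ET.fromstring(xml_text)
    node = next((n for n in root if n.get("name") == name), None)
    if node is None:
        if kind is None:
            raise KeyError("%r not present; pass kind= to create it" % name)
        node = ET.SubElement(root, kind, name=name)
    elif kind is not None and kind != node.tag:
        raise ValueError("%r is a %s, not a %s" % (name, node.tag, kind))
    if node.tag == "string":
        node.text = str(value)
    elif node.tag in PRIMITIVE_TAGS:
        if node.tag == "boolean":
            value = "true" if value in (True, "true", 1) else "false"
        node.set("value", str(value))
        node.text = None
    else:
        raise ValueError("unsupported entry type <%s>" % node.tag)
    # Emit the same declaration Android writes so the file round-trips cleanly.
    return XML_DECLARATION + ET.tostring(root, encoding="unicode") + "\n"


def get_pref(xml_text, name):
    """Return the raw string value of one entry, or None if it is absent."""
    for node in ET.fromstring(xml_text):
        if node.get("name") == name:
            return node.get("value") if node.tag in PRIMITIVE_TAGS else node.text
    return None


if __name__ == "__main__":
    # Usage: python edit_prefs.py Cocos2dxPrefsFile.xml <key name> 180
    # Host-side workflow on a rooted device (adb pull from /data/data needs adbd
    # running as root, e.g. `adb root` on an emulator; otherwise copy the file to
    # /sdcard with `su -c cp` first):
    #   adb shell am force-stop com.sticksports.stickcricket
    #   adb pull /data/data/com.sticksports.stickcricket/shared_prefs/Cocos2dxPrefsFile.xml .
    #   python edit_prefs.py Cocos2dxPrefsFile.xml <key name> 180
    #   adb push Cocos2dxPrefsFile.xml /data/data/com.sticksports.stickcricket/shared_prefs/
    import sys
    path, name, value = sys.argv[1:4]
    with open(path, encoding="utf-8") as f:
        text = f.read()
    with open(path, "w", encoding="utf-8") as f:
        f.write(set_pref(text, name, value))
```

Two things the Droid Explorer steps gloss over: stop the game before pushing the file (`adb shell am force-stop com.sticksports.stickcricket`), because a running app keeps its SharedPreferences in memory and writes that copy back on its next commit, silently undoing the edit; and check ownership after the push, since a file written as root may not be readable or writable by the app's own uid (compare `ls -l` against the other files in shared_prefs and fix it with chown if needed).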
In this article, we have seen how shared preferences are implemented in Android apps and what security issues arise when they are used to store sensitive data in the clear. It is recommended to use available crypto libraries to secure application data; note that this only helps if the encryption key is not itself stored in the app's data directory or hardcoded in the APK, where an attacker with the same root access can recover it. We’ll cover how to use crypto libraries in your Android apps later in this series. In the next article, we will see other ways of storing data in Android apps and the security issues associated with them.