In this article we will learn about Insecure Local Storage.
What is Insecure Local Storage?
SQLite databases are lightweight, file-based databases, usually with the extension ".db" or ".sqlite". Android has built-in SQLite support. A database an application creates lives in the app's private data directory and is accessible to every class in that application. Other applications cannot open it directly, because the file is owned by the app's own Linux user. That protection only holds against other apps on an unrooted device: anyone with root on the device, or with a debuggable build of the app, can copy the file off the device and read it, which is exactly the scenario this article walks through.
Install the application listed in the download section and run it. Then enter the sample data into the application as we did in the previous article (Shared Preferences).
The code snippets below (Figures 1 and 2) show how the sample application stores data in a SQLite database.
After receiving the username and password from the user, the application opens the database, inserts the values into a table and closes the database again. This is shown in Figure 1; the backend logic is shown in Figure 2.
The helper class extends "SQLiteOpenHelper". As we can see in Figure 2, the insert writes the values taken from the user, unchanged and unencrypted, into the table whose name is held in the constant "TABLE_NAME".
Now that we understand how this application inserts values into the database, let's see where the database file is stored on the device and how to read the data back out of it.
A common place where databases are stored in Android apps is:
So let’s walk through and explore the above path to see if any databases are created in this application.
The procedure is the same as for SharedPreferences, so instead of pulling the file with ADB again, this time we will show another way to get the data off the device.
In this case we use DDMS (Dalvik Debug Monitor Server) in Eclipse to extract the data from the device. DDMS is enabled as an Eclipse perspective and, among other tools, gives us a file explorer for the connected device.
After enabling and running it, the DDMS window looks like Figure 3.
Instead of typing ADB commands, we can pull files from the device with a click of the mouse, as shown in Figure 3. DDMS and the Eclipse ADT plugin have since been retired; Android Studio's device file explorer or a plain "adb pull" does the same job. Whichever tool you use, reading "/data/data" requires a rooted device or a debuggable build of the app.
In our case we navigated to "/data/data/" and then to "com.androidpentesting.sqlitestorage". Expanding this directory shows all of the app's files and folders. Since we are interested in SQLite files, we went to the "databases" directory, which holds the "PWNSQLITEDATA.db" database. We pull it onto the machine as shown in the image above and then follow the steps below.
Install the SQLite3 client on your computer.
Open the database file with the sqlite3 client, passing the pulled file as the argument (the exact command is shown in Figure 4).
List all available tables using the “.tables” command.
Query and display the data using the command below.
select * from table_name;
These steps are illustrated in Figure 4 below.
Internal storage (a plain file in the app's private data directory) is another way of storing data in Android apps. Launch the application, enter the sample credit card number into the text box and click save.
Below is the code snippet which shows how the application is functioning.
As we can see in the figure above, the application takes the user input (the credit card number) and writes it, in plaintext, to a file named "secret.txt".
Let's open DDMS in Eclipse and pull the file onto the machine as we did in the previous case (SQLite databases).
Now, we can read the file with the cat utility as shown in Figure 7.
The SD card (external storage) is another important place where Android apps store data. WhatsApp is a classic example: it keeps its media files and message backups on the SD card.
Developers who store data on the SD card should be careful, because it is not private to the app. Any other app holding the "READ_EXTERNAL_STORAGE" permission can read it, and because the card can be removed and plugged into another device, or the storage mounted over USB, no app-level permission protects it from someone with the device in hand.
You can download the sample app from the download section and enter some sample credit card number after installing the app.
Below is the code snippet used to save this credit card number to the SDCARD.
The code above requires the "WRITE_EXTERNAL_STORAGE" permission, so the corresponding <uses-permission> element must be declared in AndroidManifest.xml. Note that this permission only lets the app write to the card; it does nothing to protect what is written there.
User Dictionary Cache
Android has a feature called the User Dictionary. Words added to it are offered as suggestions the next time the user types something similar. If an application lets the keyboard learn from sensitive input fields (for example, by not marking a field as a password or "no suggestions" input type), the values the user types can end up in a database named "user_dict.db", which other applications can read through the user dictionary app's content provider. Newer Android releases restrict that provider to the active input method and spell checker, so the cross-app exposure applies to the older versions this article targets; the file itself can still be pulled from a rooted device.
Another way to read it is to pull the database file from the device and open it with a SQLite client, as in the figures below.
Figure 10 shows how to pull the database file from the device.
The figure above shows how one can read the contents of the "user_dict.db" file.
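Both the application database pulled earlier ("PWNSQLITEDATA.db") and "user_dict.db" are read the same way: list the tables, then select everything from each. The script below is an added example, not part of the article, that does this with Python's built-in sqlite3 module, so it works without the sqlite3 command-line client and can be pointed at any pulled .db file. The two databases it builds are constructed stand-ins: on a real pull the table and column names come from ".tables" and ".schema"; here the app table is assumed to be called "users", and the dictionary schema follows the columns of Android's UserDictionary.Words provider.

```python
"""Triage a SQLite database pulled from an Android device.

Added example serving the SQLite storage and user dictionary sections; not
the article's code. Enumerates every table through sqlite_master and dumps
its rows, which is what '.tables' and 'select * from table_name;' do in the
sqlite3 client. The sample databases are constructed.
"""
import os
import sqlite3
import tempfile


def list_tables(db_path: str) -> list[str]:
    """Names of the user tables, as '.tables' would print them."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name"
        ).fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def dump_table(db_path: str, table: str) -> tuple[list[str], list[tuple]]:
    """Column names and every row of one table ('select * from table_name;')."""
    # A table name cannot be bound as a parameter, so quote it as an identifier.
    # That matters because the names come out of an untrusted database.
    ident = table.replace('"', '""')
    con = sqlite3.connect(db_path)
    try:
        cur = con.execute(f'SELECT * FROM "{ident}"')
        cols = [d[0] for d in cur.description]
        rows = cur.fetchall()
    finally:
        con.close()
    return cols, rows


def dump_database(db_path: str) -> dict[str, tuple[list[str], list[tuple]]]:
    """Every table in the file, keyed by table name."""
    return {t: dump_table(db_path, t) for t in list_tables(db_path)}


def build_samples(root: str) -> tuple[str, str]:
    """Constructed stand-ins for the two databases the article pulls.

    The 'users' table layout is an assumption; the article only shows that the
    app inserts a username and password. The 'words' table follows the
    UserDictionary.Words columns (_id, word, frequency, locale).
    """
    app_db = os.path.join(root, "PWNSQLITEDATA.db")
    con = sqlite3.connect(app_db)
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                ("alice", "P@ssw0rd"))
    con.commit()
    con.close()

    dict_db = os.path.join(root, "user_dict.db")
    con = sqlite3.connect(dict_db)
    con.execute("CREATE TABLE words (_id INTEGER PRIMARY KEY, word TEXT, "
                "frequency INTEGER, locale TEXT)")
    con.executemany("INSERT INTO words (word, frequency, locale) VALUES (?, ?, ?)",
                    [("4111111111111111", 250, "en_US"), ("P@ssw0rd", 250, "en_US")])
    con.commit()
    con.close()
    return app_db, dict_db


def demo() -> dict[str, dict]:
    """Build both sample databases in a temp dir and dump them, keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_samples(tmp)
        return {os.path.basename(p): dump_database(p) for p in paths}


if __name__ == "__main__":
    for db_name, tables in demo().items():
        print(f"== {db_name}")
        for table, (cols, rows) in tables.items():
            print(f"-- {table} ({', '.join(cols)})")
            for row in rows:
                print("   ", row)
```

Running it prints the credentials from the app database and the card number and password that the keyboard learned into "user_dict.db", which is the whole point of the section: nothing in either file is protected beyond the file permissions that root ignores.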
In this article we have seen how SQLite storage, internal storage and external storage are implemented in Android, and how easily the stored data can be taken from a device by anyone with physical access to it (or root on it). Developers should therefore never write sensitive data to the device in plaintext, and should keep it off external storage altogether. Encrypting it is only a real fix when the key is not stored next to the data or hard-coded in the app, where it can be recovered by decompiling the APK; the Android Keystore is the platform's way of holding such keys.