1
00:00:01,720 --> 00:00:06,880
So in this video we're gonna take a look at insecure data storage. So there's a lot of different ways

2
00:00:06,880 --> 00:00:12,330
to try to store data in Android applications and a lot of them may appear secure on the surface.

3
00:00:12,370 --> 00:00:16,440
However, with the proper permissions and setups you will be able to gain access to them

4
00:00:16,450 --> 00:00:21,580
as someone who is not supposed to gain access to them, which in turn can mean that you can compromise

5
00:00:22,090 --> 00:00:26,350
sensitive data either from the user or from the developers themselves.

6
00:00:26,350 --> 00:00:32,050
So this is sort of a two-sided vulnerability. In terms of, like, getting user data,

7
00:00:32,050 --> 00:00:38,490
it's a bit of a weaker vulnerability because it requires access to be able to access most of these files.

8
00:00:38,560 --> 00:00:43,750
There may be ways, however, to get access to these files without permissions and that would be an indication

9
00:00:43,750 --> 00:00:44,890
of a vulnerability.

10
00:00:44,890 --> 00:00:50,530
However, if there's specific, like, developer secret data inside of these files and we're able to access

11
00:00:50,530 --> 00:00:55,000
them, then this would be a vulnerability whether or not we have access, because we shouldn't be able to

12
00:00:55,000 --> 00:01:00,730
get access to those sort of secret data pieces such as API keys and passwords and that sort of good

13
00:01:00,730 --> 00:01:01,740
stuff.

14
00:01:01,750 --> 00:01:06,490
So in this video we'll take a look at a few different types of vulnerabilities like this.

15
00:01:06,490 --> 00:01:10,280
So the first one is the insecure data storage part one.

16
00:01:10,420 --> 00:01:16,850
With this we can enter in, say, a username and a password and we can save it onto our device.

17
00:01:16,870 --> 00:01:21,160
So we enter the username and password and then we hit save and it will say "third party credentials saved

18
00:01:21,160 --> 00:01:22,840
successfully".

19
00:01:22,850 --> 00:01:24,300
We take a look at the code for this.

20
00:01:24,310 --> 00:01:29,440
We can see that when we save the credentials it's using what's called a shared preference.

21
00:01:29,440 --> 00:01:35,170
Now with shared preferences, they're essentially specific types of files that exist in a, like, in a

22
00:01:35,170 --> 00:01:39,960
standard directory and these files will be able to store different pieces of information in them.

23
00:01:39,970 --> 00:01:45,120
And the idea is that when we're trying to access data we can access it from a known location

24
00:01:45,130 --> 00:01:50,170
that is sort of local to the application and not accessible unless you have permissions.

25
00:01:50,170 --> 00:01:54,820
This works very well for trying to store data that isn't sensitive, so I don't, I would just, like, data

26
00:01:54,820 --> 00:01:59,860
that's generally used by the application, maybe like locations of images or like a set of questions like

27
00:01:59,860 --> 00:02:01,570
a survey or something like that.

28
00:02:01,600 --> 00:02:06,040
These sort of things wouldn't be sensitive because they're accessible by the user through the application.

29
00:02:06,040 --> 00:02:10,780
However, if we can access something that isn't accessible to the user through the application, this would

30
00:02:10,780 --> 00:02:13,660
be an instance of information disclosure.

31
00:02:13,660 --> 00:02:17,510
So how do we gain access to this shared preferences folder?

32
00:02:17,650 --> 00:02:24,820
What I'm going to do is I'm going to go ahead and shell into my device and when I shell into my device

33
00:02:24,850 --> 00:02:28,680
I'm going to go ahead and make myself a super user using the su command.

34
00:02:29,020 --> 00:02:33,460
And then what we're gonna do is we're gonna cd into the data folder and then inside of here there's

35
00:02:33,460 --> 00:02:34,900
another data folder.

36
00:02:34,900 --> 00:02:40,420
So we're at /data/data and inside of here you'll see data for all of the applications that are on

37
00:02:40,420 --> 00:02:41,620
your device.

38
00:02:41,620 --> 00:02:44,780
So all of these applications have data associated with them.

39
00:02:44,800 --> 00:02:47,710
This one right here is the folder associated with DIVA.

40
00:02:47,710 --> 00:02:50,800
The name will always match the name of the application itself.

41
00:02:50,830 --> 00:02:56,980
So we can cd into that folder. You'll see inside of here we have a few different options: you have the

42
00:02:56,980 --> 00:02:57,480
cache,

43
00:02:57,490 --> 00:03:02,260
we have the code cache, we have databases, we have the libraries and then we have our shared preferences.

44
00:03:02,830 --> 00:03:06,010
The shared preferences is where we save all the data that's written

45
00:03:06,040 --> 00:03:09,310
using this shared preferences object.

46
00:03:09,340 --> 00:03:09,840
Right.

47
00:03:09,850 --> 00:03:13,560
So anytime that we do this we're gonna be saving it to that shared preferences folder.

48
00:03:13,560 --> 00:03:19,610
So now if I cd into shared preferences you'll see that we have this single XML file.

49
00:03:19,920 --> 00:03:23,940
And if I use the cat command I can see what's inside of that file.

50
00:03:23,980 --> 00:03:27,280
I mean, alternatively you could also pull it off the device and read it.

51
00:03:27,280 --> 00:03:32,870
But the cat command allows you to see it quickly and as you can see it stores the username and password

52
00:03:32,920 --> 00:03:34,060
that we typed in.

53
00:03:34,060 --> 00:03:37,440
So whatever we type in inside of there will be what's stored here.

54
00:03:37,450 --> 00:03:41,110
So for instance I might change this to password one, for instance, and save it.

55
00:03:41,500 --> 00:03:47,330
Then we should see that this will change to password one, which you can see right here.

56
00:03:47,650 --> 00:03:52,180
So you can see that this would be considered insecure data storage because I can gain access to it just

57
00:03:52,180 --> 00:03:53,790
by having a rooted device.

58
00:03:53,860 --> 00:03:58,410
The fact that I have a rooted device is sort of irrelevant to my, like, ability to access this data.

59
00:03:58,420 --> 00:04:01,660
I shouldn't be able to get usernames and passwords whether I'm rooted or not.

60
00:04:01,660 --> 00:04:05,870
So this would be an example of insecure data storage.

61
00:04:06,010 --> 00:04:06,310
Right.

62
00:04:06,310 --> 00:04:09,910
And then you can go into, like, the other pieces, like, you know, the password really should be hashed or

63
00:04:09,910 --> 00:04:11,000
something like that.

64
00:04:11,530 --> 00:04:15,970
In this sense it really doesn't matter if it's hashed or not because you can offline brute force that password

65
00:04:16,000 --> 00:04:20,260
and potentially gain access to it, and you'd know how it's hashed based on the code.

66
00:04:20,260 --> 00:04:23,980
Since we have access to the code we have access to the password hash.

67
00:04:24,070 --> 00:04:29,380
Therefore unhashing the password or finding the hash that corresponds to that password wouldn't necessarily

68
00:04:29,380 --> 00:04:31,930
be hard unless the password is extremely long.

69
00:04:31,930 --> 00:04:36,130
But there are certain instances where it could be, like, a weak password; you might be able to compromise

70
00:04:36,130 --> 00:04:37,000
it and gain access.

71
00:04:37,000 --> 00:04:42,250
So this is something to know about these shared access points, is that they are accessible by users.

72
00:04:42,250 --> 00:04:48,130
So we really should be favoring things like online servers if we can, or sort of hardening these down,

73
00:04:48,220 --> 00:04:52,540
like password protecting the files or password protecting a database, for instance.

74
00:04:52,540 --> 00:04:58,250
And speaking of databases, we could take a look at database storage as well, so let's go ahead and I'll

75
00:04:58,330 --> 00:05:03,110
go back here and we have a second insecure data storage.

76
00:05:03,160 --> 00:05:10,060
So in this one again I can put in my username and password and again when I do this I can save it and

77
00:05:10,060 --> 00:05:12,230
it will save it successfully.

78
00:05:12,280 --> 00:05:18,640
So if we take a look at the code here you can see that we're inserting the data into a, into a SQLite

79
00:05:18,640 --> 00:05:19,460
database.

80
00:05:19,470 --> 00:05:20,490
Right.

81
00:05:20,530 --> 00:05:24,940
So in general most databases that you work with through Android are going to be SQLite, but you

82
00:05:24,940 --> 00:05:29,860
can also tell that because of the import up here, that's a SQLite database, that exposes what kind

83
00:05:29,860 --> 00:05:31,750
of database is being used.

84
00:05:31,810 --> 00:05:35,980
So you can see that this information is being saved to some sort of database and we can ask, well, where

85
00:05:35,980 --> 00:05:37,300
can we find that database?

86
00:05:37,300 --> 00:05:38,870
Right.

87
00:05:39,400 --> 00:05:43,920
And the answer is, if we cd up one directory we'll see this folder called databases.

88
00:05:44,040 --> 00:05:48,580
If we go into the databases folder we can see that there's a bunch of different databases that exist

89
00:05:48,580 --> 00:05:49,470
inside of here.

90
00:05:49,480 --> 00:05:53,340
Now we want to determine which of these databases is the correct one.

91
00:05:53,920 --> 00:05:58,990
And we really just have to sort of look at the different things that are available here. You'll see open

92
00:05:58,990 --> 00:06:01,260
or create database ids2.

93
00:06:01,300 --> 00:06:04,960
This tells us that the ids2 database is the one that we're likely looking for.

94
00:06:04,960 --> 00:06:09,660
So what I can do is I can say sqlite3 ids2.

95
00:06:10,430 --> 00:06:14,940
And as you can see this opens up the ids2 database inside of SQLite.

96
00:06:15,670 --> 00:06:19,870
And then from here you can type in a command like .tables and that'll show you the tables that exist

97
00:06:19,870 --> 00:06:26,320
in the database and then we can do just, like, a simple select * from myuser and you can see it exposes

98
00:06:26,350 --> 00:06:29,110
any users that were inputted into this input field, right.

99
00:06:29,110 --> 00:06:32,910
So I did the test one earlier; username and password was the one that I just did.

100
00:06:32,920 --> 00:06:36,900
So you can see that this very easily exposes the user.

101
00:06:36,910 --> 00:06:42,640
So again, since I can access this data it isn't considered to be a secure data storage method because

102
00:06:42,850 --> 00:06:48,130
even though I have access doesn't really mean much if I can access the data still, you know, whether you

103
00:06:48,130 --> 00:06:52,120
can access it with root, whether you can access it without it, you're still able to access sensitive

104
00:06:52,120 --> 00:06:53,680
data which you shouldn't be able to do.

105
00:06:53,710 --> 00:06:58,240
So this is something that we need to consider as well, is that these databases, if they aren't properly

106
00:06:58,240 --> 00:07:00,800
secured, could be compromised.

107
00:07:00,910 --> 00:07:03,770
The proper thing to do here is to use a library.

108
00:07:03,790 --> 00:07:09,610
There are a few, like SQLCipher for instance I think is one that's available for Android, and what

109
00:07:09,610 --> 00:07:14,500
they'll do is they'll password protect these databases for you through, like, an encrypted process.

110
00:07:14,560 --> 00:07:19,240
So any time that we need to access it, it needs to sort of, like, decrypt it and then run our queries and

111
00:07:19,240 --> 00:07:20,610
then encrypt it again.

112
00:07:20,620 --> 00:07:24,200
So if this is done, then we tried to access it through the sqlite3 command,

113
00:07:24,210 --> 00:07:27,860
we won't be able to; we have to actually crack the encryption on the database.

114
00:07:28,070 --> 00:07:33,360
And if that encryption is sufficiently strong then it would be a much more secure data storage than

115
00:07:33,360 --> 00:07:35,880
just storing stuff in plain text out in the open.

116
00:07:35,910 --> 00:07:36,710
Right.

117
00:07:36,810 --> 00:07:41,070
So this is another thing to consider, and this is even before we consider the fact that it looks like

118
00:07:41,100 --> 00:07:44,340
this could easily be, like, a victim of SQL injection.

119
00:07:44,340 --> 00:07:44,610
Right.

120
00:07:44,610 --> 00:07:49,500
You could probably do SQL injection because you're just concatenating stuff into it, but that will

121
00:07:49,500 --> 00:07:52,670
be something for another lesson anyhow.

122
00:07:52,710 --> 00:07:52,950
Yeah.

123
00:07:52,980 --> 00:07:57,900
So this would be another example of some insecure data storage, is if we store things in these databases

124
00:07:57,900 --> 00:08:05,190
that are available to us, a rooted user can still gain access to them and potentially get to those credentials.

125
00:08:05,220 --> 00:08:11,370
Now the third type of insecure data storage is sort of like a more generic type of insecure storage.

126
00:08:11,400 --> 00:08:16,800
Again it's the same sort of structure where we have username and we have password.

127
00:08:17,160 --> 00:08:20,310
And again we can save it and get the "credentials saved successfully".

128
00:08:20,550 --> 00:08:24,350
But if we take a look at this, really all this does is it creates a temp file.

129
00:08:24,420 --> 00:08:28,860
You see it has uinfo in front of it and it sets it to readable and writable and then it writes

130
00:08:28,860 --> 00:08:31,020
in the username and password and saves it.

131
00:08:31,140 --> 00:08:37,080
So when this sort of thing happens we're essentially saving it local to that data folder and you can

132
00:08:37,080 --> 00:08:37,890
tell that because,

133
00:08:37,940 --> 00:08:40,980
so it's got application info data dir. Data dir

134
00:08:40,980 --> 00:08:44,500
is this data directory that we're currently inside of.

135
00:08:44,520 --> 00:08:50,820
So when we do this you'll be able to see that I can, let's quit out of SQLite, and if I cd up one

136
00:08:50,820 --> 00:08:55,110
directory you'll see this uinfo temp folder that's now been created.

137
00:08:55,230 --> 00:09:02,010
And again I can simply just cat that folder and you'll get username and password, right? So you can see

138
00:09:02,010 --> 00:09:08,070
that it's again just the data in plain text. Even though it's in a directory that can only be accessible

139
00:09:08,070 --> 00:09:11,160
by root, the data is still out there and accessible.

140
00:09:11,160 --> 00:09:12,480
So you can still get access to it.

141
00:09:12,510 --> 00:09:17,670
So this gives you a good idea of the different types of insecure data storage that exist. So in general,

142
00:09:17,850 --> 00:09:22,530
if you're looking at any sensitive data that is stored inside of databases, inside of shared preferences

143
00:09:22,530 --> 00:09:26,450
or just inside of temp folders, anywhere, a user can gain access to them.

144
00:09:26,460 --> 00:09:31,050
So those folders should be treated with the same level of security, that someone is able to access them

145
00:09:31,080 --> 00:09:32,460
if they so choose to.

146
00:09:32,460 --> 00:09:38,310
So you have to keep that in mind and work with things like encrypted files or encrypted databases in

147
00:09:38,310 --> 00:09:43,050
order to ensure that people can't actually access this data, because leaving it out in the open means

148
00:09:43,050 --> 00:09:47,760
that if you have a rooted user who's using your application they can gain access to that data, which

149
00:09:47,760 --> 00:09:51,320
could potentially be catastrophic depending on what kind of data is accessible there.

150
00:09:51,330 --> 00:09:51,890
Right.

151
00:09:51,900 --> 00:09:56,190
If it's just their username and password it's not really that big of a deal, but if it's other people's

152
00:09:56,190 --> 00:10:03,070
usernames or passwords or generic information about, like, the application, application usernames and passwords

153
00:10:03,090 --> 00:10:07,590
and usernames and passwords, any of that sort of stuff, then we don't want that to be stored here because

154
00:10:07,590 --> 00:10:09,840
then you can gain access to it.

155
00:10:09,850 --> 00:10:12,270
This gives you an idea of what to look for for these sort of things.

156
00:10:12,600 --> 00:10:17,340
Again, we decompile the application, you can look at things like shared preferences and file writes and

157
00:10:17,430 --> 00:10:22,740
database inserts to find these sorts of vulnerabilities, or in general you can just sort of use the app

158
00:10:22,740 --> 00:10:26,870
a little bit and then go to its data directory and see what kind of stuff is available inside of there.

159
00:10:26,870 --> 00:10:31,800
So these are some common vulnerabilities that will typically exist inside of Android applications that

160
00:10:31,800 --> 00:10:34,410
you are now able to find and report if you find them.