In this post, you will see some of the common insecure ways Android apps store sensitive data. The DIVA app is used to demonstrate these issues:
Part 1: Storing in Shared Preferences
First, save a set of user credentials in the app. After the credentials are saved, look for the location where the data is stored. For Part 1, you will notice that the credentials are saved in the app’s Shared Preferences XML file (this can also be verified in the source code).
Now, look for the app’s shared preferences XML file. It should be found under
Run a cat command on this XML file and you can see the user name and password stored in plain text without any encryption. This is considered bad practice and can be avoided by storing the user credentials in the Keystore.
Part 2: Storing unencrypted data in SQLite
Sometimes, developers try to save credentials or a list of sensitive data in a database. This is useful because structured data allows faster searches. However, the developer needs to note that the database in Android is not encrypted. This means that anyone (with root permission) can copy the database and read what is inside.
In the code snippet below, you can see that the data is stored in a database ‘ids2’.
Now, you can copy this database to your local directory (check out this site for more adb commands):
adb pull /data/data/jakhar.aseem.diva/databases/ids2 ids2.db
Open it using DB Browser for SQLite. In the myuser table, you can see the username and password. As good practice, the credentials should at least be encrypted before being saved to the database, and the encryption key should be stored in the Keystore.
Part 3: Storing in unencrypted File
A developer might want to temporarily store some sensitive data in a file. If the data is stored in a plaintext file, the data might be leaked easily. It is more secure to encrypt the file if the data needs to be stored in the file.
Part 4: Storing in External Storage
Data stored in an external directory can be accessed easily by any party. In addition, if the file and data are not encrypted sufficiently, then any malicious attacker can access the data. In the example, the data is stored as a hidden file ‘uninfo.txt’.
You can simply run a cat command to see this file and the credentials.