Common Vuls in Mobile Apps
Introduction
While doing mobile pentests, I've realized that developers often write insecure code that
exposes an application to security risks. By abusing those weaknesses, a bad guy gets an
opportunity to steal users' credentials or personal data simply by getting into the phone,
rooting it (or NOT), and starting to peek at your data.
Of course, in some cases, a rooted phone is not even needed!
Many times during my mobile pen testing (especially on Android) I've seen these types of vuls in
all kinds of apps: saving passwords without encryption, exposing users' credentials or data to
logcat, storing users' credentials (keystores, ...) in the /shared_prefs/ directory, and so on.
Therefore, in this article I'll list and explain the common vuls/mistakes that developers often
make:
1. Storing users' credentials in plain text
The most common security concern for an application on Android is whether the data that you
save on the device is accessible to other apps. There are three fundamental ways to save data on
the device:
• Internal storage.
• External storage.
• Content providers.
The following paragraphs describe the security issues associated with each approach.
Use internal storage
By default, files that you create on internal storage are accessible only to your app. Android
implements this protection, and it's sufficient for most applications.
Generally, avoid the MODE_WORLD_WRITEABLE or MODE_WORLD_READABLE modes for IPC files
because they do not provide the ability to limit data access to particular applications, nor do
they provide any control of data format. If you want to share your data with other app
processes, instead consider using a content provider, which offers read and write permissions to
other apps and can make dynamic permission grants on a case-by-case basis.
To provide additional protection for sensitive data, you can encrypt local files using a key that is
not directly accessible to the application. For example, you can place a key in a KeyStore and
protect it with a user password that is not stored on the device. While this does not protect data
from a root compromise that can monitor the user inputting the password, it can provide
protection for a lost device without file system encryption.
Many apps do not encrypt the user's data before writing it to a file, even when the file is placed
in internal storage. For instance: