Insecure Local Storage

July 9, 2014 by

In the previous article, we discussed shared preferences and its security under local data storage. In this article, we will discuss other storage methods being used by Android developers.


FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

SQLite Databases

SQLite databases are lightweight file-based databases. They usually have the extension ".db" or ".sqlite". Android provides full support for SQLite databases. Databases we create in the application will be accessible to any class in the application. Other apps cannot access them.

Install the application given in the download section and launch it. Then enter some sample data into the application as we have done in the previous article (Shared Preferences).

The following code snippets show that the sample application is storing data in SQLite databases.

Initially, upon receiving the username and password from the user, the app opens a database and inserts the details into a table and then closes the database. This is shown in Figure 1. The backend logic is shown in Figure 2.

Figure 1

The following figure shows the code snippet used to insert data into the application. We have extended the "SQLiteOpenHelper" class to implement this. As we can see in Figure 2, we are inserting the values taken from the user into a table defined somewhere with the variable name "TABLE_NAME".

Figure 2

Now that we understand how this application is inserting values into the database, let's go ahead and see how it is being stored in the application and dump the data from the database.

The common location where databases are stored in Android apps is:

/data/data/<package name>/databases/<databasename.db>

So, let's navigate and inspect the above path to see if there are any databases created in this application.

The procedure is same as SharedPreferences. So, I would want to show another way of pulling data onto the device rather than using ADB.

In this case, we are going to use a feature called "DDMS" in Eclipse to extract data from the device. In Eclipse, we can enable DDMS, which allows us to perform a lot of interesting tasks.

After enabling and launching the DDMS window, it looks as shown in Figure 3.

Figure 3

Rather than writing ADB commands, we can simply pull the files from the device with just a mouse click, as shown in Figure 3.

In our case, we have navigated to "/data/data/" and then "com.androidpentesting.sqlitestorage". If we expand this directory, it displays all the files and folders inside it. Since we are interested in SQLite files, we have navigated to the "databases" directory where we have the database "PWNSQLITEDATA.db". We can pull it onto the machine, as shown in the above figure, and then do the steps give below.

  1. Install SQLite3 client in the machine.
  2. Connect to the database file using the command given below.

    sqlite3 PWNSQLITEDATA.db

  3. List all the available tables using the ".tables" command.
  4. Query and display the data using the command shown below.

    select * from table_name;

These steps are shown in Figure 4 below.

Figure 4

Internal Storage

Internal storage is another way of storing data in Android apps. Launch the application and enter the sample credit card number into the text box and click save.

Below is the code snippet which shows how the application is functioning.

Figure 5

As we can see in the above figure, the application is taking user input (credit card number) and writing it into a file "secret.txt".

Lets open up DDMS in Eclipse and pull the file onto the machine as we have done in the previous case (SQLIte databases).

Figure 6

Now, we can read the file with the cat utility as shown in Figure 7.

Figure 7

External Storage

SDCARD is another important location in Android where we can store data associated with our applications. Whatsapp is a classic example of SDCARD storage as it stores all its data on SDCARD.

Developers storing data on SDCARD should be careful since it's publicly accessible to anyone. We can simply remove the SDCARD from the device and mount it to another device to access the information stored on it.

You can download the sample application from the download section and enter some sample credit card number after installing the app.

Below is the code snippet used to store this credit card number onto the SDCARD.

Figure 8

The above code requires "WRITE_EXTERNAL_STORAGE" permission. So, we need to add the below line in the AndroidManifest.xml file.

Figure 9

User Dictionary Cache

In Android, we have a nice feature called User Dictionary. We can add words of interest to the user dictionary, and the application will suggest to use these words the next time we are typing a similar word. If our application allows the users to cache sensitive information, it will be stored in a database named "user_dict.db" which can be accessed by any application using the user dictionary app's content provider.

Another way to read this is to pull the database file from the device and open it with a SQLite client. This is shown in the figure below.

Figure 10

Figure 10 shows how we can pull the database file from the device.

Figure 11

The above figure shows how one can read the contents from the "user_dict.db" file.


What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

In this article we have seen how data storage techniques like SQLite storage, Internal Storage, and External Storage are implemented in Android. We have also seen how easy it is to retrieve this data from the device if anyone has physical access to it. So, it is highly recommended that developers should crypto libraries in order to store sensitive information on the device.


Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds Offensive Security Certified Professional(OSCP) Certification. He blogs atwww.androidpentesting.com. Email: srini0x00@gmail.com