Skip to content

Android Security — OWASP Top 10

Android Security

OWASP Top 10

1. Insecure Logging

  • All procedures, like calling activity, intents, etc., by application, are logged into the phone's log
  • Apps send info to log output using android.util.Logclass
  • To obtain log output, apps can execute logcat command in Genymotion

Till Android 4, any app with READ_LOGS permission could obtain logs of all other apps.
After 4.1, the specification of the READ_LOGS permission has been changed; even with the permission mentioned, apps cannot obtain log output from other apps.

By connection android to PC, the log output from other apps can be obtained. Thus, it's important that mobiles do not log sensitive info to logs.

Pentesting approach for mobile (static): get apk → decompile apk to get source code → examine vuln

➕Note: To get logs of a particular apk:

  1. Get Pid of the specific apk from ps -A
  2. logcat | grep <pid>

2. Hardcoded creds

  • Mistake of hardcoding confidential/sensitive info in source code, explicitly defining as a constant value for the sake of simplicity

3. Insecure Data Storage

  • Accdidentally storing sensitive info without encryption

Where all does Android store such data?

Four main storage locations identified:

  1. Databases (within /data/data/[package-name]/databases/)
  2. Sensitive data stored in SQLite databases
  3. Example: IDS2 database with MyUser table storing usernames and passwords
  4. Can be accessed using SQLite commands or SQLite browser
  5. Use sqlite3 [database-name] to enter DB and .tables to list tables
  6. Use SELECT * FROM [table-name] to view contents
  7. Shared Preferences (XML files in /data/data/[package-name]/shared_prefs/)
  8. Data stored as key-value pairs
  9. Common for storing usernames, passwords, tokens
  10. Can identify usage by looking for "SharedPreference" or "PreferenceManager" in source code
  11. Internal Storage (temporary files within app package)
  12. Apps create temporary files to store sensitive information
  13. Files remain in /data/data/[package-name]/ directory
  14. Example: uinfo file containing credentials
  15. External Storage (SD card in /mnt/sdcard/)
  16. Requires explicit permission to write to SD card (post-Android security update)
  17. Can identify by "getExternalStorageDirectory" in source code
  18. Files may be hidden - use ls -al to view

In Android apps,

  • data can be communicated via intents or written to files, distributed