Android Security — OWASP Top 10¶
Android Security¶
OWASP Top 10¶
1. Insecure Logging¶
- All procedures, like calling activity, intents, etc., by application, are logged into the phone's log
- Apps send info to log output using android.util.Logclass
- To obtain log output, apps can execute logcat command in Genymotion
Till Android 4, any app with READ_LOGS permission could obtain logs of all other apps.
After 4.1, the specification of the READ_LOGS permission has been changed; even with the permission mentioned, apps cannot obtain log output from other apps.
By connection android to PC, the log output from other apps can be obtained. Thus, it's important that mobiles do not log sensitive info to logs.
Pentesting approach for mobile (static): get apk → decompile apk to get source code → examine vuln
➕Note: To get logs of a particular apk:
- Get Pid of the specific apk from
ps -A logcat | grep <pid>
2. Hardcoded creds¶
- Mistake of hardcoding confidential/sensitive info in source code, explicitly defining as a constant value for the sake of simplicity
3. Insecure Data Storage¶
- Accdidentally storing sensitive info without encryption
Where all does Android store such data?
Four main storage locations identified:
- Databases (within
/data/data/[package-name]/databases/) - Sensitive data stored in SQLite databases
- Example: IDS2 database with MyUser table storing usernames and passwords
- Can be accessed using SQLite commands or SQLite browser
- Use
sqlite3 [database-name]to enter DB and.tablesto list tables - Use
SELECT * FROM [table-name]to view contents - Shared Preferences (XML files in
/data/data/[package-name]/shared_prefs/) - Data stored as key-value pairs
- Common for storing usernames, passwords, tokens
- Can identify usage by looking for "SharedPreference" or "PreferenceManager" in source code
- Internal Storage (temporary files within app package)
- Apps create temporary files to store sensitive information
- Files remain in
/data/data/[package-name]/directory - Example: uinfo file containing credentials
- External Storage (SD card in
/mnt/sdcard/) - Requires explicit permission to write to SD card (post-Android security update)
- Can identify by "getExternalStorageDirectory" in source code
- Files may be hidden - use
ls -alto view
In Android apps,
- data can be communicated via intents or written to files, distributed