mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 05:29:40 +03:00
199 lines
7.2 KiB
Markdown
199 lines
7.2 KiB
Markdown
---
|
|
name: exploiting-insecure-data-storage-in-mobile
|
|
description: >
|
|
Identifies and exploits insecure local data storage vulnerabilities in Android and iOS mobile
|
|
applications including unencrypted databases, world-readable files, insecure SharedPreferences,
|
|
plaintext credential storage, and improper keychain/keystore usage. Use when performing mobile
|
|
penetration testing focused on OWASP M9 (Insecure Data Storage) or assessing compliance with
|
|
MASVS-STORAGE requirements. Activates for requests involving mobile data storage security,
|
|
local storage exploitation, SharedPreferences analysis, or mobile data leakage assessment.
|
|
domain: cybersecurity
|
|
subdomain: mobile-security
|
|
author: mahipal
|
|
tags: [mobile-security, android, ios, data-storage, owasp-mobile, penetration-testing]
|
|
version: 1.0.0
|
|
license: MIT
|
|
---
|
|
# Exploiting Insecure Data Storage in Mobile
|
|
|
|
## When to Use
|
|
|
|
Use this skill when:
|
|
- Assessing whether mobile applications store sensitive data securely on the device filesystem
|
|
- Testing for credential leakage through SharedPreferences, SQLite databases, or plists
|
|
- Evaluating keychain/keystore implementation for proper access control attributes
|
|
- Performing data-at-rest security assessment during mobile penetration tests
|
|
|
|
**Do not use** this skill on production user devices without authorization -- data extraction techniques require physical access or root/jailbreak privileges.
|
|
|
|
## Prerequisites
|
|
|
|
- Rooted Android device or emulator with ADB access
|
|
- Jailbroken iOS device with SSH access or Objection-patched IPA
|
|
- ADB (Android Debug Bridge) for Android filesystem access
|
|
- SQLite3 CLI for database inspection
|
|
- Frida/Objection for runtime data extraction
|
|
- Target application installed and exercised (logged in, data cached)
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Map Application Data Storage Locations
|
|
|
|
**Android storage paths:**
|
|
```bash
|
|
# Internal storage (app-private, requires root)
|
|
/data/data/<package_name>/
|
|
├── shared_prefs/ # SharedPreferences XML files
|
|
├── databases/ # SQLite databases
|
|
├── files/ # General files
|
|
├── cache/ # Cached data
|
|
├── lib/ # Native libraries
|
|
└── app_webview/ # WebView data
|
|
|
|
# External storage (world-readable on older Android)
|
|
/sdcard/Android/data/<package_name>/
|
|
|
|
# Check for world-readable files
|
|
adb shell run-as <package_name> ls -la /data/data/<package_name>/
|
|
```
|
|
|
|
**iOS storage paths:**
|
|
```bash
|
|
# App sandbox (accessible via SSH on jailbroken device)
|
|
/var/mobile/Containers/Data/Application/<UUID>/
|
|
├── Documents/ # User data, backed up by default
|
|
├── Library/
|
|
│ ├── Preferences/ # NSUserDefaults plists
|
|
│ ├── Caches/ # Cache data
|
|
│ └── Application Support/
|
|
└── tmp/ # Temporary files
|
|
```
|
|
|
|
### Step 2: Extract and Analyze SharedPreferences (Android)
|
|
|
|
```bash
|
|
# Pull SharedPreferences files
|
|
adb shell run-as <package_name> cat shared_prefs/*.xml
|
|
|
|
# Or on rooted device
|
|
adb pull /data/data/<package_name>/shared_prefs/ ./shared_prefs/
|
|
|
|
# Search for sensitive data
|
|
grep -ri "password\|token\|secret\|key\|session\|auth\|cookie" shared_prefs/
|
|
```
|
|
|
|
Common insecure storage patterns:
|
|
```xml
|
|
<!-- Plaintext credentials -->
|
|
<string name="user_password">mysecretpass123</string>
|
|
<string name="auth_token">eyJhbGciOiJIUzI1NiIs...</string>
|
|
<string name="api_key">sk-live-abc123def456</string>
|
|
|
|
<!-- Sensitive PII -->
|
|
<string name="user_ssn">123-45-6789</string>
|
|
<string name="credit_card">4111111111111111</string>
|
|
```
|
|
|
|
### Step 3: Analyze SQLite Databases
|
|
|
|
```bash
|
|
# Pull databases
|
|
adb pull /data/data/<package_name>/databases/ ./databases/
|
|
|
|
# Open and inspect
|
|
sqlite3 databases/app.db
|
|
.tables
|
|
.schema users
|
|
SELECT * FROM users;
|
|
SELECT * FROM sessions;
|
|
SELECT * FROM tokens;
|
|
|
|
# Search all tables for sensitive columns
|
|
sqlite3 databases/app.db ".dump" | grep -i "password\|token\|secret\|credit"
|
|
```
|
|
|
|
Check for unencrypted SQLCipher databases:
|
|
```bash
|
|
# If database opens without password, it's unencrypted
|
|
sqlite3 databases/app.db "SELECT count(*) FROM sqlite_master;"
|
|
# Success = unencrypted (vulnerability)
|
|
```
|
|
|
|
### Step 4: Inspect iOS Keychain Storage
|
|
|
|
```bash
|
|
# Using Objection
|
|
objection --gadget com.target.app explore
|
|
ios keychain dump
|
|
|
|
# Check protection class attributes
|
|
# kSecAttrAccessibleWhenUnlocked - OK for most data
|
|
# kSecAttrAccessibleAlways - VULNERABLE: accessible even when locked
|
|
# kSecAttrAccessibleAfterFirstUnlock - acceptable for background apps
|
|
```
|
|
|
|
### Step 5: Assess External Storage and Backup Exposure
|
|
|
|
**Android:**
|
|
```bash
|
|
# Check if backup is enabled
|
|
aapt dump badging target.apk | grep -i "allowBackup"
|
|
# android:allowBackup="true" = vulnerability
|
|
|
|
# Extract backup data
|
|
adb backup -f backup.ab -apk <package_name>
|
|
java -jar abe.jar unpack backup.ab backup.tar
|
|
tar xvf backup.tar
|
|
# Inspect extracted data for sensitive information
|
|
|
|
# Check external storage
|
|
adb shell ls -la /sdcard/Android/data/<package_name>/
|
|
```
|
|
|
|
**iOS:**
|
|
```bash
|
|
# Check backup exclusion
|
|
# Files in Documents/ are backed up by default
|
|
# Check NSURLIsExcludedFromBackupKey attribute
|
|
objection --gadget com.target.app explore
|
|
ios plist cat Info.plist
|
|
```
|
|
|
|
### Step 6: Runtime Memory Analysis
|
|
|
|
```bash
|
|
# Dump process memory for sensitive data
|
|
objection --gadget com.target.app explore
|
|
memory search "password" --string
|
|
memory search "BEGIN RSA PRIVATE KEY" --string
|
|
memory dump all /tmp/memdump/
|
|
|
|
# Android: Check for sensitive data in logs
|
|
adb logcat -d | grep -i "password\|token\|key\|secret"
|
|
```
|
|
|
|
## Key Concepts
|
|
|
|
| Term | Definition |
|
|
|------|-----------|
|
|
| **SharedPreferences** | Android key-value storage in XML format; often misused for storing credentials in plaintext |
|
|
| **Keychain Services** | iOS secure credential storage backed by Secure Enclave hardware on modern devices |
|
|
| **Android Keystore** | Hardware-backed cryptographic key storage on Android; keys cannot be extracted from the device |
|
|
| **SQLCipher** | Transparent encryption extension for SQLite databases; prevents data extraction without password |
|
|
| **Data Protection API** | iOS file-level encryption tied to device passcode; controlled via protection class attributes |
|
|
|
|
## Tools & Systems
|
|
|
|
- **ADB (Android Debug Bridge)**: Command-line tool for Android device interaction and filesystem access
|
|
- **Objection**: Frida-powered runtime exploration for keychain dumping and memory inspection
|
|
- **SQLite3**: Command-line interface for inspecting unencrypted SQLite databases
|
|
- **Android Backup Extractor (ABE)**: Tool for unpacking ADB backup files to inspect stored data
|
|
- **iExplorer**: GUI tool for browsing iOS app sandbox filesystem
|
|
|
|
## Common Pitfalls
|
|
|
|
- **Encrypted but key in code**: Some apps encrypt databases but store the encryption key in SharedPreferences or hardcoded in the binary. Always check for key storage alongside encryption.
|
|
- **MODE_WORLD_READABLE deprecation**: This flag was deprecated in API 17, but legacy apps may still use it, making SharedPreferences readable by other apps.
|
|
- **iOS backup scope**: By default, all files in the Documents directory are included in iTunes/iCloud backups. Verify that sensitive files have the backup exclusion attribute set.
|
|
- **Clipboard exposure**: Data copied to clipboard is accessible to all apps. Check if the app copies sensitive data (passwords, tokens) to the clipboard.
|