Files
Anthropic-Cybersecurity-Skills/skills/exploiting-insecure-data-storage-in-mobile/SKILL.md
T

199 lines
7.2 KiB
Markdown

---
name: exploiting-insecure-data-storage-in-mobile
description: >
Identifies and exploits insecure local data storage vulnerabilities in Android and iOS mobile
applications including unencrypted databases, world-readable files, insecure SharedPreferences,
plaintext credential storage, and improper keychain/keystore usage. Use when performing mobile
penetration testing focused on OWASP M9 (Insecure Data Storage) or assessing compliance with
MASVS-STORAGE requirements. Activates for requests involving mobile data storage security,
local storage exploitation, SharedPreferences analysis, or mobile data leakage assessment.
domain: cybersecurity
subdomain: mobile-security
author: mahipal
tags: [mobile-security, android, ios, data-storage, owasp-mobile, penetration-testing]
version: 1.0.0
license: MIT
---
# Exploiting Insecure Data Storage in Mobile
## When to Use
Use this skill when:
- Assessing whether mobile applications store sensitive data securely on the device filesystem
- Testing for credential leakage through SharedPreferences, SQLite databases, or plists
- Evaluating keychain/keystore implementation for proper access control attributes
- Performing data-at-rest security assessment during mobile penetration tests
**Do not use** this skill on production user devices without authorization -- data extraction techniques require physical access or root/jailbreak privileges.
## Prerequisites
- Rooted Android device or emulator with ADB access
- Jailbroken iOS device with SSH access or Objection-patched IPA
- ADB (Android Debug Bridge) for Android filesystem access
- SQLite3 CLI for database inspection
- Frida/Objection for runtime data extraction
- Target application installed and exercised (logged in, data cached)
## Workflow
### Step 1: Map Application Data Storage Locations
**Android storage paths:**
```bash
# Internal storage (app-private, requires root)
/data/data/<package_name>/
├── shared_prefs/ # SharedPreferences XML files
├── databases/ # SQLite databases
├── files/ # General files
├── cache/ # Cached data
├── lib/ # Native libraries
└── app_webview/ # WebView data
# External storage (world-readable on older Android)
/sdcard/Android/data/<package_name>/
# Check for world-readable files
adb shell run-as <package_name> ls -la /data/data/<package_name>/
```
**iOS storage paths:**
```bash
# App sandbox (accessible via SSH on jailbroken device)
/var/mobile/Containers/Data/Application/<UUID>/
├── Documents/ # User data, backed up by default
├── Library/
│ ├── Preferences/ # NSUserDefaults plists
│ ├── Caches/ # Cache data
│ └── Application Support/
└── tmp/ # Temporary files
```
### Step 2: Extract and Analyze SharedPreferences (Android)
```bash
# Pull SharedPreferences files
adb shell run-as <package_name> cat shared_prefs/*.xml
# Or on rooted device
adb pull /data/data/<package_name>/shared_prefs/ ./shared_prefs/
# Search for sensitive data
grep -ri "password\|token\|secret\|key\|session\|auth\|cookie" shared_prefs/
```
Common insecure storage patterns:
```xml
<!-- Plaintext credentials -->
<string name="user_password">mysecretpass123</string>
<string name="auth_token">eyJhbGciOiJIUzI1NiIs...</string>
<string name="api_key">sk-live-abc123def456</string>
<!-- Sensitive PII -->
<string name="user_ssn">123-45-6789</string>
<string name="credit_card">4111111111111111</string>
```
### Step 3: Analyze SQLite Databases
```bash
# Pull databases
adb pull /data/data/<package_name>/databases/ ./databases/
# Open and inspect
sqlite3 databases/app.db
.tables
.schema users
SELECT * FROM users;
SELECT * FROM sessions;
SELECT * FROM tokens;
# Search all tables for sensitive columns
sqlite3 databases/app.db ".dump" | grep -i "password\|token\|secret\|credit"
```
Check for unencrypted SQLCipher databases:
```bash
# If database opens without password, it's unencrypted
sqlite3 databases/app.db "SELECT count(*) FROM sqlite_master;"
# Success = unencrypted (vulnerability)
```
### Step 4: Inspect iOS Keychain Storage
```bash
# Using Objection
objection --gadget com.target.app explore
ios keychain dump
# Check protection class attributes
# kSecAttrAccessibleWhenUnlocked - OK for most data
# kSecAttrAccessibleAlways - VULNERABLE: accessible even when locked
# kSecAttrAccessibleAfterFirstUnlock - acceptable for background apps
```
### Step 5: Assess External Storage and Backup Exposure
**Android:**
```bash
# Check if backup is enabled
aapt dump badging target.apk | grep -i "allowBackup"
# android:allowBackup="true" = vulnerability
# Extract backup data
adb backup -f backup.ab -apk <package_name>
java -jar abe.jar unpack backup.ab backup.tar
tar xvf backup.tar
# Inspect extracted data for sensitive information
# Check external storage
adb shell ls -la /sdcard/Android/data/<package_name>/
```
**iOS:**
```bash
# Check backup exclusion
# Files in Documents/ are backed up by default
# Check NSURLIsExcludedFromBackupKey attribute
objection --gadget com.target.app explore
ios plist cat Info.plist
```
### Step 6: Runtime Memory Analysis
```bash
# Dump process memory for sensitive data
objection --gadget com.target.app explore
memory search "password" --string
memory search "BEGIN RSA PRIVATE KEY" --string
memory dump all /tmp/memdump/
# Android: Check for sensitive data in logs
adb logcat -d | grep -i "password\|token\|key\|secret"
```
## Key Concepts
| Term | Definition |
|------|-----------|
| **SharedPreferences** | Android key-value storage in XML format; often misused for storing credentials in plaintext |
| **Keychain Services** | iOS secure credential storage backed by Secure Enclave hardware on modern devices |
| **Android Keystore** | Hardware-backed cryptographic key storage on Android; keys cannot be extracted from the device |
| **SQLCipher** | Transparent encryption extension for SQLite databases; prevents data extraction without password |
| **Data Protection API** | iOS file-level encryption tied to device passcode; controlled via protection class attributes |
## Tools & Systems
- **ADB (Android Debug Bridge)**: Command-line tool for Android device interaction and filesystem access
- **Objection**: Frida-powered runtime exploration for keychain dumping and memory inspection
- **SQLite3**: Command-line interface for inspecting unencrypted SQLite databases
- **Android Backup Extractor (ABE)**: Tool for unpacking ADB backup files to inspect stored data
- **iExplorer**: GUI tool for browsing iOS app sandbox filesystem
## Common Pitfalls
- **Encrypted but key in code**: Some apps encrypt databases but store the encryption key in SharedPreferences or hardcoded in the binary. Always check for key storage alongside encryption.
- **MODE_WORLD_READABLE deprecation**: This flag was deprecated in API 17, but legacy apps may still use it, making SharedPreferences readable by other apps.
- **iOS backup scope**: By default, all files in the Documents directory are included in iTunes/iCloud backups. Verify that sensitive files have the backup exclusion attribute set.
- **Clipboard exposure**: Data copied to clipboard is accessible to all apps. Check if the app copies sensitive data (passwords, tokens) to the clipboard.