Insecure Storage (Shared Preference)

Shadab Ahmed Ansari
Nov 18, 2022


What is Insecure Storage in Android?

Insecure data storage vulnerabilities occur when an application stores sensitive information such as usernames, passwords, and credit card numbers in plain text.

What is shared preference in Android?

A SharedPreferences object points to a file containing key-value pairs and provides simple methods to read and write them. Each SharedPreferences file is managed by the framework and can be private or shared.

Where are Android shared preferences stored?

Android stores Shared Preferences settings as an XML file in the shared_prefs folder under the DATA/data/{application package} directory. The DATA folder can be obtained by calling Environment.getDataDirectory().

Let's look at how to access a shared preferences file to check for sensitive information on Android.

Step 1:- To do so, we require ADB (Android platform tools).

Step 2:- Open the ADB folder and open cmd. To check device connectivity, run “adb devices”. Thereafter, run “adb shell”, which takes us to the Android device terminal.

Step 3:- Switch to root. To do so, run “su”.

Figure 1: Sensitive information Page
Figure 2: Information Registered
Figure 3:- Android terminal accessing the shared-pref file

Step 4:- Navigate to the shared preferences folder with cd /data/data/"APK_PACKAGE_NAME"/shared_prefs. You will then observe that user.xml is stored there.

Step 5:- Open the same file with “cat user.xml”.

Figure 4:- Insecure storage shared preference

Observe that the application is storing sensitive information in clear text.
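The manual check in Steps 4 and 5 can be repeated over a copy of the file during an app review. The Python script below is an added example, not part of the original post: it parses the shared_prefs XML layout and flags entries that look like cleartext secrets. The sample XML, the key-name list and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a shared_prefs file (not taken from any real app).
SAMPLE_USER_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">S3cret!pass</string>
    <string name="card">4111 1111 1111 1111</string>
    <boolean name="first_run" value="false" />
    <int name="launch_count" value="7" />
</map>
"""

# Key names that suggest a secret; an assumed starting list, extend per app.
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|pin|card|cvv|user|email", re.I)

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_prefs(xml_text):
    """Return sorted (key, reason) pairs for entries that look like cleartext secrets."""
    # Only feed this files from your own test device; use defusedxml for untrusted XML.
    findings = []
    for node in ET.fromstring(xml_text):
        key = node.get("name", "")
        # <string> keeps its value as element text; int/boolean/long/float use value="...".
        value = node.text if node.tag == "string" else node.get("value")
        value = (value or "").strip()
        if not value:
            continue
        digits = re.sub(r"[ -]", "", value)
        if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append((key, "card-number-pattern"))
        elif SENSITIVE_KEY.search(key):
            findings.append((key, "sensitive-key-name"))
    return sorted(findings)

if __name__ == "__main__":
    for key, reason in audit_prefs(SAMPLE_USER_XML):
        print(f"{key}: {reason}")
```

A finding here means the value is readable by anyone who can read the file, which is the condition the post demonstrates with “cat user.xml”.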

Thank you for your time. Please like and clap the blog :)
