DIVA Series #0x04 Insecure Data Storage — Part 2 (en)
Hello and welcome to the DIVA sec-series again. From the last article, we know that we should not store any sensitive data in a local file. This time we will take a look at another popular way: saving information in a local database. SQLite is a popular database for Android developers because it is easy to implement.
Actually, storing data in SQLite is not too bad, but do not forget that it still lives on the client side, where anyone who can read the device's storage can access it. So I will say it again: do not store any sensitive data in it. If it is necessary, don't forget to encrypt the data before saving it.
As usual, open the application and go to the “Insecure Data Storage Part 2” section. Then play around with it: submit a username and password.
Since our credentials have been saved, we could go straight to a shell on the device and search for them, but this time we will take a look at the source code first.
From the source code below, you will see that our username and password are stored in a local database named “ids2”.
Use adb shell and change to /data/data/PACKAGENAME/databases.
We find that the ids2 file is there; just open it with the sqlite3 command.
As you can see, our username and password are stored in the database without any protection mechanism.
As in the previous post, try not to store any sensitive data in local storage, whether in a file or in a database. If it is necessary to store it, don't forget to encrypt the data before saving it. 😝
DIVA Application Download: https://github.com/payatu/diva-android