The data at rest is a very critical part of the assessment. Our usual concern remains that our application data is securely stored on our Android devices so that no one can extract data from it in the case of theft or loss. Also, an application (malicious) cannot access the data of another application (such as banking).
Our target app is FourGoats. All the app data resides in /data/data/org.owasp.goatdroid.FourGoats
in an Android device. In this app folder, we can see that there is a shared_prefs
folder, a database folder, and several other folders installed by the app. In the following screenshot, you can see that all the files in the shared_prefs
folder of the FourGoats app are world-readable:
This means that any app that is installed on the device will have access to read these files even on non-rooted devices. Sometimes, developers also store credentials including usernames, passwords, and PIN numbers in such files, which will lead to a complete compromise of user...