We love it when our teams and colleagues share their personal projects and findings with us – this time, Android app penetration testing by our own Noy Pearl.
If you are an Android developer, pen-tester, researcher or, like most of us, a security enthusiast – this one is for you.
Many Android penetration testing tutorials list a rooted device as a hard requirement.
A rooted Android device does let you do far more than an unrooted one.
However, a few methods for pentesting Android apps without root access tend to be overlooked. This time we're going to dive into an interesting one that apparently isn't well known – Android Backup.
Android Backup Method
I chose to focus on the Android Backup method because the app's private data directory – /data/data/APP_PACKAGE_NAME – cannot be read directly from an unrooted device.
Many developers store sensitive data there on the assumption that root access is required to read or write those files.
In this article, we're going to show why that assumption is wrong in some cases.
My suggestion is to google every term you aren’t sure about, understand it, and return to this article. I provided links on specific terms that might be useful for that.
To demonstrate it, I built an exploitable app in Java.
Here's the full code of the app – feel free to play with it. I also provided the built APK there, so you can test the backup functionality without building the app yourself.
This app represents a bank application with a few issues that we'll talk about later. The package name of the app is com.app.dontbackup. Remember it; we'll use it later. Install the app and run it.
The app's screen shows the full name and balance of an account named Ciri. I'm saving sensitive information about this user with an Android component called SharedPreferences. With this component, the data is written to the file /data/data/com.app.dontbackup/shared_prefs/com.app.dontbackup.xml on the device.
Although the phone number and address aren't shown on the screen, I still save them with SharedPreferences. The following code in the app saves the sensitive details to the shared_prefs directory:
I often see sensitive information saved this way, including users' full names, phone numbers, addresses, usernames, and passwords.
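Once you can get hold of a shared_prefs file (by whatever means, including the backup route this article is about), the values are sitting in plaintext XML. The script below is an added example written for this article, not code from the sample app or from Android itself: it parses a shared_prefs XML document into typed Python values and flags keys whose names suggest personal or credential data, which is the quick triage step a pentester runs on a pulled file. The sample document is constructed here to mirror what com.app.dontbackup.xml could contain; its key names and values are invented, and the element layout (a <map> root with <string>, <int>, <long>, <float>, <boolean> and <set> children keyed by a "name" attribute) is the standard SharedPreferences on-disk format.

```python
"""Parse an Android shared_prefs XML file into a typed Python dict.

Added example for this article, not code from the sample app. It assumes the
layout SharedPreferences writes under /data/data/<package>/shared_prefs/: a
<map> root whose children are <string>, <int>, <long>, <float>, <boolean> and
<set> elements keyed by a "name" attribute.
"""
import xml.etree.ElementTree as ET

# Constructed sample of what com.app.dontbackup.xml could look like once
# pulled off the device. Keys and values are invented for this example.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="full_name">Ciri</string>
    <int name="balance" value="1500" />
    <string name="phone">+1-555-0100</string>
    <string name="address">Kaer Morhen 1</string>
    <boolean name="is_logged_in" value="true" />
    <set name="recent_transfers">
        <string>tx-1001</string>
        <string>tx-1002</string>
    </set>
</map>
"""


def parse_shared_prefs(xml_text: str) -> dict:
    """Return {key: value} with the Java types mapped to Python types.

    Raises ValueError if the root is not <map> or an unknown element appears,
    so a malformed or non-preferences file is not silently misread.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError(f"expected <map> root, got <{root.tag}>")
    prefs = {}
    for elem in root:
        key = elem.get("name")
        if key is None:
            raise ValueError(f"<{elem.tag}> entry without a name attribute")
        if elem.tag == "string":
            # String values are the element text; an empty string has text None.
            prefs[key] = elem.text or ""
        elif elem.tag in ("int", "long"):
            prefs[key] = int(elem.get("value"))
        elif elem.tag == "float":
            prefs[key] = float(elem.get("value"))
        elif elem.tag == "boolean":
            prefs[key] = elem.get("value") == "true"
        elif elem.tag == "set":
            # Set<String> entries are nested <string> children without names.
            prefs[key] = {child.text or "" for child in elem if child.tag == "string"}
        else:
            raise ValueError(f"unsupported preference element <{elem.tag}>")
    return prefs


def find_sensitive_keys(prefs: dict,
                        markers=("name", "phone", "address", "password", "user", "token")) -> list:
    """Flag keys whose names suggest personal or credential data.

    Heuristic only: key names are chosen by the app developer, so always read
    the full dump as well.
    """
    return sorted(k for k in prefs if any(m in k.lower() for m in markers))


if __name__ == "__main__":
    data = parse_shared_prefs(SAMPLE_PREFS_XML)
    for k, v in data.items():
        print(f"{k} = {v!r}")
    print("possibly sensitive:", find_sensitive_keys(data))
```

Run it against a real file with `parse_shared_prefs(open("com.app.dontbackup.xml").read())`; the point of the typed parsing is that nothing in the file is protected, so every value the app wrote with SharedPreferences comes back exactly as stored.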