Mobile Top 10 2016 - M2 - Insecure Data Storage
This new category is a combination of M2 + M4 from Mobile Top Ten 2014. It covers insecure data storage and unintended data leakage.
2. M2 - Insecure Data Storage
This new category is a combination of M2 + M4 from Mobile Top Ten 2014.
It covers insecure data storage and unintended data leakage. Data
stored insecurely includes, but is not limited to, the following:
SQL databases;
Log files;
XML data stores or manifest files;
Binary data stores;
Cookie stores;
SD card;
Cloud synced.
3. A. Tools
1. OS: Windows 7 Professional x64.
2. Genymotion Android Emulator 3.0.3
3. Oracle VM VirtualBox 6.0.4 (included with the Genymotion installation)
4. Root Checker (root-checker-6-4-7.apk)
5. DIVA (Damn Insecure and Vulnerable App) APK (diva-beta.apk). Download
link in reference [1].
4. B. Install
Genymotion Android Emulator
1. Download the Genymotion Android Emulator from
https://www.genymotion.com/fun-zone/. This practice uses the TRIAL version (30
days only).
2. Then run the installer.
5. C. Shell Android Debug Bridge (ADB) Configuration
1. Add the adb location to the PATH environment variable: Control Panel - System -
"Advanced system settings" - Advanced tab - Environment Variables. Select PATH,
click Edit, and add the folder containing adb.exe (the Genymotion tools folder).
2. Example PATH value after the change:
%PY_HOME%;%PY_HOME%\Lib;%PY_HOME%\DLLs;%PY_HOME%\Lib\lib-tk;C:\Program Files (x86)\Nmap;C:\Program Files\Genymobile\Genymotion\tools
6. D. How to run the Genymotion emulator
Install one of the virtual phones in Genymotion. Then run it by selecting the three
dots and clicking Start.
9. G. DIVA (Damn Insecure and Vulnerable App) APK
For installation, click and hold the apk file (diva-beta.apk) and drag it into the
emulator. Wait until the installation process is complete.
If the apk is installed successfully, a DIVA shortcut appears in the emulator. Click it to
run the app.
10. H. Command Shell & Configuration
1. Test whether adb can connect. Check the emulator's IP address in the Android system status. Port
5555 is the Genymotion default:
adb connect 192.168.5.4:5555
2. Run the adb shell: adb shell
12. Insecure Data Storage (M2)
• The data of an Android application is stored at the location /data/data/<package_name>.
• Shared Preferences is a way to store an Android app's data as key-value pairs.
Source: https://tools.androidtamer.com/Training/DIVA/03_Insecure_Data_Storage_P1/
13. Insecure Data Storage (M2)
1. Create database
2. Save data
Source: https://tools.androidtamer.com/Training/DIVA/04_Insecure_Data_Storage_P2/
14. Insecure Data Storage (M2)
Source: https://tools.androidtamer.com/Training/DIVA/05_Insecure_Data_Storage_P3/
15. Insecure Data Storage (M2)
Source: https://tools.androidtamer.com/Training/DIVA/06_Insecure_Data_Storage_P4/
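As an added defensive check (example code, not part of the original slides or of DIVA), the script below audits a copy of an app's /data/data/<package_name> directory, as pulled from the emulator in this exercise, and reports credential-like keys that sit in plaintext in Shared Preferences XML files and in SQLite database columns (the stores behind the P1 and P2 exercises). The package name, file names, table and values are constructed for the demo.

```python
import os, re, sqlite3, tempfile, xml.etree.ElementTree as ET

# Heuristic: preference keys / column names that usually hold secrets.
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|secret|token|pin|cred", re.I)

def scan_shared_prefs(path):
    """SharedPreferences XML: <map><string name="k">v</string><boolean name="k" value="v"/></map>"""
    hits = []
    for el in ET.parse(path).getroot():
        name, val = el.get("name", ""), el.text if el.text is not None else el.get("value", "")
        if SENSITIVE.search(name) and val:
            hits.append((os.path.basename(path), name, val))
    return hits

def scan_sqlite(path):
    """Report every value stored in a credential-looking column of any table."""
    hits, con = [], sqlite3.connect(path)
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        for col in [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]:
            if SENSITIVE.search(col):
                hits += [(os.path.basename(path), f"{table}.{col}", str(val))
                         for (val,) in con.execute(f'SELECT "{col}" FROM "{table}"') if val]
    con.close()
    return hits

def scan_app_dir(root):
    """Dispatch by Android's /data/data/<pkg> layout and by the SQLite magic bytes."""
    hits = []
    for d, _, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            with open(p, "rb") as fh:
                magic = fh.read(16)
            if os.path.basename(d) == "shared_prefs" and f.endswith(".xml"):
                hits += scan_shared_prefs(p)
            elif magic.startswith(b"SQLite format 3"):
                hits += scan_sqlite(p)
    return hits

def demo():
    """Build a constructed app data directory (not a real device pull) and scan it."""
    root = os.path.join(tempfile.mkdtemp(), "com.example.app")
    for sub in ("shared_prefs", "databases"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "shared_prefs", "com.example.app_preferences.xml"), "w") as f:
        f.write('<map><string name="user">diva</string><string name="password">p@ssw0rd</string></map>')
    with sqlite3.connect(os.path.join(root, "databases", "ids")) as con:  # constructed sample db
        con.execute("CREATE TABLE myuser(user TEXT, password TEXT)")
        con.execute("INSERT INTO myuser VALUES ('diva', 'sqlpass')")
    return scan_app_dir(root)
```

Any hit means the app keeps a secret readable by anyone with access to its private directory; the fix on the app side is to not persist it, or to store it only through the platform keystore.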
Insecure Data Storage can be illustrated with the following two example techniques:
Technique 1, conventional: the device is physically stolen, and data / PII (Personally Identifiable Information) is taken through a connection between the device and a PC. This technique requires considerable effort to carry out. PII = information that can identify a person.
Even when a device is stolen, today's devices increasingly ship with smart software, as on Apple and Android devices: Remote Lock My Device/Passcode Lock, or Find My Device to locate the stolen device, or a remote reset of the phone.
Technique 2, modern: a jailbroken device with an embedded malicious application. The malicious application can store and send sensitive data/information such as usernames, passwords, financial accounts, etc., as well as the victim's activity, to the attacker. The data is sent to the attacker's server over an internet-connected network.
Next we will try a scenario showing how this sensitive data / information can be accessed.