Lect_6 - Deekshith19/Android_Security GitHub Wiki

We install the APK to the emulator by typing the below command.

adb install diva-beta.apk


1. Insecure Logging

We run adb logcat in the terminal window, filtering its output with grep:

adb logcat | grep -i "credit card"

We click on the Insecure Logging button, type a number in the EditText field and click on the Check Out button. We observe that an "An error occurred" toast message is shown, and that logcat has logged the value that was entered.


We open the diva-beta.apk file in JADX, browse the decompiled source code and open LogActivity.


2. Hardcoding Issues - Part 1

In JADX, we browse the decompiled source code and open HardcodeActivity.


We enter the hardcoded vendor key found in the decompiled code into the EditText field.


3. Insecure Data Storage - Part 1

We explore the application by entering a username and password in the EditText fields.


We use adb shell to explore the file system used by the application.


Inside the /data/data/jakhar.aseem.diva directory, we notice the databases and shared_prefs directories.

We type cat shared_prefs/jakhar.aseem.diva_preferences.xml to see the username and password that were saved by the application.


In JADX, we browse the decompiled source code and open InsecureDataStorage1Activity.

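As an added example (not part of this wiki or of DIVA itself), a small Python checker that applies the findings of sections 1 and 3 to artefacts pulled from a test device: it scans logcat output for Luhn-valid card numbers like the one LogActivity writes, and parses a shared_prefs XML file for string entries with credential-like keys. The log lines and the preferences file below are constructed samples, not captures from the app.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample logcat output (not captured from the emulator).
SAMPLE_LOGCAT = """\
06-09 21:58:01.123  1234  1234 D diva-log: Error while processing transaction with credit card: 4111111111111111
06-09 21:58:02.456  1234  1234 I ActivityManager: Displayed jakhar.aseem.diva/.LogActivity
06-09 21:58:03.789  1234  1234 I Session: request id 1718000000000 completed
"""

# Constructed sample shared_prefs file, in the layout Android writes.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user">diva</string>
    <string name="password">p@ssw0rd</string>
    <int name="launch_count" value="3" />
</map>
"""

SENSITIVE_KEYS = re.compile(r"pass(word|wd)?|pwd|secret|token|api.?key", re.I)
CARD_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_logged_card_numbers(logcat: str) -> list[str]:
    """Return Luhn-valid card-like numbers that the app wrote to logcat."""
    return [m.group() for line in logcat.splitlines()
            for m in CARD_CANDIDATE.finditer(line) if luhn_ok(m.group())]


def find_plaintext_secrets(prefs_xml: str) -> dict[str, str]:
    """Return <string> preferences whose key looks like a credential."""
    root = ET.fromstring(prefs_xml)
    return {el.get("name"): el.text or "" for el in root.iter("string")
            if SENSITIVE_KEYS.search(el.get("name", ""))}


if __name__ == "__main__":
    print("card numbers in logcat:", find_logged_card_numbers(SAMPLE_LOGCAT))
    print("plaintext secrets in prefs:", find_plaintext_secrets(SAMPLE_PREFS))
```

The request id on the third log line is a 13-digit run that fails the Luhn check, so only the logged card number is reported.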

4. Insecure Data Storage - Part 2

We explore the application by entering a username and password in the EditText fields.


We use adb shell to explore the file system used by the application.

Inside the /data/data/jakhar.aseem.diva directory, we notice the databases and shared_prefs directories.

We observe that there is a new file inside the databases directory.


We open the ids2 database with the sqlite3 program and enter select * from myuser; to view the saved username and password.


In JADX, we browse the decompiled source code and open InsecureDataStorage2Activity.


5. Insecure Data Storage - Part 3

We explore the application by entering a username and password in the EditText fields.


We use adb shell to explore the file system used by the application.

Inside the /data/data/jakhar.aseem.diva directory, we observe that there is a new file named uinfo-1455578291tmp. We display its contents with the cat uinfo-1455578291tmp command.


The file contains the saved username and password.


In JADX, we browse the decompiled source code and open InsecureDataStorage3Activity.


6. Insecure Data Storage - Part 4

We explore the application by entering a username and password in the EditText fields.


In JADX, we browse the decompiled source code and open InsecureDataStorage4Activity.


As the file is stored on external storage, in the adb shell we run cd /sdcard, then ls -a and cat .uinfo.txt to view its contents.
