This is part one of a three-part series looking at some security fundamentals for mobile developers.
We’ll be looking specifically at native iOS and Android, demonstrating some examples of common security issues and how to fix them.
In this part, we’re going to examine what information is generally stored by apps in clear-text on the mobile device. Like any computer, a mobile device needs to store information for applications to use. This can be stored in a number of ways such as text files or databases.
To be able to access this information we need to use a jailbroken or rooted device as the device operating system will protect these directories when functioning correctly. Once you have superuser access to the device you can read and edit these files and database. There are plenty of tutorials and tools available online so I won't cover getting superuser access in this article.
Just a word of warning iFunbox tried to change some of my browser preferences on install and my AV flagged a warning. These are alternative phone browsers if you don't want to take the risk with this one. I use virtual machines were doing any type of security work where there’s a risk that third-party tools might have malware.
Below the folder structure of an iOS app container:
The first area to check out is Library/Preferences. This is where the app NSUSerDefaults are stored. App developers use this clear-text list file to store values which can be easily retrieved by the app when needed. It’s not supposed to be used for anything sensitive as they can be easily read.
Just browsing through the apps on my device. I can see some interesting information stored in NSUserDefaults. A top 50 rated shopping app has my password in clear-text instead of on the keychain as recommended.
Another app I regularly use displays it’s in-app purchase prices, which makes you curious whether editing these values could get you a discount? Presumably, the values are checked on the back-end during purchase. But I would definitely check that out if this was my app.
Developers should easily be able to log out nay NSUserDefault entries in use. These can be examined to ensure they fit with your security guidelines.
Database files are commonly stored in the app container in Library/Documents but I have found them in other places within the container. They often have the “.sqlite” extension but can also be “.db”. These are usually native core data or a third party DB like realm.
Once you have jailbroken access to the device databases are often in clear-text. Meaning you can just open them up with a tool such as “DB Browser for SQLite”.
An example I found in my local apps appears to be an inbox for the Urban Airship push messaging plugin used in this application. This is a screenshot DB Browser For SQLite.
Another potential issue is temporarily storing files locally which might have intellectual property associated with it. For example, if your company offers video training guides which can be downloaded locally. These files often end up in the app container without any DRM (Digital Rights Management) and can be downloaded and shared.
I found an example of this while writing this article and emailed the company to give them a heads up.
Just like iOS, the files on Android can be viewed when admin access to the device has been obtained.
The app container files are stored in “/data/data” but can also be stored on the external storage in some circumstances.
For this article, I'm using Nox, an Android emulator which will run on Mac or PC. This gives me easy superuser access to the Android operating system.
Just like iOS, Android has list files which allow the developer to read and write values. These are generally stored in shared_prefs.
There are usually a few files in here as plugins and libraries will also store information here.
Just like iOS, these files should not be used to store sensitive information.
Android apps often take advantage of SQLite databases to store information. These can usually be found in the databases directory within the app container.
Here are the contents of a well know fast food restaurants local database with some menu items:
There is also price information in these tables which again makes me wonder what happens if these are edited?
Just with iOS, Android media files such as video or audio downloaded will also be available in the container. These need to be protected with DRM or encryption to stop them being downloaded and shared.
Developers should be aware that the information in the app container can be manipulated and not to store security or purchase related information in there.
Password / Session Keys
Ideally, passwords should never be stored, only session ID’s but if they are to be stored both operating systems offer a secure keychain/keystore to help store these items.
Any sensitive information such as PII or pricing information should not be stored locally unless it's encrypted. There are widely used methods to encrypt local databases and data.
If media files are going to be stored locally and they contain intellectual property then a DRM solution should be employed or encrypted.
Written by Rob Pope of Escaped -> 🤖 Security testing in Los Angeles