Saturday, December 31, 2016
ANDROID PT - DIVA / 6 - Insecure Data Storage 4 - External Storage
INSECURE DATA STORAGE 4 - EXTERNAL STORAGE
- Layout for this exercise:
- Connecting from Santoku to Nexus 5 with ADB:
- Launching the application:
- Clicking the tab for challenge 6:
- The application asks for credentials, username and password, and then saves them:
- Examining the Java source code of this challenge, InsecureDataStorage4Activity.java, helps to understand how the application saves the credentials:
- The method saveCredentials shows that an external storage directory is used to save the credentials, inside a file called .uinfo.txt. The dot at the beginning of the file name makes it a hidden file, which only keeps it out of a plain directory listing and does not protect its contents:
- Looking inside the SD card directory with command ls, nothing interesting is found:
- However, when command ls is run with -la options, it is possible to detect hidden files like .uinfo.txt, starting with a dot:
- Opening the content of the file, the credentials are available:
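
The check from the last three steps can be scripted for an assessment. This is an added example, not part of the original post: it lists dot-files in a local copy of the external storage and flags those holding `user:password`-shaped lines. The function names, the `adb pull` copy step, the line format and the sample data are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a local copy of a device's
# external storage for hidden files that hold credential-like text.
# Assumption: the copy was made beforehand, e.g. `adb pull /sdcard ./sdcard_copy`.

# list_hidden_files DIR
# Print every regular file under DIR whose name starts with a dot.
# A plain `ls` skips these names; `ls -la` and find do not.
list_hidden_files() {
    find "$1" -type f -name '.*' 2>/dev/null | sort
}

# find_credential_dotfiles DIR
# Print hidden files that contain a line shaped like "user:password".
# Heuristic (assumed format): two non-empty fields, one colon, no whitespace.
find_credential_dotfiles() {
    list_hidden_files "$1" | while IFS= read -r f; do
        if grep -Eq '^[^:[:space:]]+:[^:[:space:]]+$' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# make_sample_tree
# Build a constructed directory tree that mimics the situation in the post
# and print its path. All contents are made-up sample data.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/Download"
    printf 'testuser:testpass\n' > "$d/.uinfo.txt"        # constructed credentials
    printf 'thumbnail cache\n'   > "$d/Download/.thumbs"  # hidden, but harmless
    printf 'plain notes\n'       > "$d/Download/notes.txt"
    printf '%s\n' "$d"
}

# Usage: sh audit_dotfiles.sh ./sdcard_copy   (script name is hypothetical)
if [ -n "${1:-}" ]; then
    find_credential_dotfiles "$1"
fi
```

Any file this reports was readable by every application with external storage access on the device, regardless of the leading dot.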