Hello all and welcome to the new video on Android Security and Exploitation by PentesterAcademy. In this video, we're going to have a look at the insecure data storage part III. So this entire particular video is going to be dedicated to Damn Insecure and Vulnerable Application, but you can also take the concepts and apply them to any real world application as well. So this course is being run on pentesteracademy.com as well as securitytube-training.com.

So in the insecure data storage three, if you look at the application, it is the same as the last two parts and it again asks for third party service username and third party service password, right. So if you go ahead and enter a username and password, let's say aditya and password as aditya123, and simply go ahead and save it, right. Now, where this data gets stored, we can figure that out by having a look at the source code, right. So let's have a look at the source code. Then /diva-beta/jakhar/aseem/diva, the InsecureDataStorage3Activity.java. So if you look over here, it says that there is a method called saveCredential which takes the input from the text boxes, which are most probably these two text boxes, and creates a temporary file called uinfo and takes everything from these two fields and saves it inside this particular file, and once the file is saved, it simply says the third party credentials saved successfully.

Now, it saves the file in the data directory, right. And we know that the data directory is the location /data/data/[package-name]/. So let's go ahead and look at the data directory. So we'll go to /data/data/jakhar.aseem.diva/. I will just ls over here. So now if you look over here, there is a file called uinfo-<number>tmp. If you simply cat this file, it tells you the username and password, which is the username and password which you saved already, right. So this is one of the ways in which some of the applications insecurely store data.

So that's all for this short video and if you have any feedback or queries, feel free to reach out to me at adi@attify.com or you can tweet out to me @adi1391. Do check out the courses at securitytube-training.com and pentesteracademy.com. Thank you.
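As an added illustration (not DIVA's source and not part of the video), the following Java shows the storage pattern the video walks through next to a hardened form of the same save: a clear-text temp file written into the app's data directory versus the same "user:password" string encrypted with an AES-256-GCM key generated inside the Android Keystore and written with MODE_PRIVATE. The class name, key alias, file name and helper names are my own assumptions; the Android and javax.crypto calls are standard platform APIs (API level 23 or newer for Keystore AES keys).

```java
// Added example; not DIVA's source. Class, alias and file names are assumptions.
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class CredentialStore {
    private static final String KEY_ALIAS = "uinfo_key";  // assumed Keystore alias
    private static final String ENC_FILE  = "uinfo.enc";  // assumed file name
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    // INSECURE: the pattern the video describes. createTempFile drops a
    // "uinfo...tmp" file in the app's data directory holding "user:password"
    // in clear text; `cat` on a rooted device, a backup extraction, or any
    // code running under the app's UID reads it straight back.
    public static File saveInsecure(Context ctx, String user, String pass) throws IOException {
        File dataDir = new File(ctx.getApplicationInfo().dataDir);
        File uinfo = File.createTempFile("uinfo", "tmp", dataDir);
        try (FileWriter fw = new FileWriter(uinfo)) {
            fw.write(user + ":" + pass + "\n");
        }
        return uinfo;
    }

    // HARDENED: encrypt with an AES-256-GCM key that is generated and kept
    // inside the Android Keystore. The key is non-exportable, so a file copied
    // out of /data/data/<package>/files/ is ciphertext without the device.
    public static void saveEncrypted(Context ctx, String user, String pass)
            throws IOException, GeneralSecurityException {
        byte[] plaintext = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey()); // Keystore supplies a fresh random IV
        byte[] iv = cipher.getIV();
        byte[] ct = cipher.doFinal(plaintext);               // ciphertext + 16-byte GCM tag
        Arrays.fill(plaintext, (byte) 0);
        // MODE_PRIVATE: owned by the app UID, not world-readable.
        try (FileOutputStream out = ctx.openFileOutput(ENC_FILE, Context.MODE_PRIVATE)) {
            out.write(iv);   // 12-byte IV prefix
            out.write(ct);
        }
    }

    public static String loadEncrypted(Context ctx) throws IOException, GeneralSecurityException {
        byte[] blob;
        try (FileInputStream in = ctx.openFileInput(ENC_FILE)) {
            blob = readAll(in);
        }
        if (blob.length < GCM_IV_BYTES + GCM_TAG_BITS / 8) {
            throw new IOException("credential file truncated or tampered");
        }
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_IV_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        // doFinal throws AEADBadTagException if the file was modified on disk.
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    private static SecretKey getOrCreateKey() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(KEY_ALIAS, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    private static byte[] readAll(FileInputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) buf.write(chunk, 0, n);
        return buf.toByteArray();
    }
}
```

The hardened version closes the exposure the video demonstrates (an `ls` and `cat` in /data/data/<package>/ yielding the credential), because the file on disk is now IV plus ciphertext and the key cannot be pulled out of the Keystore. It does not protect against code that already runs inside the app's process and can call `loadEncrypted` itself, so when reviewing a real app the first question is still whether the third-party password needs to be persisted on the device at all, and a short-lived token obtained from the third-party service is the better design where it is available.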