Finding backup vulnerabilities in android apps

Hi everyone this post is just an elaboration of 10th point that I made it in my previous post which is being often missed by dev/hunters while looking for bugs in android apps although this issue is not new and more then a vulnerability it is a misconfiguration .

Why to look up in backup ?  

Just like any other os android system allows user’s to make backup of the their app that’s cool but from our end we are concerned about whether any sensitive information is being leaked in the backup or not and whether it has been loosely configured .

Tools Required ?

  1. Adb
  2. Abe
  3. Apktool
  4. Genymotion

How to proceed : 

  1. To check whether any app allows the backup you need to first reverse the apk and find the manifest file to do so execute apktool d <app-name.apk>
  2. Check in AndroidManifest.xml file for the attribute
    android:allowBackup=”true” if this is present and it’s value is set to true it means we can backup the app internal data which resides under
  3. To backup the app hit the adb backup -f <backup-name.ab>
  4. Accept the backup confirmation from the device.
  5. Now you will have the app-backup.ab file in your working directory
  6. To read this you need to convert this .ab file into .tar format using the tool
    Android Backup Extractor
    Command : java -jar abe.jar unpack app-backup.ab
  7. Then you can extract this tar file using tar xvf app-backup.tar t
  8. To make this process short i have written a custom tool pentdroid which automates all the above android operations .pentdroid
  9. Just select the operation 6 for reversing an app , 4 (For taking backup of an app ) then finally select option 5 to convert the backup.ab into backup.tar .
  10. Once you will get .tar file extract it using  winrar 
  11. Once it has been extracted you will get the folder residing in /data/data directory.
  12. Try to explore the various files including assets like .db, sharedprefs.xml and search for sensitive information sometimes you will find developers secrets , pass ,auth token for api’s etc
  13. Here i got once such case while reporting to one of the android program where i was able to obtain auth token stored in one of the .db file .
  14. auth_token_exposed
  15. I have used sqlite browser to see the info of .db files .
  16. By using the obtained token we can make calls to the api end point to fetch more information.

Why to bother about this if we can find something by just rooting the device ?

With this you don’t need a rooted device to obtain data from apps internal directory ! and well this respect the program scope too as compared to the other OWASP-M2 issues which requires you to have rooted device .

Any Patch or recommendation?

1.)Try to Implement sqlcipher which encrypts the sqlite db check out >

2.) Set android:allowBackup:false in android manifest file to disallow the access

3.)Even do not let apps to upload backups in clouds containing sensitive info in clear text.







Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s