Android App

Overview of Test Cases in Android App

OMTG_DATAST_001_BadEncryption

Description

The activity contains an encrypted string (vJqfip28ioydips=). The "encryption" function provided only XORs every byte with the constant 16 and then inverts all bits of the result (bitwise NOT). Because XOR with a constant and bitwise NOT commute (NOT x is the same as x ^ 0xFF), the whole transform is just XOR with a fixed byte and is its own inverse.

The following function decrypts the string. It is not part of the app's code, but it is easy to write once the encrypt function has been understood.

import android.os.Bundle;
import android.util.Base64;
import android.util.Log;

protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    decrypt("vJqfip28ioydips=");
}

// Inverse of the app's "encryption": XOR every byte with 16, then invert the bits.
// The order of the two steps does not matter because XOR with a constant and
// bitwise NOT commute, so this routine also re-encrypts a plaintext.
private void decrypt(String str) {
    byte[] bytes = Base64.decode(str, Base64.DEFAULT);

    for (int i = 0; i < bytes.length; i++) {
        bytes[i] = (byte) (bytes[i] ^ 16);
        int curr = ~bytes[i] & 0xff;   // mask to a byte again after the NOT
        bytes[i] = (byte) curr;
    }

    String decryptedData = new String(bytes);
    Log.e("Decrypted Password", decryptedData);
}

Intention

To show that proper, reviewed encryption libraries and functions must be used and that home-made encryption algorithms should not be attempted, as they are easily reverse engineered. A transform with a one-byte key such as this one does not even need to be read from the APK: all 256 keys can be tried in an instant.
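The same transform in Python, together with a brute force over the one-byte XOR key, as an added example that is not code from the OMTG app. The function names transform, encrypt, decrypt and candidate_keys are mine; the ciphertext is the one from the activity, and the test checks that it decrypts to SuperSecret. candidate_keys shows why the key does not need to be recovered from the APK at all: with 256 possibilities, the printable-ASCII outputs can simply be listed and read.

```python
import base64
import string

# Added example (not code from the OMTG app): the app's XOR-then-NOT
# "encryption", its decryption, and a brute force over the single-byte key.

KEY = 16  # the constant the app XORs with before inverting the bits


def transform(data: bytes, key: int = KEY) -> bytes:
    """XOR each byte with key, then invert all bits.

    NOT x == x ^ 0xFF, so the whole step is x ^ (key ^ 0xFF). It is an
    involution: applying it twice returns the input, so encrypt and
    decrypt are the same operation.
    """
    return bytes((~(b ^ key)) & 0xFF for b in data)


def encrypt(plaintext: str, key: int = KEY) -> str:
    """Plaintext -> transform -> Base64, as the app stores it."""
    return base64.b64encode(transform(plaintext.encode(), key)).decode()


def decrypt(ciphertext_b64: str, key: int = KEY) -> str:
    """Base64 -> transform -> text; latin-1 so no byte can fail to decode."""
    return transform(base64.b64decode(ciphertext_b64), key).decode("latin-1")


def candidate_keys(ciphertext_b64: str):
    """Every key for which the output is entirely printable ASCII.

    A single-byte key gives only 256 possibilities; the real key (16) is
    among the candidates and the plaintext can be read off directly.
    """
    raw = base64.b64decode(ciphertext_b64)
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    return [k for k in range(256)
            if all(b in printable for b in transform(raw, k))]


if __name__ == "__main__":
    ct = "vJqfip28ioydips="
    print("decrypted with key 16:", decrypt(ct))
    for k in candidate_keys(ct):
        print("key %3d -> %r" % (k, decrypt(ct, k)))
```

Many keys produce printable output because XORing lowercase letters with a small constant keeps them in the printable range; the candidate list is therefore a short list to eyeball, not a single answer, which is still far cheaper than disassembling the app.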

OMTG_DATAST_001_KeyChain

Description

This activity imports a certificate that is stored in the assets directory (server.p12). The password of the PKCS#12 file is 1234.

Intention

Show a best practice on how to import a certificate into the KeyChain.

OMTG_DATAST_001_KeyStore

Description

This activity creates a key pair in the Android KeyStore under the alias dummy and uses it to encrypt and decrypt a string.

Intention

Show a best practice on how to create a key pair by using KeyStore and how to encrypt/decrypt data.

OMTG_DATAST_001_InternalStorage

Description

This activity shows how to store data in internal storage. A file called test_file that contains a credit card number is created in /data/data/sg.vp.owasp_mobile.myfirstbrokenapp/files.

Intention

Show that storing data on the device itself can lead to disclosure of data. Internal storage is private to the app's own uid, but the file is still readable on a rooted device, from a backup, or by anyone with physical access and a way to extract the app's data directory, so internal storage should not be used for sensitive information in clear text.

OMTG_DATAST_001_ExternalStorage

Description

This activity shows how to store data in external storage. A file called password.txt is created in the external storage directory (the path differs between Android versions and devices); on the Xiaomi Note 2 used here the folder is /storage/emulated/0.

Intention

Show that storing data on the device itself can lead to disclosure of data. External storage should not be used for the app's own sensitive information: every app holding the external storage permission can read it, it is exposed over USB/MTP, and the medium can be removed, which may additionally lead to errors in the app.

OMTG_DATAST_001_SharedPreferences

Description

This activity shows how to create Shared Preferences. As a bad practice, user credentials are stored as a key-value pair in the file key.xml in /data/data/sg.vp.owasp_mobile.omtg_android/shared_prefs.

Intention

To show that no sensitive information should be stored in Shared Preferences, as the values are written in clear text to an XML file in the app's data directory by default.

OMTG_DATAST_001_SQLite_Not_Encrypted

Description

This activity shows how to create a SQLite database. As a bad practice, user credentials are stored in the database.

Intention

To show that no sensitive information should be stored in a plain SQLite database, as it is stored in clear text by default and can be opened with sqlite3 once the file has been pulled from the device.
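A scanner for the kind of findings described in the InternalStorage, SharedPreferences and SQLite sections above, added here as an example and not code from the OMTG app. It is meant to be pointed at a copy of /data/data/<package> pulled from a rooted device: it reads shared_prefs XML for credential-looking keys, dumps credential-looking columns from every SQLite file (recognised by its header), and looks for Luhn-valid 13 to 19 digit runs (card numbers) in any text. The key/column name pattern, the function names and the directory built by build_sample_app_dir() are my assumptions; the sample data in it is constructed for the example.

```python
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Added example (not code from the OMTG app): scan a pulled app data directory
# for clear-text credentials and card numbers.
CRED_KEY = re.compile(r"pass|pwd|secret|token|user", re.I)   # assumed key/column names
DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")              # card-number length runs
SQLITE_MAGIC = b"SQLite format 3\x00"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters timestamps and IDs out of the digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(path, text):
    return [(path, "pan", m.group()) for m in DIGIT_RUN.finditer(text) if luhn_ok(m.group())]


def scan_prefs_xml(path):
    """Shared preferences look like <map><string name="key">value</string>...</map>."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return []
    return [(path, "pref:" + el.get("name", ""), el.text or "")
            for el in root if CRED_KEY.search(el.get("name", ""))]


def scan_sqlite(path):
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for t in tables:
            for col in (r[1] for r in con.execute('PRAGMA table_info("%s")' % t)):
                if CRED_KEY.search(col):
                    rows = con.execute('SELECT "%s" FROM "%s"' % (col, t))
                    findings += [(path, "db:%s.%s" % (t, col), str(v)) for (v,) in rows]
    finally:
        con.close()
    return findings


def scan_app_dir(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            if data.startswith(SQLITE_MAGIC):
                findings += scan_sqlite(path)
                continue
            if fn.endswith(".xml"):
                findings += scan_prefs_xml(path)
            findings += scan_text(path, data.decode("utf-8", "replace"))
    return findings


def build_sample_app_dir():
    """Constructed stand-in for /data/data/sg.vp.owasp_mobile.myfirstbrokenapp."""
    root = tempfile.mkdtemp(prefix="omtg_")
    for sub in ("files", "shared_prefs", "databases"):
        os.mkdir(os.path.join(root, sub))
    with open(os.path.join(root, "files", "test_file"), "w") as fh:
        fh.write("card=4111111111111111 exp=12/29\n")      # Luhn-valid test number
    with open(os.path.join(root, "shared_prefs", "key.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                 '  <string name="username">alice</string>\n'
                 '  <string name="password">Winter2024!</string>\n</map>\n')
    con = sqlite3.connect(os.path.join(root, "databases", "users.db"))
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('bob', 'hunter2')")
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    for path, kind, value in scan_app_dir(build_sample_app_dir()):
        print("%-18s %s  %s" % (kind, path, value))
```

On a real target, pull the directory first (adb shell as root, then tar or adb pull) and run scan_app_dir on the local copy; the SQLite step will not work on a SQLCipher database, which is exactly the difference the next section is about.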

OMTG_DATAST_001_SQLite_Encrypted

Description

This activity shows how to create an encrypted SQLite database with SQLCipher. As a bad practice, the user credentials are stored in an encrypted database, but the encryption key is stored locally in the app.

root@hermes:/data/app/sg.vp.owasp_mobile.myfirstbrokenapp-2/lib/arm # ls -la
-rwxr-xr-x system   system     186220 1979-12-31 14:36 libdatabase_sqlcipher.so
-rwxr-xr-x system   system      13768 1979-12-31 14:36 libnative.so
-rwxr-xr-x system   system    2277928 1979-12-31 14:36 libsqlcipher_android.so
-rwxr-xr-x system   system     365880 1979-12-31 14:36 libstlport_shared.so
root@hermes:/data/app/sg.vp.owasp_mobile.myfirstbrokenapp-2/lib/arm # strings libnative.so | grep -v _
/system/bin/linker
LIBC
libc.so
libnative.so
memcpy
abort
libstdc++.so
libm.so
libdl.so
S3cr3tString!!!

The key does not show up in the decompiled Java code because it is hidden inside a native shared object (.so file). It is nevertheless recovered with a single strings run over libnative.so (the grep -v _ only drops the mangled symbol names): the password is S3cr3tString!!!.

Intention

It is a best practice to encrypt the SQLite database, but the problem is where to store the key. This shows that there is no way to hide a key locally from an attacker who controls the device: if the key is stored locally it can be recovered, even though resilience countermeasures (obfuscation, native code, anti-debugging) can be put in place to slow the attacker down. To avoid saving the key locally, the following two approaches can be considered:

OMTG_DATAST_002_Logging

Description

This activity shows a login prompt. Once Login is clicked, the entered data is written to the system log (visible with adb logcat).

Intention

Show that logging sensitive data leads to information disclosure. Log output is readable by anyone with adb access to the device (and, before Android 4.1, by any app holding READ_LOGS), and it is written regardless of whether android:debuggable is set in the AndroidManifest; a guard such as BuildConfig.DEBUG does not help either, because the app can be repackaged with debugging enabled. Therefore all logging and debugging code should be removed before creating a production release, for example with ProGuard/R8 -assumenosideeffects rules for android.util.Log.
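A small detector for this class of leak, added as an example and not part of the OMTG app: it parses logcat output in the threadtime format (adb logcat -v threadtime) and flags entries whose message contains credential-looking fields. The log lines in SAMPLE_LOGCAT are constructed for the example, the tag OMTG_DATAST_002_Logging is assumed, and the keyword list in SENSITIVE_RE is my choice.

```python
import re

# Added example (not code from the OMTG app): find credential leaks in logcat.
LOGCAT_RE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF]) (?P<tag>[^:]+): (?P<msg>.*)$"
)
SENSITIVE_RE = re.compile(
    r"\b(pass(word|wd)?|pwd|pin|token|secret|credit ?card|cvv)\b", re.I
)

# Constructed sample of `adb logcat -v threadtime`; pid 4711 is the app.
SAMPLE_LOGCAT = """\
03-14 10:21:07.101  4711  4711 I ActivityManager: Displayed sg.vp.owasp_mobile.omtg_android/.OMTG_DATAST_002_Logging
03-14 10:21:12.455  4711  4711 D OMTG_DATAST_002_Logging: Login button clicked
03-14 10:21:12.456  4711  4711 E OMTG_DATAST_002_Logging: username=alice password=Winter2024!
03-14 10:21:12.460  4711  4711 V OMTG_DATAST_002_Logging: request body={"user":"alice","token":"eyJhbGciOi..."}
03-14 10:21:13.002  1203  1210 W WifiService: scan throttled
"""


def parse_logcat(text: str):
    """One dict per well-formed threadtime line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_leaks(entries, tag_prefix=None):
    """Entries whose message mentions a credential field.

    tag_prefix limits the search to the app's own tags; leave it None to
    also catch leaks through framework tags (e.g. an Intent dumped by
    ActivityManager).
    """
    leaks = []
    for e in entries:
        if tag_prefix and not e["tag"].startswith(tag_prefix):
            continue
        if SENSITIVE_RE.search(e["msg"]):
            leaks.append(e)
    return leaks


if __name__ == "__main__":
    for e in find_leaks(parse_logcat(SAMPLE_LOGCAT), tag_prefix="OMTG_"):
        print("%s %s/%s: %s" % (e["time"], e["level"], e["tag"], e["msg"]))
```

The keyword list is deliberately simple; in a real assessment, run the parser over a full session capture rather than a grep, because the value often appears in a different line than the field name (for example a serialized request body logged at verbose level, as in the fourth sample line).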

OMTG_DATAST_005_Keyboard_Cache

Description

This activity offers a text field for entering data and implements the best practice of deactivating the keyboard cache for it, i.e. the soft keyboard's dictionary and auto-suggest, which would otherwise learn and later suggest the entered value.

Intention

To show that input fields that ask for sensitive data should have the keyboard cache deactivated, for example with android:inputType="textNoSuggestions" (or textPassword for secrets), so that the entered value is not stored by the keyboard and disclosed as a suggestion later.

OMTG_DATAST_011_Memory

Description

This activity shows how a string is decrypted; the clear-text value is never displayed and can only be read by taking a memory dump of the process.

Intention

To show that a memory dump can leak sensitive information such as decrypted data or keys. Decrypted values should live in memory only as long as needed and be overwritten afterwards (use byte or char arrays that can be zeroed rather than immutable String objects, which stay in the heap until garbage collected).
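The strings step from the SQLite_Encrypted section and the memory-dump search from this section need the same tool: a scanner for printable runs in a binary blob with a filter for the loader and libc noise that every Android .so (or process dump) contains. The following is an added example and not code from the OMTG app; it works identically on a native library and on a raw memory dump. The noise rules, the character-class/entropy ranking and the function names are mine, and the blob built by build_sample_blob() is constructed for the example (libnative.so itself is not included here).

```python
import math
import re
from collections import Counter

# Added example (not code from the OMTG app): strings(1) plus a filter and a
# ranking, so a hard-coded key stands out in a .so file or a memory dump.

_LIB_NAME = re.compile(r"lib[\w+.-]+\.so(\.\d+)*")
_C_SYMBOL = re.compile(r"[a-z][a-z0-9]{1,15}")   # memcpy, abort, strlen, ...


def extract_strings(blob: bytes, min_len: int = 4):
    """Same idea as strings(1): runs of printable ASCII of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def is_noise(s: str) -> bool:
    """What every Android .so contains anyway (the page's grep -v _, extended).

    Trade-off: dropping everything with an underscore also hides a secret
    that contains one; relax this rule if the first pass finds nothing.
    """
    return (
        s.startswith(("/system/", "GCC:", "Android (", "clang version"))
        or s == "LIBC"
        or "_" in s                                   # mangled C++ names, __cxa_*, ...
        or _LIB_NAME.fullmatch(s) is not None
        or _C_SYMBOL.fullmatch(s) is not None
    )


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def char_classes(s: str) -> int:
    """How many of lower/upper/digit/other appear; secrets tend to mix them."""
    return sum(bool(re.search(p, s)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def rank_candidates(strings, min_len: int = 8):
    """Unique, non-noise strings as (classes, entropy, string), best first."""
    scored = {}
    for s in strings:
        if len(s) >= min_len and not is_noise(s):
            scored[s] = (char_classes(s), round(shannon_entropy(s), 2))
    return sorted(((c, e, s) for s, (c, e) in scored.items()), reverse=True)


def build_sample_blob() -> bytes:
    """Constructed stand-in for libnative.so or a heap dump: ELF magic, the
    usual linker/libc strings, binary filler, a harmless message and the key."""
    parts = [
        b"\x7fELF\x01\x01\x01\x00", b"/system/bin/linker\x00", b"LIBC\x00", b"libc.so\x00",
        b"libnative.so\x00", b"memcpy\x00", b"abort\x00", b"libstdc++.so\x00", b"libm.so\x00",
        b"libdl.so\x00", b"_ZN9DbHelper6getKeyEv\x00", b"GCC: (GNU) 4.9\x00",
        bytes(range(32)) * 4, b"Hello from native\x00", b"S3cr3tString!!!\x00", b"\x00" * 64,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for classes, entropy, s in rank_candidates(extract_strings(build_sample_blob())):
        print("classes=%d entropy=%.2f  %s" % (classes, entropy, s))
```

Entropy alone ranks a short English sentence above a short key (the sample "Hello from native" has higher entropy than S3cr3tString!!!), which is why the character-class mix is the primary sort key. For a memory dump of the OMTG_DATAST_011_Memory activity the same function is run over the dumped heap, and the decrypted string appears as a candidate as long as it is still referenced.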

OMTG_CODING_005_WebView_Remote

Description

This activity simulates a WebView that loads a remote page. When the page below is loaded, the JavaScript embedded in it can call the Java methods that the class OMTG_ENV_005_JS_Interface exposes to the WebView through addJavascriptInterface. On Android versions below 4.2 (API level 17) every public method of the exposed object was reachable this way, including getClass(), which let injected script execute arbitrary code via reflection; from API level 17 on only methods annotated with @JavascriptInterface are exposed, but any script that runs in the WebView (including one injected into an HTTP page) still gets to call them, so the bridge should only be combined with content loaded over TLS.

This is a remote test page!
