Practical 16 & 17

Uploaded by

mapovax364

Practical 16

Aim: To exploit insecure data storage vulnerabilities by accessing sensitive information stored in the device's internal or external storage (Insecure Data Storage Part 4).

Requirements: Tools: Genymotion, Diva.apk, Jadx
Theory:

In the DIVA-Beta application, Part 4 of the insecure data storage exercises focuses on identifying and mitigating the risks that arise when sensitive data is inadequately protected. This involves assessing how the application stores data, to ensure that sensitive information is encrypted and kept in storage that other applications cannot read. It also includes evaluating data retention policies and access controls to address weaknesses that could lead to data breaches or unauthorized retrieval of confidential information.

Steps:
1. Turn on your Genymotion custom-build phone.
2. Now open the diva-beta application in it.
3. Open Insecure Data Storage Part 4.
4. Now enter a username and password and click on the Save button.

5. Now open the JADX tool. Drag and drop the diva-apk-file-main folder into it to get all the details of the diva-beta application in human-readable form.
6. Open the Insecure Data Storage Part 4 folder in the JADX tool to understand the code of the application.
7. After analyzing the source code, we found that the username and password are being stored in external storage in a file named ".uinfo.txt"; the leading dot is there to hide the file from a plain directory listing.
8. Now, to find that file, open a command prompt.
9. After opening cmd, get a shell on the Android device using the "adb shell" command.
10. Then go to the external storage (here we have an sdcard mounted on our device) using the "cd /mnt/sdcard" command, and use the "ls" command to list files.

11. We are unable to see the ".uinfo.txt" file in the "ls" output because it is a dotfile, which ls hides by default.
12. To list all files, including hidden ones, use the "ls -la" command.
13. After finding the ".uinfo.txt" file, read it using the "cat .uinfo.txt" command.
14. We successfully retrieved the username and password that we had saved previously.
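The steps above show that a leading dot only hides a file from a plain "ls"; it is not an access control, and anything written to shared external storage can be read by other apps and by anyone with an adb shell. The following script is an added example (not part of the practical and not DIVA's own code) that turns the manual "ls -la" plus "cat" check into a repeatable audit: it parses a directory listing, flags dotfiles and world-readable files, and looks for credential-like plaintext in their contents. The listing and file contents are constructed for the example; the real format DIVA writes to .uinfo.txt is not shown in the practical and is assumed here to be "username:password".

```python
import re

# Constructed sample: what "ls -la /mnt/sdcard" might print inside "adb shell".
# Every entry here is made up for this example; only the ".uinfo.txt" name
# comes from the practical.
SAMPLE_LISTING = """\
total 24
drwxrwx--x  4 root sdcard_rw 4096 2024-01-10 10:00 .
drwxr-xr-x 10 root root      4096 2024-01-10 09:58 ..
-rw-rw----  1 root sdcard_rw   18 2024-01-10 10:05 .uinfo.txt
drwxrwx--x  2 root sdcard_rw 4096 2024-01-10 09:59 Download
-rw-rw-rw-  1 root sdcard_rw  512 2024-01-10 10:01 debug.log
-rw-rw----  1 root sdcard_rw   17 2024-01-10 10:01 notes.txt
"""

# Constructed file contents (assumed "username:password" layout for .uinfo.txt).
SAMPLE_FILES = {
    ".uinfo.txt": "admin:Password123\n",
    "debug.log": "app started\n",
    "notes.txt": "remember to call\n",
}

# One "ls -la" row: mode bits, link count, owner, group, size, date, time, name.
LINE_RE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+(.+)$"
)
# "password=..." style pairs, and bare "user:pass" lines.
KEY_VALUE_RE = re.compile(
    r"(?i)\b(user(?:name)?|pass(?:word)?|pwd|token|secret)\s*[:=]\s*\S+"
)
PAIR_RE = re.compile(r"^[^\s:]{1,64}:[^\s:]{1,128}$")


def parse_listing(text):
    """Turn "ls -la" output into dicts with the attributes the audit needs."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # "total N" and anything unparseable
        perms, name = match.groups()
        if name in (".", ".."):
            continue
        entries.append({
            "name": name,
            "perms": perms,
            "is_dir": perms[0] == "d",
            "hidden": name.startswith("."),
            "world_readable": perms[7] == "r",  # "other" read bit
        })
    return entries


def looks_like_credential(line):
    """True when a line resembles a stored credential."""
    stripped = line.strip()
    return bool(KEY_VALUE_RE.search(stripped) or PAIR_RE.match(stripped))


def audit_external_storage(listing_text, read_file):
    """Return [(filename, [reasons])] for files that deserve a closer look.

    read_file(name) returns the file's text, or None if it cannot be read.
    """
    findings = []
    for entry in parse_listing(listing_text):
        if entry["is_dir"]:
            continue
        reasons = []
        if entry["hidden"]:
            reasons.append("hidden dotfile: skipped by plain ls, but any reader can still open it")
        if entry["world_readable"]:
            reasons.append("world-readable mode " + entry["perms"])
        content = read_file(entry["name"])
        if content is not None and any(looks_like_credential(l) for l in content.splitlines()):
            reasons.append("contains credential-like plaintext")
        if reasons:
            findings.append((entry["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_external_storage(SAMPLE_LISTING, SAMPLE_FILES.get):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Against a live emulator, the listing would come from `adb shell ls -la /mnt/sdcard` and `read_file` from `adb shell cat`; here both are replaced by the constructed data so the script runs offline. The mitigation the conclusion calls for is to keep such data out of shared storage entirely (app-private storage, encrypted) rather than to rename or hide the file.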

Conclusion:
In this practical, we identified the risks of storing sensitive data in plain text on external storage, as shown by the file ".uinfo.txt". This approach exposes confidential information to unauthorized access. We emphasized the need for secure data storage solutions, such as encryption and access controls, to protect user privacy and enhance the application's overall security.

Practical 17

Aim: To set up the interception of traffic from an Android device.

Requirements: Tools: Genymotion, Burp Suite

Theory:

The aim of this practical is to set up traffic interception from an Android device using Burp
Suite. By configuring Burp Suite as a proxy, we can capture and analyze HTTP and HTTPS
requests and responses between the device and the server. This enables us to identify
potential vulnerabilities, inspect transmitted data, and assess the security of the application.
Intercepting traffic is crucial for evaluating how the application interacts with backend
services and ensuring sensitive information is handled securely.

Steps:
1. Turn on your Genymotion custom-build phone.
2. Open Burp Suite and navigate to Proxy >> Proxy Settings. Select the proxy listener you want to edit and click on "Edit".
3. Set "Bind to address" to all interfaces and save the settings.
4. Now open a command prompt and find your host machine's IP address using the "ipconfig" command.

5. Now go to your Android device.
6. Navigate to Settings >> Network & Internet >> Internet.
7. Click on the settings icon next to "AndroidWifi".
8. Then click on the pencil icon in the top-right corner.
9. Switch the proxy to Manual and enter your host machine's IP address as the "Proxy hostname". Set "8080" as the "Proxy port", then click the Save button.
10. Go to Burp Suite and enable Intercept to capture the request.
11. Now open a web browser on the Android device and perform a search; this request will be captured in Burp Suite.
12. Go to the Target tab in Burp Suite to view the complete traffic from the Android device.
13. We successfully captured and intercepted the traffic from the Android device.
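Once requests are landing in Burp's intercept window, the theory section's real goal starts: reading what the application actually sends and deciding whether sensitive data is handled securely. The script below is an added example, not part of the practical and not a Burp feature, that applies a few of the checks an analyst makes by eye on an intercepted pair: whether the request travelled over cleartext HTTP, whether password-like parameters sit in the query string or form body, and whether the response sets cookies without the Secure and HttpOnly attributes. The request and response are constructed for the example (the host example.test and the parameter names are assumptions); in practice they would be pasted from Burp's Proxy or Target tab. Note that HTTPS bodies are only readable in Burp after its CA certificate has been trusted on the device, which the steps above do not cover.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed request/response pair, in the form Burp shows them.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 35\r\n"
    "\r\n"
    "username=admin&password=Password123"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>ok</html>"
)

# Parameter names that should never travel in a URL and only ever over TLS.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "secret", "otp"}


def parse_http_message(raw):
    """Split a raw HTTP/1.x message into (start line, headers, body).

    Headers are lower-cased and map to a list, so repeated headers such as
    several Set-Cookie lines are all kept.
    """
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    head = parts[0]
    body = parts[1] if len(parts) > 1 else ""
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def review_capture(request_raw, response_raw, scheme="http"):
    """Return human-readable findings for one intercepted request/response pair."""
    findings = []
    start, req_headers, req_body = parse_http_message(request_raw)
    method, target, _version = start.split(" ", 2)

    if scheme.lower() != "https":
        findings.append("cleartext HTTP: the whole request is readable by anyone on the network path")

    # Sensitive names in the query string end up in proxy and server logs.
    for name in parse_qs(urlsplit(target).query):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"sensitive parameter '{name}' passed in the URL query string")

    # Form bodies are expected to carry credentials, which is fine over TLS only.
    content_type = req_headers.get("content-type", [""])[0]
    if "application/x-www-form-urlencoded" in content_type:
        for name in parse_qs(req_body):
            if name.lower() in SENSITIVE_PARAMS:
                findings.append(f"sensitive parameter '{name}' in form body of {method} {target}")

    _status, resp_headers, _ = parse_http_message(response_raw)
    for cookie in resp_headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie '{cookie_name}' set without the Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"cookie '{cookie_name}' set without the HttpOnly attribute")
    return findings


if __name__ == "__main__":
    for finding in review_capture(SAMPLE_REQUEST, SAMPLE_RESPONSE, scheme="http"):
        print("-", finding)
```

The `scheme` argument is passed separately because the start line of a proxied HTTP/1.1 request carries only the path; in Burp the scheme is visible in the Target tree. Re-running the same pair with `scheme="https"` drops the cleartext finding but keeps the cookie ones, which is the point: a working TLS connection does not by itself make the application's session handling safe.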

Conclusion:
In this practical, we configured Burp Suite to intercept traffic from an Android device. This setup allowed us to capture and analyze HTTP and HTTPS requests and responses, helping us identify vulnerabilities and improve application security. Monitoring this traffic provides essential insight into how the application talks to its backend services.
