This post covers how to extract or get locally stored data of a application on Android devices which is not rooted. In Mobile Appsec, we have to check for vulnerabilities related locally stored data. For rooted mobiles, it is quite straight forward. We can use even a file manager to dump data.
But for non rooted mobiles, is that not straight forward. Access to /data/data/ , where all the installed applications are, is restricted.
The two ways to extract local data of the application that I know of is:
- Using backup tools
- Using adb (This method uses application backup to extract local data)
I'll be showing how to extract local application data using adb.
I have installed IGLearner application in my mobile for this demo.
Lets start:
Step 1: Set the mobile in debugging mode and connect it to laptop/Computer.
Step 2: Open command prompt and go the folder where adb is present.
Step 3: Before running the actual command, check if your mobile is properly connected by running the command:
adb devices
If your device is listed as above, move to next step. Otherwise, check your cable or debugging mode is enabled properly.
Step 4: Run the following command to initiate application backup:
adb backup -f <filename>.ab -noapk <package name>
-noapk instruct only to back up local data excluding apk file.
<package name> This is name which the application is stored in /data/data folder. This can be obtained in AndroidManifest.xml file of the application as shown below.
Note: A prompt for backing up the data will be poped up in the mobile as shown below. Do not enter any password. Tap on 'BACKUP MY DATA'.
Step 5: After running the command, the file is stored in the same folder as of adb. Mine is named as data.ab. The backup data is in encoded format. This needs to be decoded.
Step 6: To decode the data, start a linux box (I have set it up on VM). Ensure that 'dd' and 'openssl' packages are installed on it. Copy the backup file on Linux box and in terminal, go to the folder where the backup file copied and run the following command:
dd if=<backup_filename_with_extension> bs=24 skip=1|openssl zlib -d > data.tar
Note: If you get any error while running this command, repeat the Step 4 again and run this command on new backup file.
Step 7: The data is now decoded stored as tar ball. Extract the tar ball and now you have got the locally stored data of the application,
Step 8: I have found user credentials stored in one of the dbs that were stored locally by the application. This was obtained in the data obtained using above method.
Hope this assist in your testing. Happy testing.
No comments:
Post a Comment