DIVA Android - 1.Insecure Logging
DIVA Android - 2.Hardcoding Issues – Part 1
DIVA Android - 3.Insecure Data Storage – Part 1
DIVA Android - 4.Insecure Data Storage – Part 2
DIVA Android - 5.Insecure Data Storage – Part 3
DIVA Android - 6.Insecure Data Storage – Part 4
DIVA Android - 7.Input Validation Issues – Part 1
DIVA Android - 8.Input Validation Issues – Part 2
DIVA Android - 7.Input Validation Issues – Part 1
DIVA Android - 8.Input Validation Issues – Part 2
DIVA Android - 9.Access Control Issues – Part 1
DIVA Android - 10.Access Control Issues – Part 2
DIVA Android - 11.Access Control Issues – Part 3
DIVA Android - 12.Hardcoding Issues – Part 2
DIVA Android - 13.Input Validation Issues – Part 3
「3.Insecure Data Storage – Part 1」對應到的 Activity 是 InsecureDataStorage1Activity,看一下 code 長這樣:DIVA Android - 10.Access Control Issues – Part 2
DIVA Android - 11.Access Control Issues – Part 3
DIVA Android - 12.Hardcoding Issues – Part 2
DIVA Android - 13.Input Validation Issues – Part 3
getDefaultSharedPreferences 這段會取得 preferences 的路徑(/data/data/<package_name>/shared_prefs/<package_name>_preferences.xml),再透過 commit 將值寫入該檔。
Save 後我們看一下剛提到的路徑:/data/data/jakhar.aseem.diva/shared_prefs/,而我們在 jakhar.aseem.diva_preferences.xml 中就能看到剛輸入的帳號密碼。
弱點在於敏感資訊沒有加密。
防範方法:敏感資料應加密後再儲存,且應使用安全的加密方式,詳情參考 NIST。
沒有留言:
張貼留言