MASTG-DEMO-0010: File System Snapshots from Internal Storage
Sample
The snippet below shows sample code that creates a file on the internal storage using the filesDir property of the context object.
MastgTest.kt
Steps
- Install an app on your device.
- Execute run_before.sh which runs adb.
- Open an app and exercise it to trigger file creations.
- Execute run_after.sh.
- Close the app once you finish testing.
Observation
There is a list of all created files inside output.txt.
Their content is inside the ./new_files/ directory and contains:
A password:
new_files/secret.txt
The file was created in /data/user/0/org.owasp.mastestapp/files/ which is equivalent to /data/data/org.owasp.mastestapp/files/.
Evaluation
This test fails because the file is not encrypted and contains sensitive data (a password). You can further confirm this by reverse engineering the app and inspecting the code.
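The before/after snapshot from the Steps and the plaintext check from the Evaluation can be sketched as shell functions. This is an added example, not the MASTG run_before.sh or run_after.sh scripts: the function names, the keyword list and the ASCII-only text heuristic are assumptions, and the functions operate on a local directory tree such as a copy of the app's files/ directory.

```sh
#!/bin/sh
# Added example: NOT the MASTG run_before.sh / run_after.sh scripts.
# Function names and the keyword list are hypothetical. The functions work on
# any directory tree, e.g. a copy of the app's files/ directory on the host.

# "Before" step: create a reference timestamp file.
mark_start() {   # $1 = marker file
    touch "$1"
}

# "After" step: list regular files modified after the marker.
new_files_since() {   # $1 = marker file, $2 = root of the tree to inspect
    find "$2" -type f -newer "$1" | sort
}

# Evaluation: classify one file with a simple heuristic.
#   plaintext-sensitive  ASCII text that matches a credential keyword
#   plaintext            ASCII text (or empty), no keyword hit
#   opaque               contains non-printable bytes: ciphertext looks like
#                        this, but so do images and databases (check by hand)
triage_file() {   # $1 = file to classify
    nonprint=$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c)
    if [ "$nonprint" -gt 0 ]; then
        echo "opaque"
    elif grep -Eiq 'pass(word|wd)?|secret|token|api[_-]?key' "$1"; then
        echo "plaintext-sensitive"
    else
        echo "plaintext"
    fi
}

# One "<verdict><TAB><path>" line per file changed since the marker.
report_new_files() {   # $1 = marker file, $2 = root of the tree to inspect
    new_files_since "$1" "$2" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(triage_file "$f")" "$f"
    done
}
```

Call mark_start before exercising the app and report_new_files afterwards; a plaintext-sensitive line corresponds to the failing case described in the Evaluation.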