MASTG-DEMO-0010: File System Snapshots from Internal Storage
Sample
The snippet below shows sample code that creates a file on the internal storage using the `filesDir` property of the context object.
MastgTest.kt
Steps
- Install an app on your device.
- Execute `run_before.sh` which runs adb.
- Open an app and exercise it to trigger file creations.
- Execute `run_after.sh`.
- Close the app once you finish testing.
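One way to implement the before/after snapshot comparison from the steps above, as an added example that is not the MASTG `run_before.sh` / `run_after.sh` scripts. It assumes a debuggable build so that `run-as` can enter the app sandbox; the function names and the `before.txt` / `after.txt` files are hypothetical.

```shell
#!/bin/sh
# Added example: snapshot-and-diff helper, not the project's own scripts.
PKG="org.owasp.mastestapp"        # package name from the path shown on this page
APP_DIR="/data/data/$PKG/files"   # internal storage directory (filesDir)

# Print a sorted listing of regular files in the app's internal storage.
# Assumption: the build is debuggable, so run-as may read the sandbox.
snapshot() {
    adb shell "run-as $PKG find $APP_DIR -type f" </dev/null \
        | tr -d '\r' | LC_ALL=C sort
}

# Print paths present in listing $2 (after) but absent from listing $1 (before).
# Both listings must be sorted in the C locale, as snapshot() produces them.
new_files() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Read device paths on stdin and copy each file into ./new_files/.
# Files that share a base name overwrite each other in this flat layout.
pull_new() {
    mkdir -p new_files
    while IFS= read -r path; do
        # </dev/null keeps adb from swallowing the rest of the path list.
        adb exec-out "run-as $PKG cat '$path'" </dev/null \
            > "new_files/$(basename "$path")"
    done
}

# Usage: ./snapshot.sh before, exercise the app, then ./snapshot.sh after
case "${1:-}" in
    before) snapshot > before.txt ;;
    after)  snapshot > after.txt
            new_files before.txt after.txt > output.txt
            pull_new < output.txt ;;
esac
```

Comparing path listings only reports files created between the two snapshots; a file that existed before and was rewritten during the test does not appear in `output.txt`.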
Observation
There is a list of all created files inside `output.txt`.
Their content is inside the `./new_files/` directory and contains a password, in `new_files/secret.txt`.
The file was created in `/data/user/0/org.owasp.mastestapp/files/`, which is equivalent to `/data/data/org.owasp.mastestapp/files/`.
Evaluation
This test fails because the file is not encrypted and contains sensitive data (a password). You can further confirm this by reverse engineering the app and inspecting the code.