Testing Object Persistence
To test for object persistence being used to store sensitive information on the device, first identify all instances of object serialization and check whether they carry any sensitive data. If they do, check whether that data is properly protected against eavesdropping and unauthorized modification.
There are a few generic remediation steps that you can always take:
- Make sure that sensitive data has been encrypted and HMACed/signed after serialization/persistence. Evaluate the signature or HMAC before you use the data. See the chapter "Android Cryptographic APIs" for more details.
- Make sure that the keys used in step 1 can't be extracted easily. The user and/or application instance should be properly authenticated/authorized to obtain the keys. See the chapter "Data Storage on Android" for more details.
- Make sure that the data within the de-serialized object is carefully validated before it is actively used (e.g., no exploit of business/application logic).
For high-risk applications that focus on availability, we recommend two things. First, use Serializable only when the serialized classes are stable. Second, do not use reflection-based persistence, because
- an attacker can recover the method's signature from the String-based argument, and
- an attacker might be able to manipulate the reflection-based steps to execute business logic.
See the chapter "Android Anti-Reversing Defenses" for more details.
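The three remediation steps above (encrypt and HMAC after serialization, verify the HMAC before use, validate the restored fields) and the alternative to reflection-based persistence (only one known class is ever allowed out of the stream) as one worked example. This is added plain-JVM Java, not code from the guide: the class name SealedPersistence, the UserSession type and its blob layout (IV || ciphertext || HMAC-SHA256 tag) are assumptions for the demo, and the keys are generated in-process in main only so the example runs stand-alone; an Android app would obtain both keys from the Android Keystore as the "Data Storage on Android" chapter describes.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;

public class SealedPersistence {
    private static final int IV_LEN = 16;  // AES block size
    private static final int TAG_LEN = 32; // HMAC-SHA256 output length
    private static final String CIPHER = "AES/CBC/PKCS5Padding";

    // Hypothetical object the app persists; the only class allowed out of the stream.
    public static final class UserSession implements Serializable {
        private static final long serialVersionUID = 1L;
        final String userId;
        final long expiresAtMillis;
        UserSession(String userId, long expiresAtMillis) { this.userId = userId; this.expiresAtMillis = expiresAtMillis; }

        // Step 3: validate restored fields before any business logic touches them.
        void validate(long nowMillis) {
            if (userId == null || !userId.matches("[A-Za-z0-9_-]{1,64}"))
                throw new IllegalStateException("restored userId is malformed");
            if (expiresAtMillis <= nowMillis)
                throw new IllegalStateException("restored session has expired");
        }
    }

    private final SecretKey encKey, macKey;
    private final SecureRandom rng = new SecureRandom();

    // Step 2 is the caller's job: on Android both keys should come from the Android Keystore.
    public SealedPersistence(SecretKey encKey, SecretKey macKey) { this.encKey = encKey; this.macKey = macKey; }

    // Step 1: serialize, encrypt with a fresh IV, then HMAC over IV || ciphertext (encrypt-then-MAC).
    public byte[] seal(UserSession session) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream plain = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(plain)) {
            oos.writeObject(session);
        }
        byte[] iv = new byte[IV_LEN];
        rng.nextBytes(iv);
        Cipher cipher = Cipher.getInstance(CIPHER);
        cipher.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plain.toByteArray());
        ByteArrayOutputStream blob = new ByteArrayOutputStream();
        blob.write(iv);
        blob.write(ct);
        blob.write(hmac(iv, ct));
        return blob.toByteArray();
    }

    // Verify the HMAC first; only then decrypt, deserialize (UserSession only) and validate.
    public UserSession open(byte[] blob, long nowMillis) throws IOException, GeneralSecurityException {
        if (blob.length < IV_LEN + TAG_LEN)
            throw new GeneralSecurityException("stored blob is truncated");
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, IV_LEN, blob.length - TAG_LEN);
        byte[] tag = Arrays.copyOfRange(blob, blob.length - TAG_LEN, blob.length);
        // Constant-time comparison; Arrays.equals would leak timing information.
        if (!MessageDigest.isEqual(hmac(iv, ct), tag))
            throw new GeneralSecurityException("HMAC mismatch: persisted object was modified");
        Cipher cipher = Cipher.getInstance(CIPHER);
        cipher.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] plain = cipher.doFinal(ct);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(plain)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                // Look-ahead check: refuse every class except the one we expect.
                if (!UserSession.class.getName().equals(desc.getName()))
                    throw new InvalidClassException("unexpected class in stream: " + desc.getName());
                return super.resolveClass(desc);
            }
        }) {
            UserSession session = (UserSession) ois.readObject();
            session.validate(nowMillis);
            return session;
        }
    }

    private byte[] hmac(byte[] iv, byte[] ct) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        mac.update(iv);
        return mac.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        // Demo keys generated in-process; a real app fetches non-exportable keys from the Keystore.
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(256);
        SealedPersistence store = new SealedPersistence(aes.generateKey(),
                KeyGenerator.getInstance("HmacSHA256").generateKey());
        long now = System.currentTimeMillis();
        byte[] blob = store.seal(new UserSession("alice_42", now + 60_000));
        System.out.println("restored user: " + store.open(blob, now).userId);
        byte[] tampered = blob.clone();
        tampered[IV_LEN] ^= 0x01;  // flip one ciphertext byte
        try {
            store.open(tampered, now);
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());  // HMAC mismatch
        }
    }
}
```

The separate HMAC mirrors the guide's "encrypted and HMACed" wording; AES-GCM would fold the integrity check into the cipher and is an equally valid choice. The resolveClass override is what makes this safer than reflection-driven persistence: the stream can name any class it likes, but only UserSession is ever instantiated, and even that object is not trusted until validate has run.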
Search the source code for the following keywords:
If you need to counter memory dumping, make sure that very sensitive information is not stored in the JSON format, because the standard libraries give you no way to guarantee protection against memory-dumping techniques. You can check for the following keywords in the corresponding libraries:
JSONObject: search the source code for the following keywords:
GSON: search the source code for the following keywords:
- Annotations such as
Jackson: search the source code for the following keywords:
- `import org.codehaus.jackson` for the older version.
When you use an ORM library, make sure that the data is stored in an encrypted database and the class representations are individually encrypted before storing it. See the chapters "Data Storage on Android" and "Android Cryptographic APIs" for more details. You can check for the following keywords in the corresponding libraries:
OrmLite: search the source code for the following keywords:
Please make sure that logging is disabled.
SugarORM: search the source code for the following keywords:
- In the AndroidManifest, there will be `meta-data` entries with values such as
Make sure that `QUERY_LOG` is set to false.
GreenDAO: search the source code for the following keywords:
ActiveAndroid: search the source code for the following keywords:
Realm: search the source code for the following keywords:
Make sure that appropriate security measures are taken when sensitive information is stored in an Intent via a Bundle that contains a Parcelable. Use explicit Intents, and verify that proper additional security controls are in place when using application-level IPC (e.g., signature verification, intent permissions, cryptography).
There are several ways to perform dynamic analysis:
- For the actual persistence: Use the techniques described in the data storage chapter.
- For reflection-based approaches: Use Xposed to hook into the deserialization methods or add unprocessable information to the serialized objects to see how they are handled (e.g., whether the application crashes or extra information can be extracted by enriching the objects).