Deployed 52c8b71 with MkDocs version: 1.6.0
Unknown committed May 2, 2024
1 parent 5779caf commit 38932a8
Showing 4 changed files with 101 additions and 2 deletions.
60 changes: 59 additions & 1 deletion MASTG/Android/0x05d-Testing-Data-Storage/index.html
Expand Up @@ -12219,7 +12219,65 @@ <h3 id="realm-databases">Realm Databases<a class="headerlink" href="#realm-datab

<span class="n">Realm</span><span class="w"> </span><span class="n">realm</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Realm</span><span class="p">.</span><span class="na">getInstance</span><span class="p">(</span><span class="n">config</span><span class="p">);</span>
</code></pre></div>
<p>If the database <em>is not</em> encrypted, you should be able to obtain the data. If the database <em>is</em> encrypted, determine whether the key is hard-coded in the source or resources and whether it is stored unprotected in shared preferences or some other location.</p>
<p>Access to the data depends on the encryption: unencrypted databases are easily accessible, while encrypted ones require investigation into how the key is managed - whether it's hardcoded or stored unencrypted in an insecure location such as shared preferences, or securely in the platform's KeyStore (which is best practice).</p>
<p>However, if an attacker has sufficient access to the device (e.g. root access) or can repackage the app, they can still retrieve encryption keys at runtime using tools like Frida. The following Frida script demonstrates how to intercept the Realm encryption key and access the contents of the encrypted database.</p>
<div class="highlight"><pre><span></span><code><span class="s1">&#39;use strict&#39;</span><span class="p">;</span>

<span class="kd">function</span><span class="w"> </span><span class="nx">modulus</span><span class="p">(</span><span class="nx">x</span><span class="p">,</span><span class="w"> </span><span class="nx">n</span><span class="p">){</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="p">((</span><span class="nx">x</span><span class="w"> </span><span class="o">%</span><span class="w"> </span><span class="nx">n</span><span class="p">)</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">n</span><span class="p">)</span><span class="w"> </span><span class="o">%</span><span class="w"> </span><span class="nx">n</span><span class="p">;</span>
<span class="p">}</span>

<span class="kd">function</span><span class="w"> </span><span class="nx">bytesToHex</span><span class="p">(</span><span class="nx">bytes</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kd">var</span><span class="w"> </span><span class="nx">hex</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">0</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="nx">bytes</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="o">++</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nx">hex</span><span class="p">.</span><span class="nx">push</span><span class="p">(((</span><span class="nx">bytes</span><span class="p">[</span><span class="nx">i</span><span class="p">]</span><span class="w"> </span><span class="o">&gt;&gt;&gt;</span><span class="w"> </span><span class="mf">4</span><span class="p">)</span><span class="w"> </span><span class="o">&amp;</span><span class="w"> </span><span class="mh">0xF</span><span class="p">).</span><span class="nx">toString</span><span class="p">(</span><span class="mf">16</span><span class="p">).</span><span class="nx">toUpperCase</span><span class="p">());</span>
<span class="w"> </span><span class="nx">hex</span><span class="p">.</span><span class="nx">push</span><span class="p">((</span><span class="nx">bytes</span><span class="p">[</span><span class="nx">i</span><span class="p">]</span><span class="w"> </span><span class="o">&amp;</span><span class="w"> </span><span class="mh">0xF</span><span class="p">).</span><span class="nx">toString</span><span class="p">(</span><span class="mf">16</span><span class="p">).</span><span class="nx">toUpperCase</span><span class="p">());</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">hex</span><span class="p">.</span><span class="nx">join</span><span class="p">(</span><span class="s2">&quot;&quot;</span><span class="p">);</span>
<span class="p">}</span>

<span class="kd">function</span><span class="w"> </span><span class="nx">b2s</span><span class="p">(</span><span class="nx">array</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">result</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;&quot;</span><span class="p">;</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kd">var</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">0</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="nx">array</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="o">++</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">result</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="nb">String</span><span class="p">.</span><span class="nx">fromCharCode</span><span class="p">(</span><span class="nx">modulus</span><span class="p">(</span><span class="nx">array</span><span class="p">[</span><span class="nx">i</span><span class="p">],</span><span class="w"> </span><span class="mf">256</span><span class="p">));</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">result</span><span class="p">;</span>
<span class="p">}</span>

<span class="c1">// Main Modulus and function.</span>

<span class="k">if</span><span class="p">(</span><span class="nx">Java</span><span class="p">.</span><span class="nx">available</span><span class="p">){</span>
<span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">&quot;Java is available&quot;</span><span class="p">);</span>
<span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">&quot;[+] Android Device.. Hooking Realm Configuration.&quot;</span><span class="p">);</span>

<span class="w"> </span><span class="nx">Java</span><span class="p">.</span><span class="nx">perform</span><span class="p">(</span><span class="kd">function</span><span class="p">(){</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">RealmConfiguration</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">Java</span><span class="p">.</span><span class="nx">use</span><span class="p">(</span><span class="s1">&#39;io.realm.RealmConfiguration&#39;</span><span class="p">);</span>
<span class="w"> </span><span class="k">if</span><span class="p">(</span><span class="nx">RealmConfiguration</span><span class="p">){</span>
<span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">&quot;[++] Realm Configuration is available&quot;</span><span class="p">);</span>
<span class="w"> </span><span class="nx">Java</span><span class="p">.</span><span class="nx">choose</span><span class="p">(</span><span class="s2">&quot;io.realm.Realm&quot;</span><span class="p">,</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">onMatch</span><span class="o">:</span><span class="w"> </span><span class="kd">function</span><span class="p">(</span><span class="nx">instance</span><span class="p">)</span>
<span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">&quot;[==] Opened Realm Database...Obtaining the key...&quot;</span><span class="p">)</span>
<span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">instance</span><span class="p">);</span>
<span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">instance</span><span class="p">.</span><span class="nx">getPath</span><span class="p">());</span>
<span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">instance</span><span class="p">.</span><span class="nx">getVersion</span><span class="p">());</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">encryption_key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">instance</span><span class="p">.</span><span class="nx">getConfiguration</span><span class="p">().</span><span class="nx">getEncryptionKey</span><span class="p">();</span>
<span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">encryption_key</span><span class="p">);</span>
<span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">&quot;Length of the key: &quot;</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">encryption_key</span><span class="p">.</span><span class="nx">length</span><span class="p">);</span><span class="w"> </span>
<span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">&quot;Decryption Key:&quot;</span><span class="p">,</span><span class="w"> </span><span class="nx">bytesToHex</span><span class="p">(</span><span class="nx">encryption_key</span><span class="p">));</span>

<span class="w"> </span><span class="p">},</span><span class="w"> </span>
<span class="w"> </span><span class="nx">onComplete</span><span class="o">:</span><span class="w"> </span><span class="kd">function</span><span class="p">(</span><span class="nx">instance</span><span class="p">){</span>
<span class="w"> </span><span class="nx">RealmConfiguration</span><span class="p">.</span><span class="nx">$init</span><span class="p">.</span><span class="nx">overload</span><span class="p">(</span><span class="s1">&#39;java.io.File&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;java.lang.String&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;[B&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;long&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;io.realm.RealmMigration&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;boolean&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;io.realm.internal.OsRealmConfig$Durability&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;io.realm.internal.RealmProxyMediator&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;io.realm.rx.RxObservableFactory&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;io.realm.coroutines.FlowFactory&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;io.realm.Realm$Transaction&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;boolean&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;io.realm.CompactOnLaunchCallback&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;boolean&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;long&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;boolean&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;boolean&#39;</span><span class="p">).</span><span class="nx">implementation</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span 
class="kd">function</span><span class="p">(</span><span class="nx">arg1</span><span class="p">)</span>
<span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">&quot;[==] Realm onComplete Finished..&quot;</span><span class="p">)</span>

<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>

<span class="w"> </span><span class="p">});</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">});</span>
<span class="p">}</span>
</code></pre></div>
<h3 id="internal-storage">Internal Storage<a class="headerlink" href="#internal-storage" title="Permanent link">&para;</a></h3>
<p>You can save files to the device's <a href="https://developer.android.com/training/data-storage#filesInternal" title="Using Internal Storage">internal storage</a>. Files saved to internal storage are containerized by default and cannot be accessed by other apps on the device. When the user uninstalls your app, these files are removed.
The following code snippets would persistently store sensitive data to internal storage.</p>
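Review bot: In the `onComplete` callback of the Frida script, the replacement for `RealmConfiguration.$init` takes a single `arg1`, logs "[==] Realm onComplete Finished.." and returns without calling the original seventeen-argument constructor, so every `RealmConfiguration` built after the script loads is left uninitialized and the app under test is likely to fail; the hook contributes nothing to reading the key, so remove it and log the completion message directly in `onComplete`. `onComplete` is also declared with an `instance` parameter that `Java.choose` never passes. The helpers `modulus` and `b2s` are defined but never called, and the `if(RealmConfiguration)` guard cannot be false because `Java.use` throws when the class is missing, so all three can go. The overload signature hard-codes one Realm release's constructor (for example `io.realm.coroutines.FlowFactory`), which the text should state if the hook is kept. Finally, the introducing paragraph says the script will "access the contents of the encrypted database", but the visible code only prints the instance, its path, its version and the key from `getConfiguration().getEncryptionKey()`; reword the sentence to match, and say explicitly that the key is readable in process memory at this point even when it is stored in the KeyStore, since that is the finding a tester should report.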