Access Control bypass using Intents with Data – #10 DIVA Solution

As we saw in the previous post, Access Control bypass using Intents – #9 DIVA Solution, Android provides Intents to perform IPC (Inter-process communication), i.e. to launch an Activity/Service/Broadcast-Receiver. Here you will see, along with invoking an Activity, how to pass data via Intents and bypass the access control there. The video […]

Access Control bypass using Intents – #9 DIVA Solution

Android provides Intents to perform IPC (Inter-process communication). In simple terms, if you want to launch an Activity/Service/Broadcast-Receiver or pass some data, you can use Intents. You may want to refer to http://nestedif.com/android-development/android-intent/ to get a developer's view on Intents. An Implicit Intent allows the user to choose a particular application out of the available applications (like what […]

Exploiting Input Validation in Webview – #8 DIVA Solution

Android WebView is a component via which developers can provide website browsing to users within their apps. However, embedding a WebView may turn risky if it is not handled properly, since several browsers are capable of handling multiple URI schemes like ftp, http, https, file, etc. Taking advantage of this, an attacker can exploit the WebView and use it to […]

SQLite Injection – Input Validation security risk – #7 DIVA Solution

Android uses the SQLite database, a managed Relational Database Management System (RDBMS), to save things locally within the device's internal memory. Developers mostly use it to save app activity, the user's personal details, transaction logs, or the state of the app. The article Unencrypted SQLite DB security risk explained how database confidentiality is exploited over an unencrypted DB. In this article […]

Insecure SD Card storage security risk – #6 DIVA Solution

Because of limited internal storage and the ease of use in terms of portability, Android devices provide the option of saving things on external SD card storage. Along with this flexibility comes a security risk: since there is no per-app OS protection as we observed for the App Sandbox, any app can easily read and write the entire SD card storage. Plus it […]

Temporary Internal File Storage risk – #5 DIVA Solution

Android provides the option of saving temporary files locally within the device's internal memory. Developers mostly use it to save temporary things like error or transaction logs, app activity, or error states. Such temporary files are saved inside the app Sandbox directory, i.e. /data/data/AppPackageName/. If not processed properly, these files might contain sensitive information as […]

Unencrypted SQLite Database security risk – #4 DIVA Solution

Android uses the SQLite database, a managed Relational Database Management System (RDBMS), to save things locally within the device's internal memory. Developers mostly use it to save app activity, the user's personal details, transaction logs, or the state of the app. SQLite database files are by default saved inside the app Sandbox directory, i.e. /data/data/AppPackageName/databases. However, many […]

Android Shared Preference Unencrypted Local storage security risk – #3 DIVA Solution

Android Shared Preferences are name-value pairs saved as XML files. Developers mostly use them to save the user's app preferences, the user's details, or the state of the app. Shared Preference files are saved inside a directory named shared_prefs within the App Sandbox, i.e. /data/data/AppPackageName/shared_prefs. Being part of the Sandbox, by default when a shared preference is declared in PRIVATE […]

Hard-coding Sensitive Information within Android apk a security risk – #2 DIVA Solution

Many times developers make the mistake of adding sensitive information to Android apps, like encryption keys, passwords, PINs, tokens, internal development information, etc. Sometimes unknowingly, and sometimes knowingly to ease development, they store sensitive information within the app. Reverse engineering is the process of obtaining source code back from compiled binaries like an apk (check out […]

ADB Logcat security risk – #1 DIVA Solution

ADB (Android Debug Bridge) Logcat is a mechanism via which developers debug an application to verify its workflow or to identify crashes. However, at times these logging code snippets remain within the released app on the Play Store that users install. The risk increases if these logs contain any sensitive information like banking details, user credentials, login/access […]