ReddRadar
Agent skill
exploiting-insecure-data-storage-in-mobile
Identifies and exploits insecure local data storage vulnerabilities in Android and iOS mobile applications including unencrypted databases, world-readable files, insecure SharedPreferences, plaintext credential storage, and improper keychain/keystore usage. Use when performing mobile penetration testing focused on OWASP M9 (Insecure Data Storage) or assessing compliance with MASVS-STORAGE requirements. Activates for requests involving mobile data storage security, local storage exploitation, SharedPreferences analysis, or mobile data leakage assessment.
Install this agent skill to your Project
npx add-skill https://github.com/autohandai/community-skills/tree/main/exploiting-insecure-data-storage-in-mobile
SKILL.md
Exploiting Insecure Data Storage in Mobile
When to Use
Use this skill when:
- Assessing whether mobile applications store sensitive data securely on the device filesystem
- Testing for credential leakage through SharedPreferences, SQLite databases, or plists
- Evaluating keychain/keystore implementation for proper access control attributes
- Performing data-at-rest security assessment during mobile penetration tests
Do not use this skill on production user devices without authorization -- data extraction techniques require physical access or root/jailbreak privileges.
Prerequisites
- Rooted Android device or emulator with ADB access
- Jailbroken iOS device with SSH access or Objection-patched IPA
- ADB (Android Debug Bridge) for Android filesystem access
- SQLite3 CLI for database inspection
- Frida/Objection for runtime data extraction
- Target application installed and exercised (logged in, data cached)
Workflow
Step 1: Map Application Data Storage Locations
Android storage paths:
# Internal storage (app-private, requires root)
/data/data/<package_name>/
├── shared_prefs/ # SharedPreferences XML files
├── databases/ # SQLite databases
├── files/ # General files
├── cache/ # Cached data
├── lib/ # Native libraries
└── app_webview/ # WebView data
# External storage (world-readable on older Android)
/sdcard/Android/data/<package_name>/
# Check for world-readable files
adb shell run-as <package_name> ls -la /data/data/<package_name>/
iOS storage paths:
# App sandbox (accessible via SSH on jailbroken device)
/var/mobile/Containers/Data/Application/<UUID>/
├── Documents/ # User data, backed up by default
├── Library/
│ ├── Preferences/ # NSUserDefaults plists
│ ├── Caches/ # Cache data
│ └── Application Support/
└── tmp/ # Temporary files
Step 2: Extract and Analyze SharedPreferences (Android)
# Pull SharedPreferences files
adb shell run-as <package_name> cat shared_prefs/*.xml
# Or on rooted device
adb pull /data/data/<package_name>/shared_prefs/ ./shared_prefs/
# Search for sensitive data
grep -ri "password\|token\|secret\|key\|session\|auth\|cookie" shared_prefs/
Common insecure storage patterns:
<!-- Plaintext credentials -->
<string name="user_password">mysecretpass123</string>
<string name="auth_token">eyJhbGciOiJIUzI1NiIs...</string>
<string name="api_key">sk-live-abc123def456</string>
<!-- Sensitive PII -->
<string name="user_ssn">123-45-6789</string>
<string name="credit_card">4111111111111111</string>
Step 3: Analyze SQLite Databases
# Pull databases
adb pull /data/data/<package_name>/databases/ ./databases/
# Open and inspect
sqlite3 databases/app.db
.tables
.schema users
SELECT * FROM users;
SELECT * FROM sessions;
SELECT * FROM tokens;
# Search all tables for sensitive columns
sqlite3 databases/app.db ".dump" | grep -i "password\|token\|secret\|credit"
Check for unencrypted SQLCipher databases:
# If database opens without password, it's unencrypted
sqlite3 databases/app.db "SELECT count(*) FROM sqlite_master;"
# Success = unencrypted (vulnerability)
Step 4: Inspect iOS Keychain Storage
# Using Objection
objection --gadget com.target.app explore
ios keychain dump
# Check protection class attributes
# kSecAttrAccessibleWhenUnlocked - OK for most data
# kSecAttrAccessibleAlways - VULNERABLE: accessible even when locked
# kSecAttrAccessibleAfterFirstUnlock - acceptable for background apps
Step 5: Assess External Storage and Backup Exposure
Android:
# Check if backup is enabled
aapt dump badging target.apk | grep -i "allowBackup"
# android:allowBackup="true" = vulnerability
# Extract backup data
adb backup -f backup.ab -apk <package_name>
java -jar abe.jar unpack backup.ab backup.tar
tar xvf backup.tar
# Inspect extracted data for sensitive information
# Check external storage
adb shell ls -la /sdcard/Android/data/<package_name>/
iOS:
# Check backup exclusion
# Files in Documents/ are backed up by default
# Check NSURLIsExcludedFromBackupKey attribute
objection --gadget com.target.app explore
ios plist cat Info.plist
Step 6: Runtime Memory Analysis
# Dump process memory for sensitive data
objection --gadget com.target.app explore
memory search "password" --string
memory search "BEGIN RSA PRIVATE KEY" --string
memory dump all /tmp/memdump/
# Android: Check for sensitive data in logs
adb logcat -d | grep -i "password\|token\|key\|secret"
Key Concepts
| Term | Definition |
|---|---|
| SharedPreferences | Android key-value storage in XML format; often misused for storing credentials in plaintext |
| Keychain Services | iOS secure credential storage backed by Secure Enclave hardware on modern devices |
| Android Keystore | Hardware-backed cryptographic key storage on Android; keys cannot be extracted from the device |
| SQLCipher | Transparent encryption extension for SQLite databases; prevents data extraction without password |
| Data Protection API | iOS file-level encryption tied to device passcode; controlled via protection class attributes |
Tools & Systems
- ADB (Android Debug Bridge): Command-line tool for Android device interaction and filesystem access
- Objection: Frida-powered runtime exploration for keychain dumping and memory inspection
- SQLite3: Command-line interface for inspecting unencrypted SQLite databases
- Android Backup Extractor (ABE): Tool for unpacking ADB backup files to inspect stored data
- iExplorer: GUI tool for browsing iOS app sandbox filesystem
Common Pitfalls
- Encrypted but key in code: Some apps encrypt databases but store the encryption key in SharedPreferences or hardcoded in the binary. Always check for key storage alongside encryption.
- MODE_WORLD_READABLE deprecation: This flag was deprecated in API 17, but legacy apps may still use it, making SharedPreferences readable by other apps.
- iOS backup scope: By default, all files in the Documents directory are included in iTunes/iCloud backups. Verify that sensitive files have the backup exclusion attribute set.
- Clipboard exposure: Data copied to clipboard is accessible to all apps. Check if the app copies sensitive data (passwords, tokens) to the clipboard.
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
autohandai/community-skills
mapping-mitre-attack-techniques
Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.
autohandai/community-skills
hunting-for-spearphishing-indicators
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
autohandai/community-skills
analyzing-malicious-url-with-urlscan
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
autohandai/community-skills
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
autohandai/community-skills
implementing-pam-for-database-access
Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
autohandai/community-skills
detecting-t1003-credential-dumping-with-edr
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
Didn't find tool you were looking for?