Identifies and exploits insecure local data storage vulnerabilities in Android and iOS mobile applications including unencrypted databases, world-readable files, insecure SharedPreferences, plaintext credential storage, and improper keychain/keystore usage. Use when performing mobile penetration testing focused on OWASP M9 (Insecure Data Storage) or assessing compliance with MASVS-STORAGE requirements. Activates for requests involving mobile data storage security, local storage exploitation, SharedPreferences analysis, or mobile data leakage assessment.
Use this skill when:
Do not use this skill on production user devices without authorization -- data extraction techniques require physical access or root/jailbreak privileges.
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
Android storage paths:
# Internal storage (app-private, requires root)
/data/data/<package_name>/
├── shared_prefs/ # SharedPreferences XML files
├── databases/ # SQLite databases
├── files/ # General files
├── cache/ # Cached data
├── lib/ # Native libraries
└── app_webview/ # WebView data
# External storage (world-readable on older Android)
/sdcard/Android/data/<package_name>/
# Check for world-readable files
adb shell run-as <package_name> ls -la /data/data/<package_name>/
iOS storage paths:
# App sandbox (accessible via SSH on jailbroken device)
/var/mobile/Containers/Data/Application/<UUID>/
├── Documents/ # User data, backed up by default
├── Library/
│ ├── Preferences/ # NSUserDefaults plists
│ ├── Caches/ # Cache data
│ └── Application Support/
└── tmp/ # Temporary files
# Pull SharedPreferences files
adb shell run-as <package_name> cat shared_prefs/*.xml
# Or on rooted device
adb pull /data/data/<package_name>/shared_prefs/ ./shared_prefs/
# Search for sensitive data
grep -ri "password\|token\|secret\|key\|session\|auth\|cookie" shared_prefs/
Common insecure storage patterns:
<!-- Plaintext credentials -->
<string name="user_password">mysecretpass123</string>
<string name="auth_token">eyJhbGciOiJIUzI1NiIs...</string>
<string name="api_key">sk-live-abc123def456</string>
<!-- Sensitive PII -->
<string name="user_ssn">123-45-6789</string>
<string name="credit_card">4111111111111111</string>
# Pull databases
adb pull /data/data/<package_name>/databases/ ./databases/
# Open and inspect
sqlite3 databases/app.db
.tables
.schema users
SELECT * FROM users;
SELECT * FROM sessions;
SELECT * FROM tokens;
# Search all tables for sensitive columns
sqlite3 databases/app.db ".dump" | grep -i "password\|token\|secret\|credit"
Check for unencrypted SQLCipher databases:
# If database opens without password, it's unencrypted
sqlite3 databases/app.db "SELECT count(*) FROM sqlite_master;"
# Success = unencrypted (vulnerability)
# Using Objection
objection --gadget com.target.app explore
ios keychain dump
# Check protection class attributes
# kSecAttrAccessibleWhenUnlocked - OK for most data
# kSecAttrAccessibleAlways - VULNERABLE: accessible even when locked
# kSecAttrAccessibleAfterFirstUnlock - acceptable for background apps
Android:
# Check if backup is enabled
aapt dump badging target.apk | grep -i "allowBackup"
# android:allowBackup="true" = vulnerability
# Extract backup data
adb backup -f backup.ab -apk <package_name>
java -jar abe.jar unpack backup.ab backup.tar
tar xvf backup.tar
# Inspect extracted data for sensitive information
# Check external storage
adb shell ls -la /sdcard/Android/data/<package_name>/
iOS:
# Check backup exclusion
# Files in Documents/ are backed up by default
# Check NSURLIsExcludedFromBackupKey attribute
objection --gadget com.target.app explore
ios plist cat Info.plist
# Dump process memory for sensitive data
objection --gadget com.target.app explore
memory search "password" --string
memory search "BEGIN RSA PRIVATE KEY" --string
memory dump all /tmp/memdump/
# Android: Check for sensitive data in logs
adb logcat -d | grep -i "password\|token\|key\|secret"
| Term | Definition |
|---|---|
| SharedPreferences | Android key-value storage in XML format; often misused for storing credentials in plaintext |
| Keychain Services | iOS secure credential storage backed by Secure Enclave hardware on modern devices |
| Android Keystore | Hardware-backed cryptographic key storage on Android; keys cannot be extracted from the device |
| SQLCipher | Transparent encryption extension for SQLite databases; prevents data extraction without password |
| Data Protection API | iOS file-level encryption tied to device passcode; controlled via protection class attributes |