Auditing Local File Storage for the Lumosity App

What You Need for This Project


To test an Android app, we'll do these steps:
  1. Install the app
  2. Create an account, so it stores credentials locally
  3. Move all the app's local files to the computer
  4. Search those files to see if it stored sensitive data in plaintext

Installing the Lumosity App on the Emulated Phone

Launch Genymotion. Open the Google Play store and install the Lumosity app, as shown below.

Creating an Account

Create an accout, as shown below, using the word "WALRUS" in your password, and a custom numerical sequence in your email address, were I used "2323".

Pulling Local Data From the Phone

On your host machine, open a Terminal window and execute the commands below.

These commands move to the SDK tools directory, create a directory and a subdirectory to put the files in, find the correct path to the Safeway app's local data, and pull it to your computer.


cd Android/Sdk/cd platform-tools

mkdir lum

cd lum

mkdir data

../adb shell ls /data/data | grep lum

cd data

../../adb pull /data/data/com.lumoslabs.lumosity

Troubleshooting: Finding ADB

If you are using Ubuntu, the commands above should work. If you are using another OS, the SDK path will be different.

Here are common examples of SDK paths:

  • Ubuntu: /home/user/Android/Sdk
  • Mac: ~/Library/Android/sdk
  • Windows: C:\Users\student\AppData\Local\Android\sdk

Another way to find your SDK path is to open Android Studio and click Tools, Android, "SDK Manager".

NOTE: If you are using Windows, remove the "./" before "adb".

You should see a series of files pulled, as shown below.

Finding Interesting Code with Grep

Execute these commands to search through all the files for interesting data.


grep -air WALRUS .

grep -air 2323 .

grep -air password .

grep -air secret .

As you can see, the app stored your email address in plaintext, but not your password.

The personal data is apparently stored in two XML files: files/77173835/u.dat and /shared_prefs/Lumosity.xml.xml

It's worth looking at those files in their entirety in a text editor.

Execute this command:

nano files/77173835/u.dat
As shown below, this file contains a "login_token" which seems to be random, but nothing obviously confidential--that's OK.

Press Ctrl+X to exit nano.

Execute this command:

nano /shared_prefs/Lumosity.xml.xml
As shown below, this file contains several random tokens, but nothing personal is readable, which is OK.

Posted 7-16-15 by Sam Bowne