Auditing Local File Storage for the Lumosity App

What You Need for This Project

A Mac or Linux computer with the Android SDK (in particular, adb)
An Android emulator or device to test the app on

Purpose

To test an Android app, we'll do these steps:

Install the app
Create an account, so it stores credentials locally
Move all the app's local files to the computer
Search those files to see if it stored sensitive data in plaintext

Installing the Lumosity App on the Emulated Phone

Launch Genymotion. Open the Google Play store and install the Lumosity app, as shown below.

Creating an Account

Create an accout, as shown below, using the word "WALRUS" in your password, and a custom numerical sequence in your email address, were I used "2323".

Pulling Local Data From the Phone

On your host machine, open a Terminal window and execute the commands below.

These commands move to the SDK tools directory, create a directory and a subdirectory to put the files in, find the correct path to the Safeway app's local data, and pull it to your computer.

cd cd Android/Sdk/cd platform-tools mkdir lum cd lum mkdir data ../adb shell ls /data/data | grep lum cd data
../../adb pull /data/data/com.lumoslabs.lumosity

Troubleshooting: Finding ADB
If you are using Ubuntu, the commands above should work. If you are using another OS, the SDK path will be different.
Here are common examples of SDK paths:

Ubuntu: /home/user/Android/Sdk
Mac: ~/Library/Android/sdk
Windows: C:\Users\student\AppData\Local\Android\sdk

Another way to find your SDK path is to open Android Studio and click Tools, Android, "SDK Manager".

NOTE: If you are using Windows, remove the "./" before "adb".

You should see a series of files pulled, as shown below.

Finding Interesting Code with Grep

Execute these commands to search through all the files for interesting data.

Explanation:

The -a switch tells grep to search through binary files as well as text files for strings.
The -i switch tells grep to be insensitive to case.
The -r switch tells grep to be search recursively through all subfolders.
The . at the end tells grep to start searching in the current working directory.
You may want to try other keywords, like KEY or ADDRESS, when appropriate for the app you are testing.

grep -air WALRUS . grep -air 2323 . grep -air password .
grep -air secret .

As you can see, the app stored your email address in plaintext, but not your password.

The personal data is apparently stored in two XML files: files/77173835/u.dat and /shared_prefs/Lumosity.xml.xml

It's worth looking at those files in their entirety in a text editor.

Execute this command:

nano files/77173835/u.dat

As shown below, this file contains a "login_token" which seems to be random, but nothing obviously confidential--that's OK.

Press Ctrl+X to exit nano.

Execute this command:

nano /shared_prefs/Lumosity.xml.xml

As shown below, this file contains several random tokens, but nothing personal is readable, which is OK.

Posted 7-16-15 by Sam Bowne