Auditing Local File Storage for the Safeway App

What You Need for This Project


To test an Android app, we'll do these steps:
  1. Install the app
  2. Create an account, so it stores credentials locally
  3. Move all the app's local files to the computer
  4. Search those files to see if it stored sensitive data in plaintext

Installing the Safeway App on the Emulated Phone

Launch Genymotion. Open the Google Play store and install the Safeway app, as shown below.

Creating an Account

From the home page of the app, click "My Card", as shown below:

On the next screen, click Register.

The next screen asks "Do you already have a Safway Club Card?" Click No.

Each student needs to use an unique phone number and email address, but I don't recommend using your personal data for tests like this.

You should use some handy word to label confidential data so we can search for it later--I used "WALRUS". So do this: pick a random four-digit number. Then fill out the next screen with test values, inserting your number where "NNNN" appears below.

Agree to the Terms and Conditions and click Register.

A box asks if you want the browser to remember this password. Click "Not now".

A message says "You have successfully created an account", as shown below.

At the top lect, click the Back-arrow.

Sign in, as shown below.

Now that you are signed in, the app has probably stored some sort of local token to remember who you are. The question before us is what that token is, and where it is stored.

Pulling Local Data From the Phone

On your host machine, open a Terminal window and execute the commands below.

These commands move to the SDK tools directory, create a directory and a subdirectory to put the files in, find the correct path to the Safeway app's local data, and pull it to your computer.


cd Android/Sdk/cd platform-tools

mkdir safe

cd safe

mkdir data

../adb shell ls /data/data | grep safe

cd data

../../adb pull /data/data/

Troubleshooting: Finding ADB

If you are using Ubuntu, the commands above should work. If you are using another OS, the SDK path will be different.

Here are common examples of SDK paths:

  • Ubuntu: /home/user/Android/Sdk
  • Mac: ~/Library/Android/sdk
  • Windows: C:\Users\student\AppData\Local\Android\sdk

Another way to find your SDK path is to open Android Studio and click Tools, Android, "SDK Manager".

NOTE: If you are using Windows, remove the "./" before "adb".

You should see a series of files pulled, as shown below.

Finding Interesting Code with Grep

Execute these commands to search through all the files for interesting data.


grep -air password .

grep -air WALRUS .

grep -air 2323 .

As you can see, the app stored your phone number and email address in plaintext, but your password was converted to a long random-looking number. That's a good practice, assuming that it used some good hashing or encryption method.

The personal data is apparently stored in two XML files: shared_prefs/accountpref.xml and shared_prefs/USER_PROFILE_PREF.xml

It's worth looking at those files in their entirety in a text editor.

Execute this command:

nano shared_prefs/accountpref.xml
As shown below, this file contains two values that appear to be hashed or encrypted, which seems OK.

Press Ctrl+X to exit nano.

Execute this command:

nano shared_prefs/USER_PROFILE_PREF.xml
As shown below, this file contains somewhat personal data in plaintext, but not your password or security question answer.

Testing an Insecure App

You can do this test on any app you like--many of them are foolish and store passwords in plaintext, so anyone who steals your phone can get them.

If you are at Working Connections, there's is a list of known insecure apps in the classroom to try.

Posted 7-16-15 by Sam Bowne