I am running a vulnerable android application on a rooted device using the Genymotion and i am trying to read shared preferences and a file in files directory inside different android application like:
/data/data/xxxx/config.xml and
/data/data/xxx/files/xxxx.xml
i am trying to read this data programmatically using a sample java application to show the data in logcat, but when i try to read the files, i get permission issue on the logcat.
The funny thing is the application is running on a rooted device, so i suppose to have access to other applications sharedpreferences.I need something like this, but show this in the logcat:
https://lightsec.wordpress.com/2014/04/28/android-sharedpreferences-insecure-storage/.
I have also tries this answer, but it does not work:
Android: Retrieving shared preferences of other application
How can i retrieve all the available keys from sharedpreferences and show in logcat?
Both of those links describe using the WORLD_XX constants as in the app you're trying to read from.
Literally no one in the world would use those constants, as they don't want their shared preferences to be read by others. Everyone uses the MODE_PRIVATE constant, so they can't be read by others.
To achieve this, you'll need to do the following:
1) Request Root Access in your app (Having a rooted phone is NOT enough). (A library like RootTools can help you do this)
2) After you get root access, then you have to read the raw .xml file from the file system, and parse it accordingly. Then you can read all the data, and even write to it if you wanted.
Sounds a bit like you're confusing having a rooted phone and your app having root access, those are different things.
Related
I have a Mac Java application that needs to persist data across reboots. The data needs to be saved so that any user has access to it. E.g. an SQLite database file that can be used for all users.
It looks like the /Library/Application Support/ folder is supposed to be used for this, but I'm not able to write to it without making my app run as root or changing the permissions of the file to rwxrwxrwx.
What is the proper way to save application-level data on Mac?
The developer documentation covering this is a bit of a large topic:
https://developer.apple.com/library/Mac/referencelibrary/GettingStarted/GS_DataManagement_MacOSX/_index.html#//apple_ref/doc/uid/TP40009046
https://developer.apple.com/library/mac/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010672
According to the File System Programming guide you should make a specific subdirectory inside /Library/Application\ Support for your app to store app data common to all users on the system. I'd use reverse domain name notation such as com.yourcompany.yourapp or something else unlikely to collide with another app's use of the common directory for this.
You might also look into using an existing app bundler for OS X such as https://bitbucket.org/infinitekind/appbundler rather than hard code paths to file locations.
My Android app uses plain text JSON files to store some data. Such files are saved into the private folder of the app, e.g. Android/data/com.example.app/. I would like to know if my app is vulnerable with such kind of files around. Data in those files are not sensible or secret, and they are not processed by JavaScript (they are parsed with JSON Java methods); I am concerned about some malicious JSON code to be injected and mess with my app or the user's device. Is it possible?
Even if the injected code was not malicious it can cause you problems because:
Others can see and alter the file. (At least with rooted devices)
if the content is altered then you are prone have unexpected results while parsing the file.
You would not want your app related data to be altered by others by any means unless you want it to be (but by using Content Providers.)
I hope it makes sense.
By default, data that you store into the private folder is neither accessible by the user nor by other applications. See the documentation on the Android developers website about this: http://developer.android.com/guide/topics/data/data-storage.html#filesInternal
However, as mentioned by SMR, if a device has been rooted this data is available to the user and might be compromised by any apps that the user has given root permission to.
However it's a minority of users that are actually rooted and those that are should more or less know what they've gotten themselves into and what they're actions can do. It's up to you to decide if it's worth some effort to look out for these special cases.
But by default your data should be safe and sound.
If the data is not that much private then you can put those data in the assets folder and you can access the same. If it is not like that then you can keep it inside the applications data folder
is it possible to create a custom file system or use an existing file system like EncFs to read data inside Android environment.
My idea is to make a virtual filesystem for storing some media files and developing an app which can directly access those files from the filesystem volume.
I hope im clear with my question.!!
Yes, but you need a rooted devices to use it. Or, you need to build your own firmware. Here's one, it's open source: http://nemesis2.qx.net/pages/LUKSManager
I have created an xml file here: /data/data/com.appName/emergency.xml
Now I want to access this file from my desktop.
I am able to access the SD card through my java code. In this case, I think, the file is created in the internal memory of the device. So is it possible to access the file emergency.xml?
if you have a non-rooted device then you can't get that file from your desktop since it is readable only for the "com.appName" app. You can try to do "adb pull /data/data/com.appName/emergency.xml", but that should not work on a normal device.
But if "com.appName" is your app then you can let the app copy the file to a place where you can access it from your desktop (e.g. /sdcard).
Example Code for file copy: http://www.roseindia.net/java/beginners/CopyFile.shtml
Now I know that this works on rooted devices (which you really should probably have if you want to do serious dev work), and I THINK it will work for nonroot devices. Basically you enter the adb shell and then do something like "dd if=/data/data/com.appName/emergency.xml of=/sdcard/emergency.xml". Then you should be able to pull the file with adb pull off the sdcard.
I'm am creating an Android application, but in order to have one of the functionalities working I need to read a predefined xml file whilst only knowing its name, not the R.id..
In normal Java I know I can use
getClass().getClassLoader().getResource(xmlName)
but using the limited Android SDK thats not working, any knows how to solve this?
Use getResources().getIdentifier() from your Context (e.g., Activity), but please cache the result if you will use it more than once. getIdentifier() is implemented on Resources.
From the Data Storage Section in the android developer manual:
If you have a static file to package with your application at compile time, you can save
the file in your project in res/raw/myDataFile, and then open it with
Resources.openRawResource (R.raw.myDataFile). It returns an InputStream object that you can
use to read from the file.