Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

The purpose of this test was to verify https://github.com/Path-Check/covid-safe-paths/pull/784 - but also the secure realm db: https://github.com/Path-Check/covid-safe-paths/pull/788

Testing was based on the OWASP principles for testing secure data storage on Android - https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md

Device: Android 10 Pixel 3A

MSGSTORAGE-1

Static Review

All of the OWASP principles and checks that were static, e.g code review, were conducted. The only finding was that the AndroidManifest.xml allows logging to external (insecure) storage, but it is not used.

Dynamic Review

Secure Database

I added the below line of code inside the getEncryptionKey() method in RealmSecureStorage.kt

  Log.i(TAG, "Key: " + Base64.decode(existingKeyString, Base64.DEFAULT))

Once this code is built and deployed on a phone, you can view the key in adb logcat.

In my case this was something like: [B@83acf03

This needs to be converted to a 128 character hex string to load the database in Realm Studio, this should be possible with the following python:

import binascii

binascii.hexlify(key.encode('utf-8'))

However, the result is only 20 chars long, not 128.

It was also observed that the key appears different each time the app is reloaded (not redeployed):

05-10 18:27:51.568 3372 3436 I RealmSecureStorage: Key: [B@83acf03
05-10 18:33:52.486 4677 4704 I RealmSecureStorage: Key: [B@a68ccb9
05-10 18:34:09.255 4834 4856 I RealmSecureStorage: Key: [B@311585f

This behaviour doesn’t seem correct, i am probably doing something wrong here as the timestamp on the XML stored encryption key was 1714. I pulled that from shared_prefs and it looked quite different:

l3nwL9nl2V4HAn9Tqm06d1BFifEi9n/RE74L1OhJUqP3TbSXLrMRwFwMfKJK+jivGOrb/HMQGq+n T4+1C3P2kRcyzuqcDwIfo8JpN6j/k5bQcnk66t7HovjT+DuW0HHK6itVoQcrE42em88vb69stTsP 3XtT6lFU23qcMPDCaMBTPfA9KXSdv40k2sVbKNtbf8fyAZNY+Erw6YQHBnd7F/qXjx4/5/F7gf1u l7E44up3iSk9ZgSTImRz28Ud6TL/JXIVLYtXinZ66GkmjxsFDlBnrmsTscdVOcHOZelUBOnh8XYx ieLRgBXJzc7Dy2Jk2qlKmMHp2ZUoE6JDoixrow==

Then, back in python I was able to do

import base64

import binascii

binascii.hexlify(str(key).encode('utf-8'))

However, this gave me 1511 characters… way too many. Possibly there is another level of encrpytion applied to this file.

Legacy Databases

The RKStorage, logback.db and cordova_bg_geolocation.db SQL lite databases were examined.

Potential issue: CROSSED_PATHS still seems to containd data not migrated to the secure databsase

  • No labels