| platform | title | apis | type | |||||||
|---|---|---|---|---|---|---|---|---|---|---|
android |
Storing Data in External Locations |
|
|
Android apps utilize a variety of APIs to obtain a file path and save a file. Collecting a comprehensive list of these APIs can be challenging, especially when an app employs a third-party framework, loads code at runtime, or incorporates native code. Therefore, dynamic testing might be the most effective approach to find writing to the external storage.
-
Install the app.
-
Execute a method trace to spawn an app and log all interactions with files.
-
Navigate to the screen of the mobile app that you want to analyse.
-
Close the app to stop
frida-trace
The method trace output contains a list of file locations that your app interacts with. You may need to use adb shell to inspect these files manually.
The test case fails if the files found above are not encrypted and leak sensitive data.
For example, the following output shows sample files that should be manually inspected.
/storage/emulated/0/Android/data/com.example/keys.json
/storage/emulated/0/Android/data/com.example/files/config.xml
/sdcard/secret.txt"