Skip to content

Add Tests and Demos about "Sensitive Data Stored Unencrypted via SQLite"#3534

Open
macik09 wants to merge 11 commits into
OWASP:masterfrom
macik09:MASWE-0006-DEMOS
Open

Add Tests and Demos about "Sensitive Data Stored Unencrypted via SQLite"#3534
macik09 wants to merge 11 commits into
OWASP:masterfrom
macik09:MASWE-0006-DEMOS

Conversation

@macik09

@macik09 macik09 commented Nov 25, 2025

Copy link
Copy Markdown
Contributor

Closes #3450

This PR introduces a new demo for the MASVS-STORAGE requirement.

Description

This demo adds MASTG-DEMO-0065 (Sensitive Data in Unencrypted SQLite) to cover the test case MASWE-0006.

The demo proves that sensitive PII (Email) and an Access Token are stored in plaintext using the default Android SQLite API (openOrCreateDatabase). The run.sh script demonstrates that these sensitive contents are trivially accessible from the app's private sandbox on a privileged device.

Files Added:

  • MASTG-DEMO-0065.md: Documentation for the demo.
  • MastgTest.kt: Code snippet showing the vulnerable storage.
  • run.sh: Script to extract the database and generate proof (output.txt).
  • Other required artifacts (output.txt, Manifests, reversed Java).

[x] I have read the contributing guidelines.

@cpholguera cpholguera left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! Just 2 comments for now. We'll review it more in depth soon

Comment thread demos/android/MASVS-STORAGE/MASTG-DEMO-0065/AndroidManifest.xml Outdated
Comment thread demos/android/MASVS-STORAGE/MASTG-DEMO-0065/MASTG-DEMO-0065.md Outdated
@cpholguera

Copy link
Copy Markdown
Collaborator

Important: please remember to always add the Closes #xxxx, in this case Closes #3450 (whenever the PR has a related issue that should be closed by it).

I added it for you at the top of the Description.

@macik09 macik09 force-pushed the MASWE-0006-DEMOS branch 2 times, most recently from d110532 to 77a2a72 Compare November 25, 2025 11:56
@macik09 macik09 changed the title Add MASTG-DEMO-0065 for MASWE-0006 (Unencrypted SQLite storage) Add MASTG-DEMO-0068 for MASWE-0006 (Unencrypted SQLite storage) Nov 25, 2025
Comment thread demos/android/MASVS-STORAGE/MASTG-DEMO-0068/MASTG-DEMO-0068.md Outdated
Comment thread demos/android/MASVS-STORAGE/MASTG-DEMO-0068/MASTG-DEMO-0068.md
Comment thread demos/android/MASVS-STORAGE/MASTG-DEMO-0068/MASTG-DEMO-0068.md Outdated
Comment thread demos/android/MASVS-STORAGE/MASTG-DEMO-0068/MASTG-DEMO-0068.md Outdated
Comment thread demos/android/MASVS-STORAGE/MASTG-DEMO-0068/MastgTest.kt Outdated
Comment thread demos/android/MASVS-STORAGE/MASTG-DEMO-0068/run.sh Outdated
Comment thread demos/android/MASVS-STORAGE/MASTG-DEMO-0068/run.sh
Comment thread demos/android/MASVS-STORAGE/MASTG-DEMO-0068/run.sh
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
@macik09 macik09 force-pushed the MASWE-0006-DEMOS branch 5 times, most recently from 9e8f4fb to 1c402d3 Compare November 27, 2025 12:46
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
type: [static, dynamic]
weakness: MASWE-0006
best-practices: []
best-practices: [MASTG-BEST-0074]

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a new MASTG-BEST file for this. I think you just need one for all these PRs where you cover the best practices for MASWE-0006 on Android

  • Title could be "Encrypt Sensitive Data in Private Storage Locations"
  • Sections could include (please elaborate, see other best practice files):
    • Avoid storing sensitive data locally if not required for application functionality to reduce the likelihood and impact of this weakness.

    • Use platform-provided features for encrypting data at rest. For example, on Android, use EncryptedFile or EncryptedSharedPreferences (or equivalent, note that they are actually deprecated).

    • Using envelope encryption with Data Encryption Keys (DEK) and Key Encryption Keys (KEK) or equivalent methods.

      • Examples mentioning SQLite, DataStore, etc.
    • Use libs like SQLCipher

    • etc.

Comment thread tests-beta/android/MASVS-STORAGE/MASTG-TEST-0304.md Outdated
@cpholguera cpholguera changed the title Add MASTG-DEMO-0068 for MASWE-0006 (Unencrypted SQLite storage) Add Tests and Demos about "Sensitive Data Stored Unencrypted via SQLite" Nov 28, 2025
@macik09 macik09 requested a review from cpholguera December 1, 2025 07:30
@cpholguera cpholguera requested a review from Diolor December 1, 2025 19:29
@macik09

macik09 commented Mar 5, 2026

Copy link
Copy Markdown
Contributor Author

Hi @Diolor , @cpholguera – what is the current status of this PR? Is there anything blocking the review process that I can assist with?

alias: encrypt-sensitive-data
id: MASTG-BEST-0025
platform: android
knowledge: [MASTG-KNOW-0036, MASTG-KNOW-0037, MASTG-KNOW-0038, MASTG-KNOW-0041]

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MASTG-KNOW-0036 is about enforcing updates. What is the correlation between that KNOW file and this BEST file?

@macik09 macik09 May 4, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While creating this section the IDs were different. MASTG-KNOW-0036 was about storing data using SharedPreferences. I should have used dummy ID. I will modify my PR soon and apply your suggestions.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This Java file does not seem to be the Java file resulting from decompiling the DEMO app. As commented previously, follow the DEMO guidelines (https://mas.owasp.org/contributing/writing-content/mastg-demo.instructions/) to provide these files accordingly.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The DEMO must follow the content guidelines (https://mas.owasp.org/contributing/writing-content/mastg-demo.instructions).

For example, the "Evaluation" section should explain each relevant line of the output that is used as an evidence to give a FAIL to the test.


## Overview

This test checks at runtime whether sensitive data — tokens, credentials, or PII — is stored in SQLite databases in plaintext. The goal is to verify that data stored in the app's private storage is not left unencrypted.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This test checks at runtime whether sensitive data — tokens, credentials, or PII — is stored in SQLite databases in plaintext. The goal is to verify that data stored in the app's private storage is not left unencrypted.
This test checks at runtime whether sensitive data — tokens, credentials, or PII — is stored in SQLite databases (@MASTG-KNOW-0037) without encryption. The goal is to verify that data stored in the app's private storage is not left unencrypted.

@jacobocasado jacobocasado May 3, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are several comments provided by @cpholguera that are marked as resolved but they are not applied to the last commit. This is one example.

Maybe you resolved them, but after some changes they are overriden. Please check each of the previously provided suggestions and verify that they are applied here (if applicable).


## Steps

1. Install and run the app on a rooted or emulated device (@MASTG-TECH-0005).

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
1. Install and run the app on a rooted or emulated device (@MASTG-TECH-0005).

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Starting a device is not anymore needed for the tests.


1. Install and run the app on a rooted or emulated device (@MASTG-TECH-0005).

2. Trigger app functionality that processes or stores sensitive data.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
2. Trigger app functionality that processes or stores sensitive data.
1. Exercise all the functionalities of the app that process or store sensitive data.


2. Trigger app functionality that processes or stores sensitive data.

3. Access the app's private storage to locate SQLite database files (e.g., `.db`, `.sqlite`, `.sqlite3`) (@MASTG-TECH-0008).

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
3. Access the app's private storage to locate SQLite database files (e.g., `.db`, `.sqlite`, `.sqlite3`) (@MASTG-TECH-0008).
2. Access the app's private storage (@MASTG-TECH-0008) to locate SQLite database files (e.g., `.db`, `.sqlite`, `.sqlite3`).


3. Access the app's private storage to locate SQLite database files (e.g., `.db`, `.sqlite`, `.sqlite3`) (@MASTG-TECH-0008).

4. Extract the database files to the host machine using @MASTG-TECH-0003.

@jacobocasado jacobocasado May 3, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
4. Extract the database files to the host machine using @MASTG-TECH-0003.
3. Extract the database files of the app to the host machine (@MASTG-TECH-0002).

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MASTG-TECH-0003 is about dumping the APK, but not their associated storage files.


4. Extract the database files to the host machine using @MASTG-TECH-0003.

5. Inspect the database content using dynamic analysis techniques (@MASTG-TECH-0015) to determine if sensitive data is stored in plaintext.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
5. Inspect the database content using dynamic analysis techniques (@MASTG-TECH-0015) to determine if sensitive data is stored in plaintext.
4. Inspect the database content to determine if sensitive data is stored in plaintext.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is not a 1:1 TECH for this step, it's better to just enforce that the databases must be inspected.


## Observation

- Which SQLite databases exist on the device.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Which SQLite databases exist on the device.
- The location of the SQLite database files inside the application's private storage.


## Observation

- Identify SQLite databases created in the code.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Observation must not be "steps" like "identify" or "determine". Observation must declare the output you get after executing all steps and serves as evidence.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.


## App Private Storage

The following sandboxed locations (`/data/data/<package>/`) are private but not secure against privileged attackers:

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The following sandboxed locations (`/data/data/<package>/`) are private but not secure against privileged attackers:
All app-private storage under `/data/data/<package>/` is private but not secure against privileged attackers. The following are common locations of the private storage and their common usage:

- `databases` – SQLite databases.
- `shared_prefs` – SharedPreferences.

Because sandbox isolation does not mitigate elevated access, **plaintext sensitive data must not be stored** in these locations.

@jacobocasado jacobocasado May 3, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Because sandbox isolation does not mitigate elevated access, **plaintext sensitive data must not be stored** in these locations.
Under normal Android sandboxing, other apps cannot directly read these files. However, if the app data directory becomes accessible, for example on a rooted or compromised device or through backup extraction, any unencrypted values stored in these locations could be extracted.
Therefore, it's recommended to encrypt the sensitive data, even if it's in the app private storage.

## Observation

- Which SQLite databases exist on the device.
- Whether sensitive data (tokens, secrets, PII) is present in plaintext.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Whether sensitive data (tokens, secrets, PII) is present in plaintext.
- Occurrences inside the SQLite database file where the sensitive data (tokens, secrets, PII) is stored in plaintext.

@jacobocasado jacobocasado left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@macik09 Review done!

Please check https://mas.owasp.org/contributing/writing-content/mastg-demo.instructions/ and also https://mas.owasp.org/contributing/writing-content/mastg-test.instructions/ (for the TEST) and ensure that they are aligned with the instructions!

I also reviewed other PR (#3541) so if you find anything applicable there or here, ensure that both PRs are aligned!

Thanks!

## Observation

- Identify SQLite databases created in the code.
- Determine whether sensitive data is inserted without encryption.

@jacobocasado jacobocasado May 10, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Determine whether sensitive data is inserted without encryption.
- Whether encryption is being applied in the code to the sensitive data before being stored.


## Evaluation

The test fails if sensitive data is stored in SQLite without encryption and can be read in plaintext through static or dynamic analysis.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The test fails if sensitive data is stored in SQLite without encryption and can be read in plaintext through static or dynamic analysis.
The test fails if sensitive data is stored in SQLite without encryption and can be read in plaintext.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add new Tests and Demo for MASWE-0006 using SQLite

3 participants