Skip to content

Add Tests and Demos about "Sensitive Data Stored Unencrypted via DataStore"#3540

Open
macik09 wants to merge 7 commits into
OWASP:masterfrom
macik09:feature/mastg-datastore-clean
Open

Add Tests and Demos about "Sensitive Data Stored Unencrypted via DataStore"#3540
macik09 wants to merge 7 commits into
OWASP:masterfrom
macik09:feature/mastg-datastore-clean

Conversation

@macik09

@macik09 macik09 commented Nov 27, 2025

Copy link
Copy Markdown
Contributor

This PR closes #3449
Description

This PR introduces a new demo and finalizes the corresponding test for the MASVS-STORAGE requirement concerning unencrypted data persistence.
This submission specifically addresses data persistence via Jetpack DataStore by adding MASTG-DEMO-0069 and finalizing MASTG-TEST-0305.

The demo proves that sensitive PII (Email) and a secret (Password/Token) are stored in plaintext within the application's DataStore files (.preferences_pb or .proto). This occurs when developers fail to implement an explicit encryption layer, confirming the weakness MASWE-0006.

The included run.sh script demonstrates that these sensitive contents are trivially accessible from the app's private sandbox on a privileged device.

[x] I have read the contributing guidelines.

Comment thread tests-beta/android/MASVS-STORAGE/MASTG-TEST-0305.md Outdated
Comment on lines +22 to +39
### Static Analysis
1. Obtain the application package (e.g., APK file) using @MASTG-TECH-0003.
2. Use a static analysis technique (@MASTG-TECH-0014) to identify references to DataStore APIs such as:
- `androidx.datastore.preferences.preferencesDataStore`
- `androidx.datastore.core.DataStore` (or usage of generated Proto classes).
- `dataStore.edit`, `updateData`, or `write` operations.
3. Inspect the code to determine whether:
- sensitive data is stored using the default, unencrypted implementation.
- a secure mechanism (e.g., applying an `EncryptedFile.Builder` for Preferences DataStore or using an encrypted custom serializer for Proto DataStore) is explicitly applied to the sensitive fields.

### Dynamic Analysis
1. Install and run the app on a rooted or emulated device (@MASTG-TECH-0005).
2. Trigger app functionality that processes or stores sensitive data.
3. Access the app’s private storage (typically `/data/data/<package_name>/datastore/`) and locate the DataStore files. This requires accessing the app data directories (@MASTG-TECH-0008). File names usually end with:
- `.preferences_pb` (Preferences DataStore)
- `.proto` (Proto DataStore)
4. Extract the DataStore files from the device using @MASTG-TECH-0003.
5. Inspect the file content using a suitable tool, applying the technique for Dynamic Analysis (@MASTG-TECH-0015) to confirm whether sensitive data is stored in plaintext. *Note: Proto DataStore files require a Proto decoder for inspection.*

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For all the new PRs:

We require separate tests.

See for example:

@cpholguera cpholguera changed the title add Demo-0069 and Test-0305 Add Tests and Demos about "Sensitive Data Stored Unencrypted via DataStore" Nov 28, 2025
@macik09
macik09 force-pushed the feature/mastg-datastore-clean branch from 7e31c5f to 57ed186 Compare November 28, 2025 09:20
@macik09
macik09 force-pushed the feature/mastg-datastore-clean branch from 57ed186 to 4a930bc Compare November 28, 2025 09:25

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The DEMO must follow the content guidelines (https://mas.owasp.org/contributing/writing-content/mastg-demo.instructions).

For example, the "Evaluation" section should explain each relevant line of the output that is used as an evidence to give a FAIL to the test.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This Java file does not seem to be the Java file resulting from decompiling the DEMO app. As commented previously, follow the DEMO guidelines (https://mas.owasp.org/contributing/writing-content/mastg-demo.instructions/) to provide these files accordingly.

echo "[*] Pulling DataStore files directly from app sandbox..."
echo "--- DataStore Extracted Content ---" > "$OUTPUT_TXT_FILE"

# Wyciągamy wszystkie pliki bezpośrednio do strings

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please, provide all comments / code lines in English :)


### Sample

The snippet below shows sample code that uses Jetpack DataStore to store sensitive data, including PII (email) and secrets (access token or password), in **plaintext** without encryption.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an open issue #3781 that already shows the need of creating a MASTG-KNOW file that explains Android DataStore, the several storing mechanisms (I see you use two different mechanisms in this DEMO); it would be great if you create the corresponding KNOW file, using the knowledge that you already have by doing this DEMO. This is not needed for this PR and can be done later, but just in case :)

See https://mas.owasp.org/contributing/writing-content/mastg-knowledge.instructions/ for more information on how to craft KNOW files.

title: Sensitive Data Stored Unencrypted via DataStore
platform: android
title: Static Analysis for Unencrypted Sensitive Data in DataStore
id: MASTG-TEST-0305

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use a temporal ID to avoid drifts


## Overview

This test verifies whether the app's code uses Jetpack DataStore APIs to store sensitive data — such as tokens, passwords, or PII — without encryption. By default, both Preferences DataStore (`.preferences_pb`) and Proto DataStore (`.proto`) persist data in plaintext.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This test verifies whether the app's code uses Jetpack DataStore APIs to store sensitive data — such as tokens, passwords, or PII — without encryption. By default, both Preferences DataStore (`.preferences_pb`) and Proto DataStore (`.proto`) persist data in plaintext.
This test verifies whether the app's code uses [Jetpack DataStore](https://developer.android.com/jetpack/androidx/releases/datastore) APIs to store sensitive data — such as tokens, passwords, or PII — without encryption. By default, both Preferences DataStore (`.preferences_pb`) and Proto DataStore (`.proto`) persist data in plaintext.

## Observation

- Identify DataStore files referenced in the code.
- Determine whether sensitive data is stored without encryption.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Determine whether sensitive data is stored without encryption.
- Whether encryption is being applied in the code to the sensitive data before being stored.


## Steps

1. Install and run the app on a rooted or emulated device (@MASTG-TECH-0005).

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
1. Install and run the app on a rooted or emulated device (@MASTG-TECH-0005).

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Starting a device is not anymore needed for the tests.


1. Install and run the app on a rooted or emulated device (@MASTG-TECH-0005).

2. Trigger app functionality that processes or stores sensitive data.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
2. Trigger app functionality that processes or stores sensitive data.
1. Exercise all the functionalities of the app that process or store sensitive data.

Comment on lines +22 to +25
3. Access the app's private storage (typically `/data/data/<package_name>/datastore/`) to locate DataStore files:
- `.preferences_pb` (Preferences DataStore)
- `.proto` (Proto DataStore)
(@MASTG-TECH-0008)

@jacobocasado jacobocasado May 10, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
3. Access the app's private storage (typically `/data/data/<package_name>/datastore/`) to locate DataStore files:
- `.preferences_pb` (Preferences DataStore)
- `.proto` (Proto DataStore)
(@MASTG-TECH-0008)
2. Access the app's private storage (@MASTG-TECH-0008) to locate DataStore files (normally at `/data/data/<package_name>/datastore/`):
- `.preferences_pb` (Preferences DataStore)
- `.proto` (Proto DataStore)

- `.proto` (Proto DataStore)
(@MASTG-TECH-0008)

4. Extract the DataStore files to the host machine using @MASTG-TECH-0003.

@jacobocasado jacobocasado May 10, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
4. Extract the DataStore files to the host machine using @MASTG-TECH-0003.
3. Extract the DataStore files of the app to the host machine (@MASTG-TECH-0002).

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MASTG-TECH-0003 is about dumping the APK, but not their associated storage files.


4. Extract the DataStore files to the host machine using @MASTG-TECH-0003.

5. Inspect file contents using dynamic analysis techniques (@MASTG-TECH-0015) to determine whether sensitive data is stored in plaintext.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
5. Inspect file contents using dynamic analysis techniques (@MASTG-TECH-0015) to determine whether sensitive data is stored in plaintext.
4. Inspect the database content to determine if sensitive data is stored in plaintext.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is not a 1:1 TECH for this step, it's better to just enforce that the databases must be inspected.

4. Extract the DataStore files to the host machine using @MASTG-TECH-0003.

5. Inspect file contents using dynamic analysis techniques (@MASTG-TECH-0015) to determine whether sensitive data is stored in plaintext.
_Note: Proto DataStore files require a Proto decoder for inspection._

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be fine if we create a MASTG-TOOL for this purpose, I think there is not such tool right now.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you don't want to create the MASTG-TOOL file, you can create an issue (like this one #3728) so that we have it tracked.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestion. I'll create an issue to keep track of it. If it doesn't get picked up by someone else and I find the time, I'll take a stab at implementing the tool myself.

## Observation

- Which DataStore files exist on the device.
- Whether sensitive data (tokens, secrets, PII) is present in plaintext or easily reversible format.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Whether sensitive data (tokens, secrets, PII) is present in plaintext or easily reversible format.
- Occurrences inside the DataStore file where the sensitive data (tokens, secrets, PII) is stored in plaintext.


## Evaluation

The test fails if sensitive data is stored in DataStore files without encryption and can be read in plaintext through static or dynamic analysis.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The test fails if sensitive data is stored in DataStore files without encryption and can be read in plaintext through static or dynamic analysis.
The test fails if sensitive data is stored in DataStore files without encryption and can be read in plaintext.

@jacobocasado jacobocasado left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@macik09 Review done! Please check https://mas.owasp.org/contributing/writing-content/mastg-demo.instructions/ and also https://mas.owasp.org/contributing/writing-content/mastg-test.instructions/ (for the TEST) and ensure that they are aligned with the instructions!

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add new Tests and Demo for MASWE-0006 using DataStore

3 participants