This project only finds the local storage flaw in the Android app.
I tested several other apps from that developer and found that they all had similar flaws. I notified the developer on 1-7-17 and got no response.
I see no reason to bother notifying them again about the iOS vulnerabilities--it's obvious that they don't care.
Register an account with the password
topsecret3-YOURNAME
Replace "YOURNAME" with a version of your name that doesn't contain any spaces.
adb connect 172.16.123.154
adb devices -l
You should see your Genymotion device in the
"List of devices attached",
as shown below.
adb shell
You get a root shell on the Android device,
as shown below.
On Kali, in the Terminal, execute these commands:
cd data
ls -p
You see the files and directories in the
/data/ directory,
as shown below.
On Kali, in the Terminal, execute these commands:
cd data
ls -p
You see the files and directories in the
/data/data/ directory,
as shown below.
Each app has its own directory here. Most of them begin with "com.android" because they are part of the Android operating system, but near the top, you see the com.absmallbusinessmarketing.askalawyer/ directory, highlighted in the image below.
On Kali, in the Terminal, execute these commands:
cd com.absmallbusinessmarketing.askalawyer
ls -p
You see a list of directories in the
/data/data/com.absmallbusinessmarketing.askalawyer/ directory,
as shown below.
This is where the "Ask a Lawyer" app stores its local data.
grep pass . -ra
You see the password, containing your name,
as shown below.
Capture a full-screen image.
YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!
Save the image with the filename "YOUR NAME Proj 2x", replacing "YOUR NAME" with your real name.
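The grep step above can be turned into a repeatable check that a developer or tester runs against a local copy of an app's data directory after registering with a known canary password. The script below is an added example, not part of the original project; it goes beyond the single grep by also looking for the base64 form of the canary. The function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a local copy of an app data directory for a canary
# password stored in plaintext or as base64. All sample data is constructed.

# find_canary DIR CANARY -> prints "form: file" for each file holding the canary
find_canary() {
    dir=$1
    canary=$2
    # base64 of the exact canary bytes; matches only when the value was
    # encoded on its own, not when it is embedded in a longer encoded string
    b64=$(printf '%s' "$canary" | base64 | tr -d '\n')
    # -r recurse, -l list file names, -a read binary files (e.g. SQLite) as text,
    # -F fixed string so the canary is never interpreted as a regex
    { grep -rlaF -- "$canary" "$dir" 2>/dev/null || true; } | sed 's/^/plaintext: /'
    { grep -rlaF -- "$b64" "$dir" 2>/dev/null || true; } | sed 's/^/base64: /'
}

# count_hits DIR CANARY -> number of findings (0 means nothing was found)
count_hits() {
    find_canary "$1" "$2" | wc -l | tr -d ' '
}

# make_sample DIR -> builds a constructed tree shaped like an app data directory
make_sample() {
    mkdir -p "$1/shared_prefs" "$1/databases" "$1/cache"
    cat > "$1/shared_prefs/user.xml" <<'EOF'
<?xml version='1.0' encoding='utf-8'?>
<map>
    <string name="email">student@example.com</string>
    <string name="password">topsecret3-STUDENT</string>
</map>
EOF
    # binary-looking file that holds the canary only in base64 form
    enc=$(printf '%s' 'topsecret3-STUDENT' | base64 | tr -d '\n')
    printf 'SQLite format 3\000token=%s\000' "$enc" > "$1/databases/app.db"
    printf 'nothing sensitive here\n' > "$1/cache/log.txt"
}

sample=$(mktemp -d)
make_sample "$sample"
find_canary "$sample" 'topsecret3-STUDENT'
echo "findings: $(count_hits "$sample" 'topsecret3-STUDENT')"
rm -rf "$sample"
```

Any finding means the app wrote the credential to local storage in a recoverable form; a clean result covers only the two encodings checked here.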