External storage

Another important storage mechanism in Android is the SDCARD, or external storage, where apps can store data. Some well-known applications store their data in external storage. Care should be taken when storing data on the SDCARD, as it is world-writable and world-readable. Better yet, we can simply remove the SDCARD from the device and mount it on another device to access and read the data.

Let's use the earlier example and instead of storing it in the internal storage, the application now stores it on the external storage, that is, the SDCARD:

        String publicKeyFilename = "public.key";
        String privateKeyFilename = "private.key";

        try {
            GenerateRSAKeys generateRSAKeys = new GenerateRSAKeys();
            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

            // Generate public & private keys
            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "BC");

            // Create base64 handler
            BASE64Encoder b64 = new BASE64Encoder();

            // Create random number source
            SecureRandom rand = new SecureRandom();
            generator.initialize(2048, rand);

            // Generate key pair
            KeyPair keyPair = generator.generateKeyPair();
            Key publicKey = keyPair.getPublic();
            Key privateKey = keyPair.getPrivate();

            File file;
            FileOutputStream fos = null;

            try {
                // Save public key
                file = new File(Environment.getExternalStorageDirectory().getAbsolutePath() + "/vulnApp/", publicKeyFilename);
                fos = new FileOutputStream(file);
                fos.write(b64.encode(publicKey.getEncoded()).getBytes());
                fos.close();

                // Save private key (insecure: external storage is readable by other apps)
                file = new File(Environment.getExternalStorageDirectory().getAbsolutePath() + "/vulnApp/", privateKeyFilename);
                fos = new FileOutputStream(file);
                fos.write(b64.encode(privateKey.getEncoded()).getBytes());
                fos.close();
            }
            catch (FileNotFoundException e) {
                e.printStackTrace();
            }
            catch (IOException e) {
                e.printStackTrace();
            }
        }
        catch (Exception e) {
            System.out.println(e);
        }
    }

As we can see, this app uses Environment.getExternalStorageDirectory() to save the private key in the vulnApp directory on the SDCARD. So any malicious app can read this key and send it to some remote server on the Internet.

In order for the app to have access to external storage, the preceding code requires WRITE_EXTERNAL_STORAGE permission in the AndroidManifest.xml file:

    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
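
A hardened counterpart to the key-generation code above, added here as an example and not taken from the book: the RSA key pair is generated inside the Android Keystore, so the private key is never written to the SDCARD or any other file. It assumes API level 23 or later and that the key is used for signing; the class name `KeystoreRsaKeys` and the alias `vulnApp_rsa` are hypothetical.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

public final class KeystoreRsaKeys {
    private static final String PROVIDER = "AndroidKeyStore";
    private static final String ALIAS = "vulnApp_rsa"; // hypothetical alias

    private static KeyStore openKeystore() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null); // AndroidKeyStore takes no input stream or password
        return ks;
    }

    // Creates the key pair on first use and returns only the public half.
    public static PublicKey ensureKeyPair() throws GeneralSecurityException, IOException {
        KeyStore ks = openKeystore();
        if (!ks.containsAlias(ALIAS)) {
            KeyPairGenerator gen =
                    KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, PROVIDER);
            gen.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                    .setKeySize(2048)
                    .setDigests(KeyProperties.DIGEST_SHA256)
                    .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                    .build());
            gen.generateKeyPair();
        }
        // The public key may be exported or shared; it is not secret.
        return ks.getCertificate(ALIAS).getPublicKey();
    }

    // Signs data with the keystore-held private key. The PrivateKey object is
    // only a handle: getEncoded() returns null, so there are no bytes to save.
    public static byte[] sign(byte[] data) throws GeneralSecurityException, IOException {
        PrivateKey key = (PrivateKey) openKeystore().getKey(ALIAS, null);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }
}
```

This variant needs no WRITE_EXTERNAL_STORAGE permission, because nothing is written outside the keystore.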