Insecure data storage – NoSQL database

NoSQL databases are being widely used these days. Enterprises are widely adopting NoSQL databases such as MongoDB, CouchDB, and so on. These databases have support for mobile applications, too. As with any other local storage technique, data stored in a NoSQL database in an insecure manner is open to exploitation. This section walks through how improper usage of NoSQL databases can cause insecure data storage vulnerabilities.

Let's look into this vulnerability using a sample application.

NoSQL demo application functionality

Understanding what the application does is essential to assessing the risk it carries and to finding where that risk lies.

Let's look at a sample application that acts like a password vault. The user-provided data is stored in the form of documents in the NoSQL database.

Below is the code snippet used for building the demo application:

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import com.couchbase.lite.CouchbaseLiteException;
import com.couchbase.lite.Database;
import com.couchbase.lite.Document;
import com.couchbase.lite.Manager;
import com.couchbase.lite.android.AndroidContext;

String databaseName = "credentials";
Database db;

// Open (or create) the Couchbase Lite database; it lives under the app's files directory
try {
  Manager manager = new Manager(new AndroidContext(this), Manager.DEFAULT_OPTIONS);
  db = manager.getDatabase(databaseName);
} catch (IOException | CouchbaseLiteException e) {
  return;
}

// Read the vault entry the user typed into the input fields
String username = editTextUName.getText().toString();
String password = editTextPasswd.getText().toString();
String serviceName = editTextService.getText().toString();

// Name-value pairs for the document; the password goes in exactly as typed, unencrypted
Map<String, Object> data = new HashMap<String, Object>();
data.put("username", username);
data.put("password", password);
data.put("service", serviceName);

// Persist the document to the credentials database
Document document = db.createDocument();
try {
  document.putProperties(data);
} catch (CouchbaseLiteException e) {
  return;
}

The above code uses a HashMap to hold the name-value pairs that are stored in the NoSQL database.

Let's install this app on an Android device using the following command:

C:> adb install nosqldemo.apk

Once installed, let's insert some username and password data into it. Then let's open up the adb shell and go to the data directory to see where the credentials are being stored:

cd data/data/

In our case, the installation directory of the app is at com.example.nosqldemo. Let's cd into it and analyze its file system for some interesting files:

cd com.example.nosqldemo

Running the ls command gives us the following output:

root@t03g:/data/data/com.example.nosqldemo # ls
cache
files
lib

NoSQL is a database technology, so we were expecting to see a databases directory; however, we only see the files directory. The reason there is no databases directory is that Couchbase uses the files directory to store its database files.

So, let's navigate to the files directory and again see the files inside it:

root@t03g:/data/data/com.example.nosqldemo/files # ls
credentials
credentials.cblite
credentials.cblite-journal
root@t03g:/data/data/com.example.nosqldemo/files #

Couchbase stores its files with the .cblite extension, so credentials.cblite is the database created by our app.

Just like all other examples, pull the credentials.cblite file to your desktop machine to analyze it for insecure data storage:

root@t03g:/data/data/com.example.nosqldemo/files # pwd
/data/data/com.example.nosqldemo/files
root@t03g:/data/data/com.example.nosqldemo/files #
C:>adb pull /data/data/com.example.nosqldemo/files/credentials.cblite
1027 KB/s (114688 bytes in 0.108s)

Now that we have the Couchbase file, since it is in text format and uses JSON to store the data, we can view it using the strings command. Windows doesn't have the strings command, so I have installed Cygwin for Windows and then opened up the Cygwin terminal.

You can download and install Cygwin from https://cygwin.com/install.html:

android@laptop ~
$ strings credentials.cblite | grep 'qwerty'
4-3bb12aee5f548c5bf074e507e8a9ac9f{"username":"alice","password":"qwerty","service":"linkedin"}
android@laptop ~

As you can see, the username and password are stored in clear text, and anyone with access to the file can read this information.

Two other options, if you don't want to endure the pain of installing Cygwin, are strings.exe from Sysinternals or any hex editor of your choice.
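A third option is to script the check. The following Python script is an added example, not code from the book or from Couchbase: it mimics what strings does on a pulled .cblite file and then flags every JSON document whose properties include a password-like key, so the finding above can be reproduced without eyeballing grep output. The embedded byte sample is constructed to resemble such a file and is not real application data.

```python
import json
import re

# Constructed sample of what a pulled credentials.cblite file can contain:
# JSON document bodies preceded by a revision id, embedded in binary page data.
# Not real application data.
SAMPLE_CBLITE = (
    b"SQLite format 3\x00" + b"\x00" * 8
    + b'2-aaaa1111{"username":"alice","password":"qwerty","service":"linkedin"}'
    + b"\x00\x7f\xff"
    + b'1-bbbb2222{"username":"bob","password":"hunter2","service":"mail"}'
    + b"\x00" * 4
    + b'1-cccc3333{"note":"nothing sensitive here"}'
)

# Property names that should never appear with a cleartext value in local storage
SENSITIVE_KEYS = {"password", "passwd", "pin", "secret", "token"}


def printable_strings(blob, min_len=4):
    """Equivalent of the strings command: runs of printable ASCII of min_len or more."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def extract_json_documents(text):
    """Decode every JSON object embedded in a printable run; revision ids are skipped."""
    decoder = json.JSONDecoder()
    docs = []
    i = text.find("{")
    while i != -1:
        try:
            obj, end = decoder.raw_decode(text, i)
            if isinstance(obj, dict):
                docs.append(obj)
            i = end
        except json.JSONDecodeError:
            i += 1  # not a document body, keep scanning
        i = text.find("{", i)
    return docs


def find_cleartext_credentials(blob):
    """Return (document, sensitive_keys) for every document holding a secret in the clear."""
    findings = []
    for run in printable_strings(blob):
        for doc in extract_json_documents(run):
            hits = sorted(k for k in doc if k.lower() in SENSITIVE_KEYS)
            if hits:
                findings.append((doc, hits))
    return findings
```

Run it against a pulled file with open("credentials.cblite", "rb").read() in place of SAMPLE_CBLITE; a non-empty result means the vault's secrets are readable by anyone who can copy the file.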
