seikaikyo/exploiting-insecure-data-storage-in-mobile
external/anthropic-cybersecurity-skills/skills/exploiting-insecure-data-storage-in-mobile/SKILL.md
Identifies and exploits insecure local data storage vulnerabilities in Android and iOS mobile applications including unencrypted databases, world-readable files, insecure SharedPreferences, plaintext credential storage, and improper keychain/keystore usage. Use when performing mobile penetration testing focused on OWASP M9 (Insecure Data Storage) or assessing compliance with MASVS-STORAGE requirements. Activates for requests involving mobile data storage security, local storage exploitation, SharedPreferences analysis, or mobile data leakage assessment.
$ install --global
skillsauthnpx skillsauth add seikaikyo/dash-skills exploiting-insecure-data-storage-in-mobileInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 6, 2026, 5:28 AM159.2s7 files scanned
SKILL.md
- name:
- exploiting-insecure-data-storage-in-mobile
- description:
- Identifies and exploits insecure local data storage vulnerabilities
- domain:
- cybersecurity
- subdomain:
- mobile-security
- author:
- mahipal
- version:
- 1.0.0
- license:
- Apache-2.0
Exploiting Insecure Data Storage in Mobile
When to Use
Use this skill when:
- Assessing whether mobile applications store sensitive data securely on the device filesystem
- Testing for credential leakage through SharedPreferences, SQLite databases, or plists
- Evaluating keychain/keystore implementation for proper access control attributes
- Performing data-at-rest security assessment during mobile penetration tests
Do not use this skill on production user devices without authorization -- data extraction techniques require physical access or root/jailbreak privileges.
Prerequisites
- Rooted Android device or emulator with ADB access
- Jailbroken iOS device with SSH access or Objection-patched IPA
- ADB (Android Debug Bridge) for Android filesystem access
- SQLite3 CLI for database inspection
- Frida/Objection for runtime data extraction
- Target application installed and exercised (logged in, data cached)
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
Workflow
Step 1: Map Application Data Storage Locations
Android storage paths:
# Internal storage (app-private, requires root)
/data/data/<package_name>/
├── shared_prefs/ # SharedPreferences XML files
├── databases/ # SQLite databases
├── files/ # General files
├── cache/ # Cached data
├── lib/ # Native libraries
└── app_webview/ # WebView data
# External storage (world-readable on older Android)
/sdcard/Android/data/<package_name>/
# Check for world-readable files
adb shell run-as <package_name> ls -la /data/data/<package_name>/
iOS storage paths:
# App sandbox (accessible via SSH on jailbroken device)
/var/mobile/Containers/Data/Application/<UUID>/
├── Documents/ # User data, backed up by default
├── Library/
│ ├── Preferences/ # NSUserDefaults plists
│ ├── Caches/ # Cache data
│ └── Application Support/
└── tmp/ # Temporary files
Step 2: Extract and Analyze SharedPreferences (Android)
# Pull SharedPreferences files
adb shell run-as <package_name> cat shared_prefs/*.xml
# Or on rooted device
adb pull /data/data/<package_name>/shared_prefs/ ./shared_prefs/
# Search for sensitive data
grep -ri "password\|token\|secret\|key\|session\|auth\|cookie" shared_prefs/
Common insecure storage patterns:
<!-- Plaintext credentials -->
<string name="user_password">mysecretpass123</string>
<string name="auth_token">eyJhbGciOiJIUzI1NiIs...</string>
<string name="api_key">sk-live-abc123def456</string>
<!-- Sensitive PII -->
<string name="user_ssn">123-45-6789</string>
<string name="credit_card">4111111111111111</string>
Step 3: Analyze SQLite Databases
# Pull databases
adb pull /data/data/<package_name>/databases/ ./databases/
# Open and inspect
sqlite3 databases/app.db
.tables
.schema users
SELECT * FROM users;
SELECT * FROM sessions;
SELECT * FROM tokens;
# Search all tables for sensitive columns
sqlite3 databases/app.db ".dump" | grep -i "password\|token\|secret\|credit"
Check for unencrypted SQLCipher databases:
# If database opens without password, it's unencrypted
sqlite3 databases/app.db "SELECT count(*) FROM sqlite_master;"
# Success = unencrypted (vulnerability)
Step 4: Inspect iOS Keychain Storage
# Using Objection
objection --gadget com.target.app explore
ios keychain dump
# Check protection class attributes
# kSecAttrAccessibleWhenUnlocked - OK for most data
# kSecAttrAccessibleAlways - VULNERABLE: accessible even when locked
# kSecAttrAccessibleAfterFirstUnlock - acceptable for background apps
Step 5: Assess External Storage and Backup Exposure
Android:
# Check if backup is enabled
aapt dump badging target.apk | grep -i "allowBackup"
# android:allowBackup="true" = vulnerability
# Extract backup data
adb backup -f backup.ab -apk <package_name>
java -jar abe.jar unpack backup.ab backup.tar
tar xvf backup.tar
# Inspect extracted data for sensitive information
# Check external storage
adb shell ls -la /sdcard/Android/data/<package_name>/
iOS:
# Check backup exclusion
# Files in Documents/ are backed up by default
# Check NSURLIsExcludedFromBackupKey attribute
objection --gadget com.target.app explore
ios plist cat Info.plist
Step 6: Runtime Memory Analysis
# Dump process memory for sensitive data
objection --gadget com.target.app explore
memory search "password" --string
memory search "BEGIN RSA PRIVATE KEY" --string
memory dump all /tmp/memdump/
# Android: Check for sensitive data in logs
adb logcat -d | grep -i "password\|token\|key\|secret"
Key Concepts
| Term | Definition | |------|-----------| | SharedPreferences | Android key-value storage in XML format; often misused for storing credentials in plaintext | | Keychain Services | iOS secure credential storage backed by Secure Enclave hardware on modern devices | | Android Keystore | Hardware-backed cryptographic key storage on Android; keys cannot be extracted from the device | | SQLCipher | Transparent encryption extension for SQLite databases; prevents data extraction without password | | Data Protection API | iOS file-level encryption tied to device passcode; controlled via protection class attributes |
Tools & Systems
- ADB (Android Debug Bridge): Command-line tool for Android device interaction and filesystem access
- Objection: Frida-powered runtime exploration for keychain dumping and memory inspection
- SQLite3: Command-line interface for inspecting unencrypted SQLite databases
- Android Backup Extractor (ABE): Tool for unpacking ADB backup files to inspect stored data
- iExplorer: GUI tool for browsing iOS app sandbox filesystem
Common Pitfalls
- Encrypted but key in code: Some apps encrypt databases but store the encryption key in SharedPreferences or hardcoded in the binary. Always check for key storage alongside encryption.
- MODE_WORLD_READABLE deprecation: This flag was deprecated in API 17, but legacy apps may still use it, making SharedPreferences readable by other apps.
- iOS backup scope: By default, all files in the Documents directory are included in iTunes/iCloud backups. Verify that sensitive files have the backup exclusion attribute set.
- Clipboard exposure: Data copied to clipboard is accessible to all apps. Check if the app copies sensitive data (passwords, tokens) to the clipboard.
Related Skills
seikaikyo/performing-soc2-type2-audit-preparation
development
VerifiedTrustedCommunity
Automates SOC 2 Type II audit preparation including gap assessment against AICPA Trust Services Criteria (CC1-CC9), evidence collection from cloud providers and identity systems, control testing validation, remediation tracking, and continuous compliance monitoring. Covers all five TSC categories (Security, Availability, Processing Integrity, Confidentiality, Privacy) with automated evidence gathering from AWS, Azure, GCP, Okta, GitHub, and Jira. Use when preparing for or maintaining SOC 2 Type II certification.
1SKILL.mdUpdated Jun 13, 2026
seikaikyo/performing-soc-tabletop-exercise
testing
VerifiedTrustedCommunity
Performs tabletop exercises for SOC teams simulating security incidents through discussion-based scenarios to test incident response procedures, communication workflows, and decision-making under pressure without impacting production systems. Use when organizations need to validate IR playbooks, train analysts, or meet compliance requirements for incident response testing.
1SKILL.mdUpdated Jun 13, 2026
seikaikyo/performing-soap-web-service-security-testing
development
VerifiedTrustedCommunity
Perform security testing of SOAP web services by analyzing WSDL definitions and testing for XML injection, XXE, WS-Security bypass, and SOAPAction spoofing.
1SKILL.mdUpdated Jun 13, 2026
seikaikyo/performing-service-account-credential-rotation
devops
VerifiedTrustedCommunity
Automate credential rotation for service accounts across Active Directory, cloud platforms, and application databases to eliminate stale secrets and reduce compromise risk.
1SKILL.mdUpdated Jun 13, 2026