- https://github.com/OWASP/MSTG-Hacking-Playground/wiki/Android-App#omtg_datast_001_externalstorage
- https://github.com/OWASP/MSTG-Hacking-Playground/tree/master/Android/MSTG-Android-Java-App/app
The intent here is to show that storing data on the device itself can lead to disclosure of data. External storage should not be used to store app information, because it can be accessed by all apps and can also be removed, which might lead to errors in the app.
Set permissions
Open the app and run activity -> OMTG_DATAST_001_ExternalStorage
Take a look at the source code
Line 36 indicates that we should look for a file called “password.txt” in the external storage (/sdcard).
Connect to the target device via adb and use find:
adb shell
find /sdcard/ -name 'password.txt' -type f 2>/dev/null
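The storage choice this exercise is about, as an added Java sketch that is not the MSTG app's source: the first method writes password.txt to external storage, the second keeps the same file in the app's private internal storage. The class and method names are hypothetical, and the code assumes it runs inside an Android app with a valid Context.

```java
import android.content.Context;
import android.os.Environment;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Added illustration; StorageExample and its methods are hypothetical names.
public final class StorageExample {

    private static final String FILE_NAME = "password.txt";

    private StorageExample() {}

    // Weak pattern: the file lands under /sdcard, where other apps and
    // anyone with adb access can read it. The medium can also be removed,
    // so the write may fail at runtime.
    // Note: getExternalStorageDirectory() is deprecated since API 29.
    static File writeExternal(String secret) throws IOException {
        String state = Environment.getExternalStorageState();
        if (!Environment.MEDIA_MOUNTED.equals(state)) {
            throw new IOException("external storage not mounted: " + state);
        }
        File file = new File(Environment.getExternalStorageDirectory(), FILE_NAME);
        try (FileOutputStream out = new FileOutputStream(file)) {
            out.write(secret.getBytes(StandardCharsets.UTF_8));
        }
        return file;
    }

    // Corrected pattern: MODE_PRIVATE creates the file in the app's own
    // data directory, readable only by the app's UID on a non-rooted device.
    // The content is still plaintext, so a rooted device or a backup can
    // expose it; this only removes the exposure through shared storage.
    static File writeInternal(Context context, String secret) throws IOException {
        try (FileOutputStream out =
                 context.openFileOutput(FILE_NAME, Context.MODE_PRIVATE)) {
            out.write(secret.getBytes(StandardCharsets.UTF_8));
        }
        return new File(context.getFilesDir(), FILE_NAME);
    }
}
```

With the internal variant, the `find /sdcard/` check above returns nothing for password.txt.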
Tools used