MASTG walkthrough - OMTG_DATAST_001_SharedPreferences

• https://github.com/OWASP/MSTG-Hacking-Playground/wiki/Android-App#omtg_datast_001_sharedpreferences
• https://github.com/OWASP/MSTG-Hacking-Playground/tree/master/Android/MSTG-Android-Java-App/app

The intent here is to show that no sensitive information should be stored in Shared Preferences as it is stored by default in clear text.

Take a look at the source code

Line 22 indicates that we should look for a file called “key.xml” in /data/data/sg.vp.owasp_mobile.omtg_android/shared_prefs folder.

Tools used

• https://developer.android.com/studio/command-line/adb
• https://github.com/skylot/jadx