Wednesday 20 January 2016

Chapter 2 : Looking for Vulnerabilities

A new feature was added to the app which records the user's score and saves it to a file. The quiz selection menu now displays the user's best score for each quiz.


I also had to root my phone to test for some vulnerabilities in the current application. Starting with the obvious ones: there are two basic requirements for this app from the security point of view.
  1. App Integrity: When the app is accessed offline, another app or user should not be able to change or view the app's data, e.g. the user should not be able to view the questions and answers for the quiz.
  2. Device Integrity: A user's progress should not be transferable from one device to another. Otherwise, one person could complete the quiz and share his files with the other students.
From the perspective of a non-rooted device, both of the above requirements are met thanks to Android's access control mechanism, which treats each app as a separate user, so an application's data is actually private. But a rooted user or a malicious application does not follow the same rules.

As we know, all application private data is stored in the data/data directory under root. We could use a simple root file explorer (ES File Explorer) available in the Android market to make the changes we require.

Shown below, a rooted user accessing the questions and answers.




The user can also change his scores.
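An added example, not code from the app described in this post: one way to make a saved score tamper-evident and bound to a single device, which addresses the "change" and "transfer" parts of the two requirements above (not the "view" part). The class name, record layout, device id strings and demo key are assumptions made for illustration; on a rooted device a key kept in the app's private data is as readable as the score file, so the key would have to come from hardware-backed key storage or a server.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ScoreSeal {
    // HMAC-SHA256 over a UTF-8 string.
    private static byte[] hmac(byte[] key, String msg) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    // The MAC key is derived from the device id, so a record copied to
    // another device no longer verifies there. Returns the tag as hex.
    private static String tag(byte[] appKey, String deviceId, String quizId, String score)
            throws GeneralSecurityException {
        byte[] deviceKey = hmac(appKey, "device:" + deviceId);
        StringBuilder hex = new StringBuilder();
        for (byte b : hmac(deviceKey, quizId + "\n" + score)) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Hypothetical record layout: quizId|score|tag (quiz ids must not contain '|').
    static String seal(byte[] appKey, String deviceId, String quizId, int score)
            throws GeneralSecurityException {
        String s = Integer.toString(score);
        return quizId + "|" + s + "|" + tag(appKey, deviceId, quizId, s);
    }

    // True only if the record is unmodified and was sealed for this device.
    static boolean verify(byte[] appKey, String deviceId, String record)
            throws GeneralSecurityException {
        String[] p = record.split("\\|");
        if (p.length != 3) return false; // malformed or truncated record
        byte[] expected = tag(appKey, deviceId, p[0], p[1]).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, p[2].getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] appKey = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed value
        String rec = seal(appKey, "device-A", "quiz1", 7);
        System.out.println("untouched record:   " + verify(appKey, "device-A", rec));
        System.out.println("score edited to 10: " + verify(appKey, "device-A", rec.replace("|7|", "|10|")));
        System.out.println("copied to device-B: " + verify(appKey, "device-B", rec));
    }
}
```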



