In this exercise, the app stores data in Core Data format. Your task is to locate the Core Data file and find the sensitive data that it contains.
From a security point of view, these files are ordinary SQLite databases; the only difference is that the tables are prefixed with Z.
Once we enter the username and password, the records are stored successfully.
Let's see whether the user credentials are stored securely or not.
Application data is usually stored under the following path:
/private/var/mobile/Containers/Data/Application/<AppFolder>
Using grep we can easily identify the app folder that was created during installation, as shown below:
```
Aruns-iPhone:/private/var/mobile/Containers/Data/Application root# find * | grep "iGoat-Swift"
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/Cache.db
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/Cache.db-shm
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/Cache.db-wal
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/com.apple.metal
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/com.apple.metal/functions.data
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/com.apple.metal/functions.maps
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData/40C53B0C-C237-4741-AF82-5B687097E160
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData/94E8BBAA-DDC5-4DAB-93F4-978831FD9922
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData/FF62F4DB-5862-49BB-957A-537DFFD1B378
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/4099D0AD-F39B-4C4C-A29F-AA3BE0FF5BA3@2x.ktx
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/4F042730-B3CA-4F80-898A-6C900F998054@2x.ktx
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/downscaled
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/downscaled/84C3ADC6-8F6A-4EB7-BDE5-E8BDE70FFC10@2x.ktx
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Preferences/OWASP.iGoat-Swift.plist
```
Now open the Core Data store with sqlite3, as shown below:
```
Aruns-iPhone:/private/var/mobile/Containers/Data/Application/464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Application Support root# ls
CoreData.sqlite  CoreData.sqlite-shm  CoreData.sqlite-wal
Aruns-iPhone:/private/var/mobile/Containers/Data/Application/464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Application Support root# sqlite3 CoreData.sqlite
SQLite version 3.24.0 2018-06-04 19:24:41
Enter ".help" for usage hints.
sqlite> .headers ON
sqlite> .tables
ZUSER         Z_METADATA    Z_MODELCACHE  Z_PRIMARYKEY
sqlite> select * from ZUSER;
Z_PK|Z_ENT|Z_OPT|ZEMAIL|ZPASSWORD
1|1|1|john@test.com|coredbpassword
sqlite>
```
Notice that all tables start with the prefix Z, and that the ZUSER table contains the user credentials in plain text.
Although Core Data is easy to use and fast, it should never be used to store sensitive information.
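The manual sqlite3 session above can be turned into a repeatable check for an app security review. The following Python script is an added example, not code from iGoat-Swift or from this walkthrough: it opens a Core Data store, lists the Z-prefixed entity tables (skipping Core Data's own Z_ bookkeeping tables such as Z_METADATA and Z_PRIMARYKEY), and reports any non-empty value sitting in a column whose name looks like a secret (ZPASSWORD, ZTOKEN, and so on). The column-name pattern and the `build_sample_store` helper are assumptions made for the example; the sample store it creates is constructed to mirror the ZUSER schema and the john@test.com row seen in the session.

```python
import os
import re
import shutil
import sqlite3
import tempfile

# Core Data prefixes every entity table and attribute column with "Z", so a
# Swift attribute `password` becomes the column ZPASSWORD. The list of
# secret-like names below is an assumption for this example; extend it to
# match the data model under review.
SENSITIVE_COLUMN = re.compile(
    r"(PASSWORD|PASSWD|TOKEN|SECRET|APIKEY|CREDITCARD|CARDNUMBER)", re.IGNORECASE
)


def entity_tables(conn):
    """Return the app's entity tables: names starting with Z but not Z_."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name LIKE 'Z%'"
    ).fetchall()
    return sorted(r[0] for r in rows if not r[0].startswith("Z_"))


def find_plaintext_secrets(db_path):
    """Scan each entity table for secret-like columns.

    Returns a list of (table, column, primary_key, value) tuples for every
    non-empty value found, in table order.
    """
    findings = []
    conn = sqlite3.connect(db_path)
    try:
        for table in entity_tables(conn):
            cols = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
            hits = [c for c in cols if SENSITIVE_COLUMN.search(c)]
            if not hits:
                continue
            # Every Core Data entity table carries Z_PK; fall back to rowid otherwise.
            pk_col = "Z_PK" if "Z_PK" in cols else "rowid"
            select_cols = ", ".join(f'"{c}"' for c in hits)
            for row in conn.execute(f'SELECT {pk_col}, {select_cols} FROM "{table}"'):
                pk, values = row[0], row[1:]
                for col, val in zip(hits, values):
                    if val not in (None, "", b""):
                        findings.append((table, col, pk, val))
    finally:
        conn.close()
    return findings


def build_sample_store(path):
    """Create a constructed store mimicking the walkthrough's schema (assumed layout)."""
    conn = sqlite3.connect(path)
    with conn:
        conn.executescript(
            """
            CREATE TABLE ZUSER (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER,
                                ZEMAIL VARCHAR, ZPASSWORD VARCHAR);
            CREATE TABLE ZNOTE (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER,
                                ZTEXT VARCHAR);
            CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR,
                                       Z_SUPER INTEGER, Z_MAX INTEGER);
            CREATE TABLE Z_METADATA (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR(255),
                                     Z_PLIST BLOB);
            INSERT INTO ZUSER VALUES (1, 1, 1, 'john@test.com', 'coredbpassword');
            INSERT INTO ZUSER VALUES (2, 1, 1, 'jane@test.com', NULL);
            INSERT INTO ZNOTE VALUES (1, 2, 1, 'shopping list');
            """
        )
    conn.close()


def demo():
    """Build the constructed store in a temp dir, scan it, and return the results."""
    workdir = tempfile.mkdtemp()
    try:
        db_path = os.path.join(workdir, "CoreData.sqlite")
        build_sample_store(db_path)
        conn = sqlite3.connect(db_path)
        tables = entity_tables(conn)
        conn.close()
        return {"tables": tables, "findings": find_plaintext_secrets(db_path)}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("entity tables:", ", ".join(result["tables"]))
    for table, col, pk, val in result["findings"]:
        # Mask the value in the report; the finding is the column, not the secret.
        shown = str(val)[:1] + "*" * (len(str(val)) - 1)
        print(f"{table}.{col} (Z_PK={pk}) holds a plaintext value: {shown}")
```

Run it against a real store by calling `find_plaintext_secrets("/path/to/CoreData.sqlite")` on a copy of the file; copy the `-wal` and `-shm` files alongside it, since recent writes may still live in the write-ahead log rather than the main database. The report masks values on purpose: for a review the finding is that a secret-bearing column exists in an unencrypted store, and on iOS the fix is to move such values into the Keychain rather than a Core Data attribute.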