Core Data Storage
Core Data is Apple's object-relational mapping (ORM) layer that sits between the UI and the database. Developers prefer Core Data because record creation is faster than with the traditional SQLite format.

Task

In this exercise, the app stores data in Core Data Format. Your task is to locate the CoreData file and find the sensitive data that it contains.
From a security point of view, these files are similar to SQLite databases, with the only difference being that the tables are prefixed with Z.
Once we enter a username and password, the records are stored successfully.
Let's see whether the user credentials are stored securely or not.
Application data is usually stored under the following path:
/private/var/mobile/Containers/Data/Application/<AppFolder>
Using find piped into grep, we can easily identify the app folder that was created during the app installation, as shown below:
Aruns-iPhone:/private/var/mobile/Containers/Data/Application root# find * | grep "iGoat-Swift"
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/Cache.db
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/Cache.db-shm
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/Cache.db-wal
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/com.apple.metal
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/com.apple.metal/functions.data
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/com.apple.metal/functions.maps
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData/40C53B0C-C237-4741-AF82-5B687097E160
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData/94E8BBAA-DDC5-4DAB-93F4-978831FD9922
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData/FF62F4DB-5862-49BB-957A-537DFFD1B378
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/[email protected]
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/[email protected]
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/downscaled
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/downscaled/[email protected]
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Preferences/OWASP.iGoat-Swift.plist
Now open the Core Data store in the app's Application Support folder with sqlite3, as shown below:
Aruns-iPhone:/private/var/mobile/Containers/Data/Application/464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Application Support root#
Aruns-iPhone:/private/var/mobile/Containers/Data/Application/464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Application Support root# ls
CoreData.sqlite CoreData.sqlite-shm CoreData.sqlite-wal
Aruns-iPhone:/private/var/mobile/Containers/Data/Application/464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Application Support root# sqlite3 CoreData.sqlite
SQLite version 3.24.0 2018-06-04 19:24:41
Enter ".help" for usage hints.
sqlite> .headers ON
sqlite> .tables
ZUSER Z_METADATA Z_MODELCACHE Z_PRIMARYKEY
sqlite> select * from ZUSER;
Z_PK|Z_ENT|Z_OPT|ZEMAIL|ZPASSWORD
1|1|1|john@test.com|coredbpassword
sqlite>
Notice that all tables start with the prefix Z, and that the ZUSER table contains the user credentials stored in plain text.
Although Core Data is easy to use and fast, it should never be used to store sensitive information.
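As a defender-side check to go with the walkthrough above (an added example, not part of iGoat or the original page): this Python script builds a constructed in-memory copy of the CoreData.sqlite schema shown above and audits every Core Data entity table for populated, secret-looking attribute columns. The SECRET_COLUMN_RE heuristic and the sample schema are assumptions; to audit a real store, replace build_sample_store() with sqlite3.connect(path).

```python
import re
import sqlite3

# Core Data prefixes every entity table and attribute column with "Z"; these
# bookkeeping tables (all visible in the .tables output above) hold no app data.
BOOKKEEPING_TABLES = {"Z_METADATA", "Z_MODELCACHE", "Z_PRIMARYKEY"}
# Attribute names that normally hold secrets (assumed heuristic, extend as needed).
SECRET_COLUMN_RE = re.compile(r"^Z\w*(PASSWORD|PASSWD|SECRET|TOKEN|APIKEY|CREDENTIAL)", re.I)


def build_sample_store() -> sqlite3.Connection:
    """Constructed in-memory stand-in for iGoat's CoreData.sqlite (same schema as above)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Z_METADATA   (Z_VERSION INTEGER PRIMARY KEY, Z_UUID VARCHAR, Z_PLIST BLOB);
        CREATE TABLE Z_MODELCACHE (Z_CONTENT BLOB);
        CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME VARCHAR, Z_SUPER INTEGER, Z_MAX INTEGER);
        CREATE TABLE ZUSER (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, Z_OPT INTEGER,
                            ZEMAIL VARCHAR, ZPASSWORD VARCHAR);
        INSERT INTO ZUSER VALUES (1, 1, 1, 'john@test.com', 'coredbpassword');
    """)
    return conn


def find_plaintext_secrets(conn: sqlite3.Connection) -> list:
    """Return (table, column, Z_PK, value) for every populated secret-looking attribute
    in a Core Data entity table (Z-prefixed, not bookkeeping, carries the Z_PK row id)."""
    findings = []
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name LIKE 'Z%'")]
    for table in names:
        if table in BOOKKEEPING_TABLES:
            continue
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        if "Z_PK" not in cols:  # not an entity table
            continue
        for col in (c for c in cols if SECRET_COLUMN_RE.match(c)):
            rows = conn.execute(
                f'SELECT Z_PK, "{col}" FROM "{table}" '
                f'WHERE "{col}" IS NOT NULL AND "{col}" != \'\'')
            findings.extend((table, col, pk, value) for pk, value in rows)
    return findings


if __name__ == "__main__":
    for table, col, pk, value in find_plaintext_secrets(build_sample_store()):
        print(f"{table}.{col} row {pk}: {value!r} stored in plain text")
```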