Core Data Storage

Core Data is an object-relational mapping (ORM) that creates a layer between UI & database.Developers prefer Core Data as it is faster in terms of record creation than the traditional SQLite Format.
Task
In this exercise, the app stores data in Core Data Format. Your task is to locate the CoreData file and find the sensitive data that it contains.
From security point of view, these files are similar to SQLite, with the only difference being that the tables are prefixed with Z.
Once we enter the Username and Password the records are stored successfully. 
Let’s see whether user credentials are stored securely or not:
Application Data is usually stored in the below path:
/private/var/mobile/Containers/Data/Application/<AppFolder>
Using Grep command we can easily identify the Appfolder which was created during the App installation as shown below;
Aruns-iPhone:/private/var/mobile/Containers/Data/Application root# find * | grep "iGoat-Swift"
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/Cache.db
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/Cache.db-shm
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/Cache.db-wal
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/com.apple.metal
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/com.apple.metal/functions.data
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/com.apple.metal/functions.maps
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData/40C53B0C-C237-4741-AF82-5B687097E160
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData/94E8BBAA-DDC5-4DAB-93F4-978831FD9922
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData/FF62F4DB-5862-49BB-957A-537DFFD1B378
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/4099D0AD-F39B-4C4C-A29F-AA3BE0FF5BA3@2x.ktx
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/4F042730-B3CA-4F80-898A-6C900F998054@2x.ktx
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/downscaled
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/downscaled/84C3ADC6-8F6A-4EB7-BDE5-E8BDE70FFC10@2x.ktx
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Preferences/OWASP.iGoat-Swift.plist
Now try to access the Core Data Application files using Sqlite3 as shown below; 
Aruns-iPhone:/private/var/mobile/Containers/Data/Application/464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Application Support root#
Aruns-iPhone:/private/var/mobile/Containers/Data/Application/464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Application Support root# ls
CoreData.sqlite  CoreData.sqlite-shm  CoreData.sqlite-wal
Aruns-iPhone:/private/var/mobile/Containers/Data/Application/464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Application Support root# sqlite3 CoreData.sqlite
SQLite version 3.24.0 2018-06-04 19:24:41
Enter ".help" for usage hints.
sqlite> .headers ON
sqlite> .tables
ZUSER         Z_METADATA    Z_MODELCACHE  Z_PRIMARYKEY
sqlite> select * from ZUSER;
Z_PK|Z_ENT|Z_OPT|ZEMAIL|ZPASSWORD
1|1|1|john@test.com|coredbpassword
sqlite>
Notice that all tables starting with prefix Z and the table ZUSER contains the sensitive user credentials stored in plain text.
Although Core Data is easy to use and fast, it should never be used to store sensitive information.
Data Protection (Rest)
Plist Storage
Last updated 2 years ago