# Decrypting Bigbasket's Insecure Storage

**Hello Everyone!**

This is my first write-up.

I am **Lohith Gowda M** (Security Engineer). Due to COVID-19, most of the employees got the work-from-home option. It helped me to learn something new in Bug Bounty. I started my bug bounty journey in June 2020.

Working as a Security Engineer and part-time Bug Bounty is a great way to learn something new in this field, and we can also implement it in our daily working life.

I thank my team ([Vishva](https://www.linkedin.com/in/vishva-shankar/), [Harish](https://www.linkedin.com/in/harish-channegowda-231909106/)) and [Hacktify Cybersecurity](https://hacktify.in/) for their support and guidance.

This write-up about the Bigbasket **Insecure Data Storage Vulnerability**

I found one of the Bigbasket apps using `allow backup method=true`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708363559932/26499129-ada2-420b-9963-5ba9e45e6807.png align="center")

**What is allow backup flag in Android?**

The `android:allowBackup` attribute defines whether application data can be backed up and restored by a user who has enabled USB debugging. If the backup flag is set to true, it allows an attacker to take the backup of the application data via ADB even if the device is not rooted. Therefore, applications that handle and store sensitive information such as card details, passwords, etc. should have this setting explicitly set to false because by default it is set to true to prevent such risks.

`<application android:allowBackup="false" </application>`

ADB Backup feature is a good tool for backing up all of your files. If it’s enabled, malicious users who have your phone can copy all of the sensitive data for this app on your phone. It was found that if an attacker had access to an unlocked phone, they could take any data from the application’s sandbox through ADB’s backup feature.

If `android:allowBackup="true"` we can easily extract any data from the root storage (Android shared Preferences and Db) if data is not encrypted.

> *Most of the Bug Bounty program will not accept this bug because of its required physical access to the device. But if you got any sensitive data related to the internal infra, report it immediately.*

For this exploitation, I used the Genymotion emulator and Kali Linux for ADB debugging.

1. Installed Genymotion on my machine (Available for `Windows, Linux, and Mac OS`)
    
2. After that, installed the Android device on my emulator `Android v 8.1`
    
3. The setup was completed, and then I installed one of the Big Basket apps on my device.
    
4. I used the following command for debugging the application on Kali Linux.
    

`ADB Connect to the device`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708363576532/6d99f9ad-ced7-489f-90a5-43b6a80581ca.png align="left")

`Vrified device is connected or not.`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708363590202/7429ee5f-e53d-412f-b4c2-8c7814dfc3b3.png align="left")

`Then I entered the command for backup mobile along with the package name.`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708363699997/d7f4091d-fb55-40de-889e-5400e909a9b6.png align="left")

`The backup screen on the device. Please click on backup my data.`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708363773954/dcc2b313-b7e1-4fcf-b878-25e626770fa8.png align="left")

Once we confirm, it will create an Android backup file with a `.ab` extension. Usually, the first 24 bytes will be the header. So, we will use the **DD** tool to remove the first 24 bytes and create a tar file of the remaining part. This can be done as shown below (Use the below command for any backup file). Some other **DD** commands are available but sometimes it will not work, so I used this one).

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708363804450/c7e2e8c4-7e73-43af-b690-938014662ce6.png align="center")

The above command skips the first block from the input file, which is the header part of our Android backup. (This one example file, not the real one, usually will give a large number of records here only `23 bytes`)

Now, create a `.list`file from the tar file we generated in the previous step. This is to ensure proper order when repacking the backup.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708363836708/668f3670-0322-4ca5-8b7e-498a23e4fb8e.png align="left")

We should have the following files with us now. (You can give any name for a backup file, but the package name should be the same)

`bountybackup. ab`  - Actual Android backup was taken from the device

`bountybackup.tar`  -  File generated using dd

`bountybackup. list`  -  File generated using the tar file

`We can simply extract the bountybackup.tar file using the following command`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708363849225/a0266dd7-11ad-40c6-947f-9f77379e1c20.png align="left")

**Backup File**

1. Once this backup procedure is completed, then we have a new folder named `apps`. We can get into this directory to view the app-specific information.
    
2. Navigate to the package name folder and go to the SP folder.
    

**What is an SP Folder in Android?**

**Android Shared Preferences:** a common component of Android applications  is a set of APIs that manages the developer data of every type, providing a clean way to permanently store and retrieve them from the device. They are used almost in every Android app.

Now We have a `SP` folder that contains the XML file storing our target app data. I found `internal dashboard IP` and `secret tokens` here.

**Here is some POC of my Findings**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708363893698/cf7cc512-7ad3-4895-a9c2-589983e084fd.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708363908189/6716466a-430e-4a39-8143-2c4d3613d26e.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708363918831/b8afd951-ebba-435e-9a0d-3e677d3b2764.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708363945431/d1f78714-2b3c-49a6-aaf3-bdcb7d1c01f5.png align="center")

I’ve been rewarded by their Security team and acknowledged in their [Hall of Fame](https://tech.bigbasket.com/security-at-bigbasket-5eaaa6fa7c89#:~:text=Kshitiz%20Raj-,Lohith%20Gowda%20M,-Magesh%20Baskaran).

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708159953072/a42d6071-82c4-423d-b278-47cda5cb07fb.png align="center")

**Report Timeline:**

* Mon, 5 Oct 2020, 01:04  - Bug Reported To Big Basket Security Team.
    
* Tue, 6 Oct 2020, 10:00  - Got First Response from Team
    
* Mon, 12 Oct 2020, 18:25 - Accepted
    
* Tue, 8 Dec 2020, 11:26  -  Bug was Marked fixed
    
* Tue, 8 Dec 2020, 07:38  - Re-tested and confirmed the fix
    
* Fri, 8 Jan 2021, 10:27 -  Rewarded with Bounty + [Hall Of Fame](https://tech.bigbasket.com/security-at-bigbasket-5eaaa6fa7c89#:~:text=Kshitiz%20Raj-,Lohith%20Gowda%20M,-Magesh%20Baskaran)
