From fdd967c7ce0e42a8f698701881d561db89ea615b Mon Sep 17 00:00:00 2001 From: Rezkon Date: Wed, 28 Feb 2024 20:49:21 +1100 Subject: [PATCH 01/14] Added Realm Database Intercept - Android --- Document/0x05d-Testing-Data-Storage.md | 62 ++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/Document/0x05d-Testing-Data-Storage.md b/Document/0x05d-Testing-Data-Storage.md index 69238899d8..2a6ddec50a 100644 --- a/Document/0x05d-Testing-Data-Storage.md +++ b/Document/0x05d-Testing-Data-Storage.md 
@@ -178,6 +178,68 @@ Realm realm = Realm.getInstance(config); If the database _is not_ encrypted, you should be able to obtain the data. If the database _is_ encrypted, determine whether the key is hard-coded in the source or resources and whether it is stored unprotected in shared preferences or some other location. +However its quite important to be aware that if the database _is_ encrypted, its often possible to obtain the decryption key at runtime this is because the encryption and decryption keys are identical and are invoked at runtime to facilitate access to the Realm file. The frida script below is demonstrating how to intercept the specific Realm key utilized by the Realm database, allowing for the decryption of encrypted database. + +```javascript + +'use strict'; + +function modulus(x, n){ + return ((x % n) + n) % n; +} + +function bytesToHex(bytes) { + for (var hex = [], i = 0; i < bytes.length; i++) { hex.push(((bytes[i] >>> 4) & 0xF).toString(16).toUpperCase()); + hex.push((bytes[i] & 0xF).toString(16).toUpperCase()); + } + return hex.join(""); +} + +function b2s(array) { + var result = ""; + for (var i = 0; i < array.length; i++) { + result += String.fromCharCode(modulus(array[i], 256)); + } + return result; +} + +// Main Modulus and function. + +if(Java.available){ + console.log("Java is available"); + console.log("[+] Android Device.. 
Hooking Realm Configuration."); + + Java.perform(function(){ + var RealmConfiguration = Java.use('io.realm.RealmConfiguration'); + if(RealmConfiguration){ + console.log("[++] Realm Configuration is available"); + Java.choose("io.realm.Realm", { + onMatch: function(instance) + { + console.log("[==] Opened Realm Database...Obtaining the key...") + console.log(instance); + console.log(instance.getPath()); + console.log(instance.getVersion()); + var encryption_key = instance.getConfiguration().getEncryptionKey(); + console.log(encryption_key); + console.log("Length of the key: " + encryption_key.length); + console.log("Decryption Key:", bytesToHex(encryption_key)); + + }, + onComplete: function(instance){ + RealmConfiguration.$init.overload('java.io.File', 'java.lang.String', '[B', 'long', 'io.realm.RealmMigration', 'boolean', 'io.realm.internal.OsRealmConfig$Durability', 'io.realm.internal.RealmProxyMediator', 'io.realm.rx.RxObservableFactory', 'io.realm.coroutines.FlowFactory', 'io.realm.Realm$Transaction', 'boolean', 'io.realm.CompactOnLaunchCallback', 'boolean', 'long', 'boolean', 'boolean').implementation = function(arg1) + { + console.log("[==] Realm onComplete Finished..") + + } + } + + }); + } + }); +} +``` + ### Internal Storage You can save files to the device's [internal storage](https://developer.android.com/training/data-storage#filesInternal "Using Internal Storage"). Files saved to internal storage are containerized by default and cannot be accessed by other apps on the device. When the user uninstalls your app, these files are removed. From d3fbfe1134a22726ea75eed825119d9541d2befc Mon Sep 17 00:00:00 2001 From: Rezkon Date: Wed, 28 Feb 2024 20:50:10 +1100 Subject: [PATCH 02/14] Added Realm Database Intercept - Android --- Document/0x05d-Testing-Data-Storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Document/0x05d-Testing-Data-Storage.md b/Document/0x05d-Testing-Data-Storage.md index 2a6ddec50a..ebd88a76cf 100644 
--- a/Document/0x05d-Testing-Data-Storage.md +++ b/Document/0x05d-Testing-Data-Storage.md @@ -178,7 +178,7 @@ Realm realm = Realm.getInstance(config); If the database _is not_ encrypted, you should be able to obtain the data. If the database _is_ encrypted, determine whether the key is hard-coded in the source or resources and whether it is stored unprotected in shared preferences or some other location. -However its quite important to be aware that if the database _is_ encrypted, its often possible to obtain the decryption key at runtime this is because the encryption and decryption keys are identical and are invoked at runtime to facilitate access to the Realm file. The frida script below is demonstrating how to intercept the specific Realm key utilized by the Realm database, allowing for the decryption of encrypted database. +However its quite important to be aware that if the database _is_ encrypted, its often possible to obtain the decryption key at runtime. This is because the encryption and decryption keys are identical and are invoked at runtime to facilitate access to the Realm file. The frida script below is demonstrating how to intercept the specific Realm key utilized by the Realm database, allowing for the decryption of encrypted database. ```javascript From 69c3a3aa99caffc40cfe2309cfd49055b9c112d6 Mon Sep 17 00:00:00 2001 From: Luke Symons Date: Wed, 13 Mar 2024 18:48:39 +1100 Subject: [PATCH 03/14] Update 0x06d-Testing-Data-Storage.md --- Document/0x06d-Testing-Data-Storage.md | 43 ++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/Document/0x06d-Testing-Data-Storage.md b/Document/0x06d-Testing-Data-Storage.md index 5ab474c00f..ca051272f0 100644 --- a/Document/0x06d-Testing-Data-Storage.md +++ b/Document/0x06d-Testing-Data-Storage.md 
@@ -94,6 +94,49 @@ do { fatalError("Error opening realm: \(error)") } ``` +One critical security concern that warrants attention involves the potential interception or compromise of the encryption key when accessing the Realm database. This arises due to the necessity of supplying the decryption key at runtime, which introduces a window to capture or manipulate the key. The frida script below targets the RLMRealmConfiguration class within the Realm database framework, leveraging its functionality to extract the decryption key. By hooking into this class, the script retrieves the key directly from memory, converting it into a hexadecimal string which then can be used to decrypt the database. +``` + +function nsdataToHex(data) { + var hexStr = ''; + for (var i = 0; i < data.length(); i++) { + var byte = Memory.readU8(data.bytes().add(i)); + hexStr += ('0' + (byte & 0xFF).toString(16)).slice(-2); + } + return hexStr; +} + + +function HookRealm() { + if (ObjC.available) { + console.log("ObjC is available. Attempting to intercept Realm classes..."); + const RLMRealmConfiguration = ObjC.classes.RLMRealmConfiguration; + Interceptor.attach(ObjC.classes.RLMRealmConfiguration['- setEncryptionKey:'].implementation, { + onEnter: function(args) { + var encryptionKeyData = new ObjC.Object(args[2]); + console.log(`Encryption Key Length: ${encryptionKeyData.length()}`); + // Hexdump the encryption key + var encryptionKeyBytes = encryptionKeyData.bytes(); + console.log(hexdump(encryptionKeyBytes, { + offset: 0, + length: encryptionKeyData.length(), + header: true, + ansi: true + })); + + // Convert the encryption key bytes to a hex string + var encryptionKeyHex = nsdataToHex(encryptionKeyData); + console.log(`Encryption Key Hex: ${encryptionKeyHex}`); + }, + onLeave: function(retval) { + console.log('Leaving RLMRealmConfiguration.- setEncryptionKey:'); + } + }); + + } + +} +``` #### Couchbase Lite Databases From 5f97f41df45b4635f870819b6aeaab54a7d42444 Mon Sep 17 00:00:00 2001 
From: Luke Symons Date: Wed, 13 Mar 2024 18:49:09 +1100 Subject: [PATCH 04/14] Update 0x06d-Testing-Data-Storage.md --- Document/0x06d-Testing-Data-Storage.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Document/0x06d-Testing-Data-Storage.md b/Document/0x06d-Testing-Data-Storage.md index ca051272f0..b07bd9b9e3 100644 --- a/Document/0x06d-Testing-Data-Storage.md +++ b/Document/0x06d-Testing-Data-Storage.md @@ -95,8 +95,8 @@ do { } ``` One critical security concern that warrants attention involves the potential interception or compromise of the encryption key when accessing the Realm database. This arises due to the necessity of supplying the decryption key at runtime, which introduces a window to capture or manipulate the key. The frida script below targets the RLMRealmConfiguration class within the Realm database framework, leveraging its functionality to extract the decryption key. By hooking into this class, the script retrieves the key directly from memory, converting it into a hexadecimal string which then can be used to decrypt the database. -``` +```javascript function nsdataToHex(data) { var hexStr = ''; for (var i = 0; i < data.length(); i++) { @@ -106,7 +106,6 @@ function nsdataToHex(data) { return hexStr; } - function HookRealm() { if (ObjC.available) { console.log("ObjC is available. Attempting to intercept Realm classes..."); From 940ade15e153c4a1bd8419db9c4052e924982751 Mon Sep 17 00:00:00 2001 From: Luke Symons Date: Wed, 13 Mar 2024 18:49:47 +1100 Subject: [PATCH 05/14] Update 0x06d-Testing-Data-Storage.md --- Document/0x06d-Testing-Data-Storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Document/0x06d-Testing-Data-Storage.md b/Document/0x06d-Testing-Data-Storage.md index b07bd9b9e3..9fda10ed06 100644 --- a/Document/0x06d-Testing-Data-Storage.md +++ b/Document/0x06d-Testing-Data-Storage.md 
@@ -94,7 +94,7 @@ do { fatalError("Error opening realm: \(error)") } ``` -One critical security concern that warrants attention involves the potential interception or compromise of the encryption key when accessing the Realm database. This arises due to the necessity of supplying the decryption key at runtime, which introduces a window to capture or manipulate the key. The frida script below targets the RLMRealmConfiguration class within the Realm database framework, leveraging its functionality to extract the decryption key. By hooking into this class, the script retrieves the key directly from memory, converting it into a hexadecimal string which then can be used to decrypt the database. +One critical security concern that warrants attention involves the potential interception or compromise of the encryption key when accessing the Realm database. This arises due to the necessity of supplying the decryption key at runtime, which introduces a window to capture or manipulate the key. The frida script below targets the ```RLMRealmConfiguration``` class within the Realm database framework, leveraging its functionality to extract the decryption key. By hooking into this class, the script retrieves the key directly from memory, converting it into a hexadecimal string which then can be used to decrypt the database. ```javascript function nsdataToHex(data) { From bd3a21cdf2a31e5a2534d1ebe97eab492edf957e Mon Sep 17 00:00:00 2001 From: Luke Symons Date: Wed, 13 Mar 2024 18:53:23 +1100 Subject: [PATCH 06/14] Update 0x06d-Testing-Data-Storage.md --- Document/0x06d-Testing-Data-Storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Document/0x06d-Testing-Data-Storage.md b/Document/0x06d-Testing-Data-Storage.md index 9fda10ed06..76dc6cf18c 100644 --- a/Document/0x06d-Testing-Data-Storage.md +++ b/Document/0x06d-Testing-Data-Storage.md 
@@ -94,7 +94,7 @@ do { fatalError("Error opening realm: \(error)") } ``` -One critical security concern that warrants attention involves the potential interception or compromise of the encryption key when accessing the Realm database. This arises due to the necessity of supplying the decryption key at runtime, which introduces a window to capture or manipulate the key. The frida script below targets the ```RLMRealmConfiguration``` class within the Realm database framework, leveraging its functionality to extract the decryption key. By hooking into this class, the script retrieves the key directly from memory, converting it into a hexadecimal string which then can be used to decrypt the database. +One security concern that warrants attention involves the potential interception or compromise of the encryption key when accessing the Realm database. This arises due to the necessity of supplying the decryption key at runtime, which introduces a window to capture the decryption key. The frida script below targets the "```RLMRealmConfiguration```" class within the Realm database framework, leveraging its functionality to extract the decryption key. By hooking into this class, the script retrieves the key directly from memory, converting it into a hexadecimal string which then can be used to decrypt the database. ```javascript function nsdataToHex(data) { From c7ee0c20a664f454de3ac6bf2f0dabbb1747a69e Mon Sep 17 00:00:00 2001 From: Luke Symons Date: Wed, 13 Mar 2024 18:56:27 +1100 Subject: [PATCH 07/14] Update 0x06d-Testing-Data-Storage.md --- Document/0x06d-Testing-Data-Storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Document/0x06d-Testing-Data-Storage.md b/Document/0x06d-Testing-Data-Storage.md index 76dc6cf18c..6672690545 100644 --- a/Document/0x06d-Testing-Data-Storage.md +++ b/Document/0x06d-Testing-Data-Storage.md 
@@ -94,7 +94,7 @@ do { fatalError("Error opening realm: \(error)") } ``` -One security concern that warrants attention involves the potential interception or compromise of the encryption key when accessing the Realm database. This arises due to the necessity of supplying the decryption key at runtime, which introduces a window to capture the decryption key. The frida script below targets the "```RLMRealmConfiguration```" class within the Realm database framework, leveraging its functionality to extract the decryption key. By hooking into this class, the script retrieves the key directly from memory, converting it into a hexadecimal string which then can be used to decrypt the database. +One security concern that warrants attention involves the potential interception or compromise of the encryption key when accessing the Realm database. This arises due to the necessity of supplying the decryption key at runtime, which introduces a window to capture the decryption key. The frida script demostrated below targets the RLMRealmConfiguration class within the Realm database framework, leveraging its functionality to extract the decryption key. By hooking into this class, the script retrieves the key directly from memory, converting it into a hexadecimal string which then can be used to decrypt the database. ```javascript function nsdataToHex(data) { From 19d2132d1c937a3a7053ff6c86080cfb4e89b108 Mon Sep 17 00:00:00 2001 From: Luke Symons Date: Wed, 13 Mar 2024 18:58:55 +1100 Subject: [PATCH 08/14] Update 0x06d-Testing-Data-Storage.md --- Document/0x06d-Testing-Data-Storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Document/0x06d-Testing-Data-Storage.md b/Document/0x06d-Testing-Data-Storage.md index 6672690545..68cb1c6a53 100644 --- a/Document/0x06d-Testing-Data-Storage.md +++ b/Document/0x06d-Testing-Data-Storage.md 
@@ -94,7 +94,7 @@ do { fatalError("Error opening realm: \(error)") } ``` -One security concern that warrants attention involves the potential interception or compromise of the encryption key when accessing the Realm database. This arises due to the necessity of supplying the decryption key at runtime, which introduces a window to capture the decryption key. The frida script demostrated below targets the RLMRealmConfiguration class within the Realm database framework, leveraging its functionality to extract the decryption key. By hooking into this class, the script retrieves the key directly from memory, converting it into a hexadecimal string which then can be used to decrypt the database. +One security concern that warrants attention involves the potential interception or compromise of the encryption key when accessing the Realm database. This arises due to the necessity of supplying the decryption key at runtime, which introduces a window to capture the decryption key. The frida script demonstrated below targets the RLMRealmConfiguration class within the Realm database framework, leveraging its functionality to extract the decryption key. By hooking into this class, the script retrieves the key directly from memory, converting it into a hexadecimal string which then can be used to decrypt the database. ```javascript function nsdataToHex(data) { From 101b0d3e9205c763f3ba6fc1381cf11e42f28ebe Mon Sep 17 00:00:00 2001 From: Luke Symons Date: Wed, 13 Mar 2024 19:02:33 +1100 Subject: [PATCH 09/14] Update 0x06d-Testing-Data-Storage.md --- Document/0x06d-Testing-Data-Storage.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Document/0x06d-Testing-Data-Storage.md b/Document/0x06d-Testing-Data-Storage.md index 68cb1c6a53..f0e2fd4bb9 100644 --- a/Document/0x06d-Testing-Data-Storage.md +++ b/Document/0x06d-Testing-Data-Storage.md 
@@ -94,8 +94,10 @@ do { fatalError("Error opening realm: \(error)") } ``` + One security concern that warrants attention involves the potential interception or compromise of the encryption key when accessing the Realm database. This arises due to the necessity of supplying the decryption key at runtime, which introduces a window to capture the decryption key. The frida script demonstrated below targets the RLMRealmConfiguration class within the Realm database framework, leveraging its functionality to extract the decryption key. By hooking into this class, the script retrieves the key directly from memory, converting it into a hexadecimal string which then can be used to decrypt the database. + ```javascript function nsdataToHex(data) { var hexStr = ''; @@ -137,6 +139,7 @@ function HookRealm() { } ``` + #### Couchbase Lite Databases [Couchbase Lite](https://github.com/couchbase/couchbase-lite-ios "Couchbase Lite") is a lightweight, embedded, document-oriented (NoSQL) database engine that can be synced. It compiles natively for iOS and macOS. From 649f20c80e0808d8a192777a43d00cc01e2b7a54 Mon Sep 17 00:00:00 2001 From: Luke Symons Date: Wed, 13 Mar 2024 19:05:36 +1100 Subject: [PATCH 10/14] Update 0x06d-Testing-Data-Storage.md --- Document/0x06d-Testing-Data-Storage.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/Document/0x06d-Testing-Data-Storage.md b/Document/0x06d-Testing-Data-Storage.md index f0e2fd4bb9..20fe8356c3 100644 --- a/Document/0x06d-Testing-Data-Storage.md +++ b/Document/0x06d-Testing-Data-Storage.md 
@@ -97,7 +97,6 @@ do { One security concern that warrants attention involves the potential interception or compromise of the encryption key when accessing the Realm database. This arises due to the necessity of supplying the decryption key at runtime, which introduces a window to capture the decryption key. The frida script demonstrated below targets the RLMRealmConfiguration class within the Realm database framework, leveraging its functionality to extract the decryption key. By hooking into this class, the script retrieves the key directly from memory, converting it into a hexadecimal string which then can be used to decrypt the database. - ```javascript function nsdataToHex(data) { var hexStr = ''; @@ -139,7 +138,6 @@ function HookRealm() { } ``` - #### Couchbase Lite Databases [Couchbase Lite](https://github.com/couchbase/couchbase-lite-ios "Couchbase Lite") is a lightweight, embedded, document-oriented (NoSQL) database engine that can be synced. It compiles natively for iOS and macOS. From 52c156402c5f42d538d78dde5c42600ca91ec240 Mon Sep 17 00:00:00 2001 From: Luke Symons Date: Wed, 13 Mar 2024 19:08:28 +1100 Subject: [PATCH 11/14] Update 0x06d-Testing-Data-Storage.md --- Document/0x06d-Testing-Data-Storage.md | 1 - 1 file changed, 1 deletion(-) diff --git a/Document/0x06d-Testing-Data-Storage.md b/Document/0x06d-Testing-Data-Storage.md index 20fe8356c3..68cb1c6a53 100644 --- a/Document/0x06d-Testing-Data-Storage.md +++ b/Document/0x06d-Testing-Data-Storage.md 
@@ -94,7 +94,6 @@ do { fatalError("Error opening realm: \(error)") } ``` - One security concern that warrants attention involves the potential interception or compromise of the encryption key when accessing the Realm database. This arises due to the necessity of supplying the decryption key at runtime, which introduces a window to capture the decryption key. The frida script demonstrated below targets the RLMRealmConfiguration class within the Realm database framework, leveraging its functionality to extract the decryption key. By hooking into this class, the script retrieves the key directly from memory, converting it into a hexadecimal string which then can be used to decrypt the database. ```javascript From 70b1fe772f525ba3cea4b66235e7b13d0d7b79af Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Thu, 2 May 2024 07:41:26 +0200 Subject: [PATCH 12/14] Apply suggestions from code review Co-authored-by: Sven --- Document/0x05d-Testing-Data-Storage.md | 5 +++-- Document/0x06d-Testing-Data-Storage.md | 5 ++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/Document/0x05d-Testing-Data-Storage.md b/Document/0x05d-Testing-Data-Storage.md index ebd88a76cf..8357baeb88 100644 --- a/Document/0x05d-Testing-Data-Storage.md +++ b/Document/0x05d-Testing-Data-Storage.md 
@@ -176,9 +176,10 @@ Realm realm = Realm.getInstance(config); ``` -If the database _is not_ encrypted, you should be able to obtain the data. If the database _is_ encrypted, determine whether the key is hard-coded in the source or resources and whether it is stored unprotected in shared preferences or some other location. -However its quite important to be aware that if the database _is_ encrypted, its often possible to obtain the decryption key at runtime. This is because the encryption and decryption keys are identical and are invoked at runtime to facilitate access to the Realm file. The frida script below is demonstrating how to intercept the specific Realm key utilized by the Realm database, allowing for the decryption of encrypted database. +Access to the data depends on the encryption: unencrypted databases are easily accessible, while encrypted ones require investigation into how the key is managed - whether it's hardcoded or stored unencrypted in an insecure location such as shared preferences, or securely in the platform's KeyStore (which is best practice). + +However, if an attacker has sufficient access to the device (e.g. root access) or can repackage the app, they can still retrieve encryption keys at runtime using tools like Frida. The following Frida script demonstrates how to intercept the Realm encryption key and access the contents of the encrypted database. ```javascript diff --git a/Document/0x06d-Testing-Data-Storage.md b/Document/0x06d-Testing-Data-Storage.md index 68cb1c6a53..dbc95429d7 100644 --- a/Document/0x06d-Testing-Data-Storage.md +++ b/Document/0x06d-Testing-Data-Storage.md 
@@ -94,7 +94,10 @@ do { fatalError("Error opening realm: \(error)") } ``` -One security concern that warrants attention involves the potential interception or compromise of the encryption key when accessing the Realm database. This arises due to the necessity of supplying the decryption key at runtime, which introduces a window to capture the decryption key. The frida script demonstrated below targets the RLMRealmConfiguration class within the Realm database framework, leveraging its functionality to extract the decryption key. By hooking into this class, the script retrieves the key directly from memory, converting it into a hexadecimal string which then can be used to decrypt the database. + +Access to the data depends on the encryption: unencrypted databases are easily accessible, while encrypted ones require investigation into how the key is managed - whether it's hardcoded or stored unencrypted in an insecure location such as shared preferences, or securely in the platform's KeyStore (which is best practice). + +However, if an attacker has sufficient access to the device (e.g. jailbroken access) or can repackage the app, they can still retrieve encryption keys at runtime using tools like Frida. The following Frida script demonstrates how to intercept the Realm encryption key and access the contents of the encrypted database. ```javascript function nsdataToHex(data) { From cd5726910fc0fb499380e8733f8f7dc4abdf5e36 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Thu, 2 May 2024 07:42:45 +0200 Subject: [PATCH 13/14] fix md --- Document/0x05d-Testing-Data-Storage.md | 1 - 1 file changed, 1 deletion(-) diff --git a/Document/0x05d-Testing-Data-Storage.md b/Document/0x05d-Testing-Data-Storage.md index 8357baeb88..9dd0ade323 100644 --- a/Document/0x05d-Testing-Data-Storage.md +++ b/Document/0x05d-Testing-Data-Storage.md 
@@ -176,7 +176,6 @@ Realm realm = Realm.getInstance(config); ``` - Access to the data depends on the encryption: unencrypted databases are easily accessible, while encrypted ones require investigation into how the key is managed - whether it's hardcoded or stored unencrypted in an insecure location such as shared preferences, or securely in the platform's KeyStore (which is best practice). However, if an attacker has sufficient access to the device (e.g. root access) or can repackage the app, they can still retrieve encryption keys at runtime using tools like Frida. The following Frida script demonstrates how to intercept the Realm encryption key and access the contents of the encrypted database. From ba9d1e8819096690fc4a907d1a07b19f641c9539 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Thu, 2 May 2024 07:44:08 +0200 Subject: [PATCH 14/14] fix md --- Document/0x06d-Testing-Data-Storage.md | 1 - 1 file changed, 1 deletion(-) diff --git a/Document/0x06d-Testing-Data-Storage.md b/Document/0x06d-Testing-Data-Storage.md index dbc95429d7..76c05d2497 100644 --- a/Document/0x06d-Testing-Data-Storage.md +++ b/Document/0x06d-Testing-Data-Storage.md @@ -96,7 +96,6 @@ do { ``` Access to the data depends on the encryption: unencrypted databases are easily accessible, while encrypted ones require investigation into how the key is managed - whether it's hardcoded or stored unencrypted in an insecure location such as shared preferences, or securely in the platform's KeyStore (which is best practice). - However, if an attacker has sufficient access to the device (e.g. jailbroken access) or can repackage the app, they can still retrieve encryption keys at runtime using tools like Frida. The following Frida script demonstrates how to intercept the Realm encryption key and access the contents of the encrypted database. ```javascript
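Review bot: In [PATCH 01/14] (Android script added to `0x05d-Testing-Data-Storage.md`), the `onComplete` callback replaces the 17-argument `RealmConfiguration.$init` overload with a body that only logs and never calls the original constructor, so any `RealmConfiguration` created after the script loads is left uninitialised and the app under test is likely to break. The key is already read in `onMatch`, so the override adds nothing and I would drop it; as written it also declares a single `arg1` for a 17-parameter overload, and `onComplete` is declared with an `instance` parameter that Frida does not pass. In `onMatch`, the result of `getEncryptionKey()` is used without a null check (`encryption_key.length`), which throws for a Realm opened without a key. `modulus` and `b2s` are defined but never called and can be removed.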
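Review bot: In [PATCH 03/14] (iOS script added to `0x06d-Testing-Data-Storage.md`), `HookRealm()` is defined but nothing in the block calls it, so loading the script as documented installs no hook; add the call at the end of the script or state in the text that the reader has to invoke it. Inside the function, `const RLMRealmConfiguration` is assigned and then unused (the next line goes back to `ObjC.classes.RLMRealmConfiguration['- setEncryptionKey:']`), and there is no check that the class exists before `.implementation` is read, which fails in an app that does not include Realm. `args[2]` is wrapped in `new ObjC.Object(...)` without checking for nil. The opening fence has no language tag here; [PATCH 04/14] adds `javascript`, which belongs in this commit.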
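Review bot: [PATCH 04/14] through [PATCH 11/14] are eight commits, all titled "Update 0x06d-Testing-Data-Storage.md", that only retag the fence, reword the same introductory paragraph and move blank lines; please squash them into [PATCH 03/14] and give the result a subject that says what changed. [PATCH 07/14] introduces the typo "demostrated" that [PATCH 08/14] corrects, and [PATCH 09/14] to [PATCH 11/14] add three blank lines and remove them again, ending on blob 68cb1c6a53, the same blob [PATCH 08/14] had already produced.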
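Review bot: In [PATCH 12/14], the paragraph added to `0x06d-Testing-Data-Storage.md` is the Android wording carried over unchanged into the iOS chapter: "shared preferences" and "the platform's KeyStore" are Android terms, and the iOS counterparts are `UserDefaults` and the Keychain, so the sentence should be adapted; "e.g. jailbroken access" would also read better as "e.g. a jailbroken device". In both files the closing sentence says the script will "access the contents of the encrypted database", but the scripts in this series only log the key, so "intercept the Realm encryption key, which can then be used to open the database" would match what they do.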
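Review bot: In [PATCH 14/14], the single removed line is the empty line between "(which is best practice)." and "However, if an attacker", so the two paragraphs in the iOS chapter will render as one. [PATCH 13/14] removes a different line in the Android chapter, the empty one before "Access to the data", and keeps the paragraph break. Please restore the break here so the two chapters match, and describe in the subject which Markdown problem "fix md" addresses.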