Penetration Testing Security Vulnerability in moodle mobile app

by Mahesh Koppisetti -

Hi Team,

We found some issues while performing penetration testing (PT) on the Moodle mobile app; the issues below are security vulnerabilities. Can someone from the forum give their support in fixing these issues, so that we can pay for and use your service? Thank you.

ISSUE NAME: Unencrypted database files
SOLUTION: Implement database encryption.

ISSUE NAME: Unencrypted shared preferences
SOLUTION: SharedPreferences should be encrypted. There are three ways to do so:
1. Encrypt the whole file with a key.
2. Use the EncryptedSharedPreferences released by Google to encrypt the SharedPreferences file, but for this the minimum API level should be equal to or greater than 2
3. Use the third-party encryption library called 'Secure Preference'.

Regards,

Mahesh K.


Re: Penetration Testing Security Vulnerability in moodle mobile app

by Juan Leyva -
Hi,

Regarding the "Unencrypted shared preferences" issue: this does not affect the app's security because we don't store any sensitive user data there; it is used by some native plugins.

Regarding the "Unencrypted database files" issue: we have had some discussions about database encryption, and it is a really tricky issue. There are several approaches to this (from a technical point of view):
- Generating a key per device, like WhatsApp does, but this is insecure by nature and easy to crack.
- Generating a key at the server level and retrieving it when the user is authenticated. In this case we will have several problems: the key will still be in memory, so it won't be difficult to get it from there; if the key is lost/deleted/removed from the server, the user won't be able to access previously stored data; the user will also be constantly asked to enter his password; and, finally, the app will not work offline.

None of the above would work for us, so, unfortunately, right now we have to rely on the Android device security when storing the database in the root folder of the app.

The issue with automated tools is that they usually output generic results that indicate where an exploit may be possible, which means the results often contain many false positives and do not go deep into the root of the problem.

For more information about how we approach security issues: https://docs.moodle.org/310/en/Moodle_app_security
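The key-placement trade-off that both posts circle around (option 1 in the question, "encrypt the whole file with a key", and the "key per device" versus "key from the user" approaches in the reply) can be made concrete with a small model. The following is an added example written for this thread; it is not code from the Moodle app or from either poster. It uses Node's built-in crypto module and a constructed in-memory map standing in for the app's private data directory; the file names, the sample database contents, and the "attacker copies the app folder" model are assumptions made for illustration.

```typescript
// Added example, not Moodle app code. Models where an encryption key can live and what an
// attacker who copies the app's root folder gets in each case.
import { randomBytes, createCipheriv, createDecipheriv, scryptSync } from "crypto";

// Constructed stand-in for the app's private data directory: file name -> file bytes.
// Everything in it is readable by whoever can read the app folder (root, backup, forensic image).
type AppDir = Map<string, Buffer>;

const ALGO = "aes-256-gcm"; // authenticated encryption: a wrong key is detected, not silently decrypted

// "Encrypt the whole file with a key" (option 1 in the question).
// Output layout: iv (12 bytes) || GCM tag (16 bytes) || ciphertext.
function encryptFile(plaintext: Buffer, key: Buffer): Buffer {
  const iv = randomBytes(12);
  const cipher = createCipheriv(ALGO, key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Returns null when the key is wrong or the file was tampered with (the GCM tag check fails).
function decryptFile(blob: Buffer, key: Buffer): Buffer | null {
  const iv = blob.subarray(0, 12);
  const tag = blob.subarray(12, 28);
  const ct = blob.subarray(28);
  const decipher = createDecipheriv(ALGO, key, iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]);
  } catch {
    return null;
  }
}

// Approach A, "key per device": the app generates a random key, but it must be able to read it back
// without any user interaction, so the key ends up on disk next to the database it protects.
function storeWithDeviceKey(dir: AppDir, db: Buffer): void {
  const key = randomBytes(32);
  dir.set("device.key", key); // assumed file name
  dir.set("moodle.db.enc", encryptFile(db, key)); // assumed file name
}

// Approach B, key derived from the user's password: only a salt is written to disk. The app has to ask
// for the password (or keep the derived key in memory) whenever it opens the data; it works offline,
// and a forgotten or changed password means the previously stored data is gone.
function storeWithPasswordKey(dir: AppDir, db: Buffer, password: string): void {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, 32);
  dir.set("db.salt", salt); // assumed file name
  dir.set("moodle.db.enc", encryptFile(db, key));
}

function openWithPasswordKey(dir: AppDir, password: string): Buffer | null {
  const salt = dir.get("db.salt");
  const blob = dir.get("moodle.db.enc");
  if (!salt || !blob) return null;
  return decryptFile(blob, scryptSync(password, salt, 32));
}

// Attacker model from the reply: someone who can copy the app's root folder and run the same code the
// app runs, with no password. Returns the recovered database, or null if the folder alone is not enough.
function attackerWithFolderCopy(dir: AppDir): Buffer | null {
  const blob = dir.get("moodle.db.enc");
  if (!blob) return null;
  const key = dir.get("device.key");
  if (key) return decryptFile(blob, key); // approach A: the key is right there on disk
  return null; // approach B: only salt + ciphertext; guessing the password is the only route left
}

// Constructed sample data, not real app contents.
const sampleDb = Buffer.from("constructed sample: user=alice token=abc123", "utf8");

const dirA: AppDir = new Map();
storeWithDeviceKey(dirA, sampleDb);
console.log("device key:", attackerWithFolderCopy(dirA)?.toString()); // prints the whole database

const dirB: AppDir = new Map();
storeWithPasswordKey(dirB, sampleDb, "correct horse");
console.log("password key, folder only:", attackerWithFolderCopy(dirB)); // null
console.log("password key, wrong password:", openWithPasswordKey(dirB, "wrong")); // null
```

The model shows why the reply calls a per-device key "insecure by nature": the key is a file in the same folder as the ciphertext, so the encryption only adds a step for an attacker who already has the folder. It also shows the cost of the alternative the reply rejects: with a password- or server-derived key, nothing on disk can recover the data, which is exactly the "constantly asked for the password" and "data lost if the key is lost" problems described.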