@NinjaXshell
Last active August 2, 2018 14:27
Security advisory: Unencrypted storage of information in MakeMyTrip 7.2.4
The full advisory (that includes all technical details) can be found below:
Description: Unencrypted storage of confidential information
Affects: MakeMyTrip version 7.2.4 for Android
Vendor: MakeMyTrip Android Application
Tested on: Android v5.1
Severity: Medium
Discovery: NinjaXshell
Background
MakeMyTrip is a popular application that is used to book hotels and flights and that stores various confidential information.
The Android application is advertised to secure all confidential information.
Description
The Android application folder was found to contain SQLite database files in the subdirectories data/com.makemytrip/Cache and data/com.makemytrip/databases. These directories are used to store the application's databases. The confidential information is stored in cleartext and can be retrieved from the SQLite databases.
Impact
By obtaining access to the file system of an Android device, an attacker can retrieve databases from the MakeMyTrip application directory. The information that can be retrieved from the content of entries in the MakeMyTrip.
An attacker can obtain access to the file system of an Android device by rooting the device. Consequently, the confidentiality of information that is stored by version 7.2.4 (and possibly earlier versions) of the MakeMyTrip application is at risk on Android devices that can be rooted.
Solution
All confidential information that is stored on the device should be encrypted. If confidential data is stored in a remote location for backup purposes, the copy of the confidential data should also be encrypted.
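One way to check whether a fix for the issue described above has taken effect, as an added example that is not part of the original advisory: the script walks a copy of an app data directory taken from a test device and reports every database that opens without a key. The sample directory, file names and table are constructed for the demonstration; an unencrypted SQLite file always begins with the 16-byte header checked here, while a file encrypted as a whole (SQLCipher's default, for instance) does not.

```python
import os
import pathlib
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every unencrypted SQLite file

def is_plaintext_sqlite(path):
    """True if the file starts with the standard SQLite header, i.e. is not encrypted."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def audit_app_dir(root):
    """Walk a copy of an app data directory and return {relative path: [table names]}
    for every database that can be read without a key."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_plaintext_sqlite(path):
                continue  # not SQLite, or encrypted at file level
            uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"  # never modify evidence
            con = sqlite3.connect(uri, uri=True)
            try:
                rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
                tables = [r[0] for r in rows]
            except sqlite3.DatabaseError:
                tables = []  # header present but file truncated or corrupt
            finally:
                con.close()
            findings[os.path.relpath(path, root)] = tables
    return findings

def build_sample_dir():
    """Constructed sample: one cleartext database and one opaque file standing in for an encrypted store."""
    dbdir = os.path.join(tempfile.mkdtemp(), "databases")
    os.makedirs(dbdir)
    con = sqlite3.connect(os.path.join(dbdir, "sample.db"))
    con.execute("CREATE TABLE traveller (name TEXT, email TEXT)")
    con.commit()
    con.close()
    with open(os.path.join(dbdir, "encrypted.db"), "wb") as fh:
        fh.write(os.urandom(4096))
    return os.path.dirname(dbdir)

if __name__ == "__main__":
    for db, tables in audit_app_dir(build_sample_dir()).items():
        print("cleartext database:", db, "tables:", tables)
```

An empty result means no database in the directory is readable as plain SQLite. A database that still shows the plain header may hold individually encrypted column values, so its contents need a manual look before it is counted as a finding.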
Recommendation
The local database directly affects the confidentiality of information that is stored using version 7.2.4 of the MakeMyTrip Android application. Users of the MakeMyTrip Android application are therefore recommended to update the application to a version that solves the described issues or to use an alternative.
References
https://www.owasp.org/index.php/Mobile_Top_10_2016-M2-Insecure_Data_Storage