
Insecure Data Storage

Learn about insecure data storage vulnerabilities that can lead to data loss, compromised credentials, and sensitive information exposure. Take preventive steps to secure your app's data.

Overview

This vulnerability occurs when development teams assume that users or malware will not have access to a mobile device's filesystem, and therefore to the sensitive information held in data stores on the device. Insecure data storage can result in data loss for users and pose serious business risks such as identity theft, fraud, reputation damage, and external policy violations.


Description

Insecure data storage vulnerabilities occur when development teams assume that users or malware will not have access to a mobile device's filesystem, and therefore to the sensitive information held in data stores on the device. Filesystems are easily accessible, and organizations should expect a malicious user or malware to inspect sensitive data stores. When data is not protected properly, freely available tools are all that is needed to view application data. This vulnerability can result in data loss, compromised user credentials, and other sensitive information being exposed.


How to Prevent?

To prevent insecure data storage, it is important for developers to follow best practices. The cardinal rule is to not store data unless absolutely necessary. Developers should assume that the data is forfeited as soon as it touches the device and consider the implications of a jailbreak or root exploit. Encryption should be applied to sensitive information assets, and appropriate storage mechanisms should be used, such as the iOS Keychain for iOS apps or SQLCipher for SQLite database encryption on Android. Developers should also avoid relying exclusively on hardcoded encryption or decryption keys.


Example Attack Scenarios

  • Visual Example: iGoat App: The iGoat app is a purposefully vulnerable mobile app that allows users to explore insecure data storage vulnerabilities. In one scenario, the user enters their credentials and logs into a fake bank app. Upon navigating the file system, they discover a database called 'credentials.sqlite' that stores their username and credentials in plain text.
