Security Risk: Insecure Data Storage

Learn about vulnerabilities arising from insecure data storage assumptions on mobile devices. Mitigate risks with encryption and adequate storage mechanisms.

Overview

This vulnerability arises when development teams assume that neither users nor malware will have access to a mobile device's filesystem, and therefore to the sensitive information held in data stores on the device. Insecure data storage can lead to data loss for users and pose severe business risks, including identity theft, fraud, reputation damage, and violations of external policies.


Description

Vulnerabilities related to insecure data storage occur when development teams assume that neither users nor malware will have access to a mobile device's filesystem, and therefore to the sensitive information stored on the device. Filesystems are easily accessible, and organizations should anticipate a malicious user or malware inspecting sensitive data stores. When data is not adequately protected, freely available tools (a file browser and a database viewer) are all that is required to read application data. This vulnerability can result in data loss, compromised user credentials, and the exposure of other sensitive information.


How to Prevent?

To mitigate insecure data storage, developers must adhere to best practices. The fundamental rule is to refrain from storing data unless absolutely necessary. Developers should assume that data is compromised as soon as it touches the device and consider the implications of a jailbreak or root exploit. Encryption should be applied to sensitive information assets, and appropriate storage mechanisms should be used, such as the iOS Keychain for iOS apps or SQLCipher for SQLite database encryption on Android. Developers should also not rely solely on hardcoded encryption or decryption keys, since a key embedded in the app binary is recoverable by anyone who has the app.


Example Attack Scenarios:

  • Visual Example: iGoat App: The iGoat app is a deliberately vulnerable mobile app that lets users explore insecure data storage vulnerabilities. In one scenario, the user enters their credentials and logs into a fake bank app. Upon navigating the file system, they discover a database named 'credentials.sqlite' that stores their username and password in plain text.
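As an added example that is not part of this page or the iGoat project, the following Python script shows the check a reviewer would run against a copy of an app's data directory: it opens a SQLite store and flags sensitive-looking columns whose rows are readable with nothing more than the standard sqlite3 module, which is exactly the condition the iGoat scenario describes. The sample 'credentials.sqlite' it builds is constructed here; the column-name pattern is an assumption to extend per app.

```python
import os
import re
import sqlite3
import tempfile

# Column names that commonly hold secrets (assumed list; extend for the app under review).
SENSITIVE_COLUMN = re.compile(r"(pass(word|wd)?|secret|token|pin|credential|api_?key)", re.I)


def _looks_plaintext(value):
    """Heuristic: printable text is readable as-is; BLOBs and empty values are not.
    A BLOB is not proof of sound encryption (the key may still be hardcoded),
    but it at least means the value cannot be read straight out of the file."""
    return isinstance(value, str) and value.strip() != "" and value.isprintable()


def audit_sqlite(db_path):
    """Return [(table, column, value)] for sensitive-looking columns whose rows
    are readable without any key, i.e. the insecure-storage pattern."""
    findings = []
    con = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for col in cols:
                if not SENSITIVE_COLUMN.search(col):
                    continue
                for (val,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                    if _looks_plaintext(val):
                        findings.append((table, col, val))
    finally:
        con.close()
    return findings


def make_sample_db(directory):
    """Constructed sample mimicking iGoat's credentials.sqlite (not real data)."""
    path = os.path.join(directory, "credentials.sqlite")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE credentials (username TEXT, password TEXT)")
    con.execute("INSERT INTO credentials VALUES ('alice', 'hunter2')")
    # An opaque BLOB stands in for a value encrypted under a key held outside the store.
    con.execute("CREATE TABLE tokens (session_token BLOB)")
    con.execute("INSERT INTO tokens VALUES (?)", (os.urandom(16),))
    con.commit()
    con.close()
    return path


def demo():
    """Build the sample store in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as d:
        return audit_sqlite(make_sample_db(d))


if __name__ == "__main__":
    for table, col, val in demo():
        print(f"plaintext secret: {table}.{col} = {val!r}")
```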