M2: Insecure Data Storage

Overview

This JSON response provides information about the OWASP M2: Insecure Data Storage vulnerability. It explains the threat agents, attack vectors, security weakness, technical impacts, and business impacts associated with this vulnerability. The JSON also includes information on how to prevent insecure data storage and provides an example attack scenario. References to the OWASP iOS Developer Cheat Sheet and other external resources are also included.

Description

The M2: Insecure Data Storage vulnerability is a security weakness that occurs when development teams assume that users or malware will not have access to a mobile device's file system and the sensitive information stored on the device. This vulnerability can result in data loss, extraction of sensitive information via mobile malware or modified apps, and various business impacts including identity theft, fraud, reputation damage, and material loss. To prevent insecure data storage, it is important to threat model your mobile app, OS, platforms, and frameworks. This JSON response also includes an example attack scenario demonstrating how credentials can be stored in plain text and accessed by an adversary.

How to Prevent ?

To prevent insecure data storage, threat model your mobile app, OS, platforms, and frameworks. Understand the information assets your app processes and how APIs handle those assets. Pay attention to features such as URL caching, keyboard press caching, copy/paste buffer caching, application backgrounding, intermediate data, logging, HTML5 data storage, browser cookie objects, and analytics data sent to third parties.

Example Attack Scenarios:

• A Visual Example:  In a purposefully vulnerable mobile app called iGoat, credentials are stored in plain text in a database called 'credentials.sqlite'. An attacker who gains access to the file system can easily retrieve the username and credentials stored in the database.