10 Mar, 2023

Insecure data storage in mobile apps

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

Insecure data storage refers to the practice of storing sensitive or private data in an unsecured or easily accessible manner. In the context of mobile apps, insecure data storage can occur when apps store sensitive user information such as passwords, personal identification information, financial data, or other confidential information on the device’s file system or database without proper encryption or protection.

Mobile apps that store user data insecurely can be vulnerable to hacking, data breaches, or unauthorized access. This can result in the compromise of sensitive user information, identity theft, financial fraud, or other forms of cybercrime.

Example of vulnerable code on different programming languages:


In Java,
a vulnerable code example for insecure data storage in mobile apps could look like this:

				
					private void saveCredentials(String username, String password) {
    try {
        FileOutputStream fos = openFileOutput("credentials.txt", Context.MODE_PRIVATE);
        fos.write(username.getBytes());
        fos.write(password.getBytes());
        fos.close();
    } catch (Exception e) {
        e.printStackTrace();
    }
}

				
			


In the above code, the saveCredentials method is used to store the user’s credentials in a file called “credentials.txt” in the app’s private data directory. However, this code does not use any encryption or hashing techniques to secure the user’s data. Therefore, if an attacker gains access to the device, they can easily retrieve the user’s username and password.

In Swift, a vulnerable code example for insecure data storage in mobile apps could look like this:

				
					func saveCreditCardInfo(cardNumber: String, expirationDate: String, cvv: String) {
    let filePath = getDocumentsDirectory().appendingPathComponent("creditcard.txt")
    do {
        try "\(cardNumber),\(expirationDate),\(cvv)".write(to: filePath, atomically: true, encoding: .utf8)
    } catch {
        print("Error saving credit card info")
    }
}

				
			


In the above code, the saveCreditCardInfo method is used to store the user’s credit card information in a file called “creditcard.txt” in the app’s documents directory. However, this code does not use any encryption or hashing techniques to secure the user’s data. Therefore, if an attacker gains access to the device, they can easily retrieve the user’s credit card information.

In Python, a vulnerable code example for insecure data storage in mobile apps could look like this:

				
					def savePersonalInfo(name, email, phone):
    with open('personalinfo.txt', 'w') as file:
        file.write(name + ',' + email + ',' + phone)

				
			


In the above code, the savePersonalInfo function is used to store the user’s personal information in a file called “personalinfo.txt” in the app’s current directory. However, this code does not use any encryption or hashing techniques to secure the user’s data. Therefore, if an attacker gains access to the device, they can easily retrieve the user’s personal information.

Examples of exploitation Insecure data storage in mobile apps

Credential theft:

An attacker can exploit insecure data storage in mobile apps to steal the user’s login credentials. For instance, if an app stores the user’s username and password in plaintext, an attacker who gains access to the device can easily retrieve the user’s credentials and use them to log in to the user’s account. This can lead to identity theft, financial fraud, or other forms of cybercrime.

Data manipulation:

An attacker can exploit insecure data storage in mobile apps to manipulate the user’s data. For example, if an app stores the user’s financial data without proper encryption, an attacker who gains access to the device can modify the data to transfer money or make unauthorized transactions. This can lead to financial losses and damage to the user’s credit score.

Unauthorized access:

An attacker can exploit insecure data storage in mobile apps to gain unauthorized access to the user’s data. For example, if an app stores the user’s personal information without proper encryption, an attacker who gains access to the device can read or copy the data. This can lead to identity theft, social engineering attacks, or other forms of cybercrime.

Malware installation:

An attacker can exploit insecure data storage in mobile apps to install malware on the device. For instance, if an app stores the user’s data without proper encryption, an attacker who gains access to the device can inject malicious code into the data to execute arbitrary commands or download and install malware. This can lead to complete compromise of the device and the user’s data.

Privilege escalation techniques for Insecure data storage in mobile apps

Rooting or Jailbreaking:

Attackers may try to exploit vulnerabilities in the mobile operating system to gain root or administrator access to the device. This can allow them to bypass app sandboxing and gain access to sensitive data stored by apps, including those that are insecurely stored. Rooting or jailbreaking can also allow attackers to install custom firmware or apps with elevated privileges.

Man-in-the-Middle (MitM) attacks:

Attackers may use MitM attacks to intercept network traffic between the app and the server to steal user data. In the case of insecure data storage, an attacker may intercept data that is transmitted between the app and the server, even if the data is encrypted during transmission. This can allow the attacker to access sensitive data, modify it, or inject malicious code into the app.

Exploiting app vulnerabilities:

Attackers may try to exploit vulnerabilities in the mobile app to gain elevated privileges. For instance, if the app uses insecure data storage, an attacker may be able to exploit a vulnerability in the app to gain access to the data stored by the app. This can allow the attacker to bypass app sandboxing and gain access to sensitive data stored by other apps on the device as well.

Social engineering:

Attackers may use social engineering techniques to trick the user into giving them access to sensitive data or elevated privileges. For instance, an attacker may send a phishing email or message to the user, asking them to enter their login credentials or install a malicious app. This can allow the attacker to gain access to the user’s data and escalate their privileges.

General methodology and checklist for Insecure data storage in mobile apps

Methodology:

  1. Identify the data types and sensitive data: The first step is to identify the types of data that the app stores and the data that is considered sensitive. This can include personal information, login credentials, financial information, and other sensitive data. It’s important to understand how the app stores this data and what encryption or obfuscation techniques are used.

  2. Review the app source code: Next, review the app’s source code to identify any instances of insecure data storage. This can include hardcoded credentials or sensitive data, storing sensitive data in plain text or weakly encrypted format, and storing sensitive data in unsecured shared preferences or external storage.

  3. Use automated testing tools: Use automated testing tools to scan the app for insecure data storage vulnerabilities. These tools can identify common vulnerabilities, such as plaintext storage of credentials or sensitive data, weak encryption, and lack of obfuscation.

  4. Test data in transit: Test how the app handles sensitive data in transit, such as data transmitted over HTTP or unsecured network connections. This can include using network sniffing tools to capture data transmitted between the app and server, and analyzing the data for sensitive information.

  5. Test data at rest: Test how the app stores sensitive data at rest, such as data stored in local storage, shared preferences, or external storage. This can include using file system analysis tools to analyze the app’s data storage and identifying any sensitive data stored in unsecured locations.

  6. Check compliance with relevant standards and guidelines: Check the app’s compliance with relevant standards and guidelines, such as the OWASP Mobile Top Ten and industry-specific security standards. This can help identify any additional vulnerabilities or gaps in the app’s security.

  7. Report and remediate vulnerabilities: Finally, report any identified vulnerabilities to the app developers and provide recommendations for remediation. The developers should prioritize fixing the vulnerabilities based on their severity and potential impact on user data.

Checklist:

  1. Identify sensitive data: Identify the types of sensitive data that the app collects and stores, such as personally identifiable information, financial data, or login credentials.

  2. Review app architecture: Review the app’s architecture and data storage mechanisms to understand how sensitive data is collected, processed, and stored.

  3. Check for hardcoded credentials: Look for instances of hardcoded credentials or sensitive data in the app’s code or configuration files.

  4. Check for plain text storage: Check for instances where sensitive data is stored in plain text, such as in configuration files or databases.

  5. Check for weak encryption: Check for weak encryption methods or algorithms used to store or transmit sensitive data.

  6. Check for insecure storage locations: Check if sensitive data is stored in unsecured locations such as shared preferences, external storage, or local storage.

  7. Test data in transit: Test how the app handles sensitive data in transit, such as data transmitted over HTTP or unsecured network connections.

  8. Test data at rest: Test how the app stores sensitive data at rest, such as data stored in local storage, shared preferences, or external storage.

  9. Check compliance with relevant standards: Check the app’s compliance with relevant standards and guidelines, such as the OWASP Mobile Top Ten or industry-specific security standards.

  10. Analyze app logs: Analyze app logs to identify instances of sensitive data being logged, which can be a potential security risk.

  11. Use automated testing tools: Use automated testing tools to scan the app for insecure data storage vulnerabilities.

  12. Test for bypassing security controls: Test for techniques that may bypass security controls, such as bypassing encryption or using debuggers to inspect sensitive data.

  13. Check for data remnants: Check for remnants of sensitive data left behind on the device after the app is uninstalled.

  14. Verify secure deletion: Verify that sensitive data is securely deleted from the device when the app is uninstalled or when the data is no longer needed.

  15. Report vulnerabilities: Report any identified vulnerabilities to the app developers and provide recommendations for remediation.

Tools set for exploiting Insecure data storage in mobile apps

Automated Tools:

  • OWASP Mobile Security Testing Guide: This is a comprehensive guide that provides a methodology and tools for testing the security of mobile apps. It includes tools for identifying insecure data storage vulnerabilities, such as the Mobile App Security Verification Standard (MASVS).

  • MobSF: MobSF (Mobile Security Framework) is an open-source framework for mobile app security testing. It includes a range of automated testing modules, including a data storage scanner that can identify common insecure data storage vulnerabilities.

  • AndroBugs: AndroBugs is an open-source tool that can automatically scan Android apps for security vulnerabilities, including insecure data storage. It uses static and dynamic analysis techniques to identify vulnerabilities.

  • QARK: QARK (Quick Android Review Kit) is a tool that can automatically scan Android apps for security vulnerabilities, including insecure data storage. It includes a range of tests that can detect common vulnerabilities, such as plaintext storage of credentials.

  • Scout2: Scout2 is a security assessment tool for mobile apps that can automatically scan apps for security vulnerabilities, including insecure data storage. It includes a range of tests that can detect common vulnerabilities, such as storage of sensitive data in unsecured locations.

Manual Testing Tools:

  • Burp Suite: Burp Suite is a popular tool for web application security testing, but it can also be used for mobile app testing. It includes a range of tools that can help to identify insecure data storage vulnerabilities, such as intercepting and analyzing network traffic.

  • Frida: Frida is a dynamic instrumentation toolkit that can be used for mobile app security testing. It allows security professionals to modify the behavior of an app at runtime, which can help to identify insecure data storage vulnerabilities.

  • Apktool: Apktool is a tool that can decompile and disassemble Android apps, which can help to identify insecure data storage vulnerabilities. It can be used to analyze the app’s code and resources, and identify any sensitive data stored in plaintext or unsecured locations.

  • Drozer: Drozer is a framework for Android security testing that can be used to identify insecure data storage vulnerabilities. It includes a range of modules that can be used to identify vulnerabilities, such as the Insecure Data Storage module.

  • Mobexler: Mobexler is a mobile app security testing tool that can be used to identify insecure data storage vulnerabilities. It includes a range of tests that can detect common vulnerabilities, such as storage of sensitive data in unsecured locations.

Browser Plugins:

  • OWASP ZAP: OWASP ZAP (Zed Attack Proxy) is a popular web application security testing tool that includes a range of features for mobile app testing. It includes a range of tools for identifying insecure data storage vulnerabilities, such as intercepting and analyzing network traffic.

  • Postman: Postman is a popular API development and testing tool that can be used for mobile app testing. It includes a range of features for testing API calls, which can help to identify insecure data storage vulnerabilities.

  • Chrome DevTools: Chrome DevTools is a set of web development and debugging tools that can be used for mobile app testing. It includes features for analyzing network traffic, debugging JavaScript code, and inspecting the app’s HTML and CSS.

The Common Weakness Enumeration (CWE)

CWE-312: Cleartext Storage of Sensitive Information: This CWE is related to storing sensitive data in clear text format, which can be easily read by attackers if the data is compromised.

CWE-313: Cleartext Storage in a File or on Disk: This CWE is similar to CWE-312 but specifically refers to storing sensitive data in clear text format in a file or on disk.

CWE-522: Insufficiently Protected Credentials: This CWE is related to storing credentials such as passwords, usernames, or API keys in insecure locations, which can be easily accessed by attackers if the data is compromised.

CWE-523: Unprotected Transport of Credentials: This CWE is related to transmitting credentials over unencrypted channels, which can be intercepted by attackers.

CWE-524: Information Exposure Through Caching: This CWE is related to caching sensitive data in memory or on disk without proper access control, which can be accessed by unauthorized users.

CWE-525: Information Exposure Through an Error Message: This CWE is related to leaking sensitive information through error messages, which can be accessed by unauthorized users.

CWE-526: Information Exposure Through Environment Variables: This CWE is related to storing sensitive data in environment variables, which can be accessed by unauthorized users.

CWE-528: Accessibility Violation: This CWE is related to storing sensitive data in a location that can be accessed by other apps or users on the device, which violates the principle of least privilege.

CWE-937: Improper Control of Filename for Include/Require Statement in PHP Program: This CWE is related to including files in PHP programs without proper validation of the filename, which can lead to inclusion of sensitive data.

CWE-1194: Improper Handling of a Resource Through its Lifetime: This CWE is related to not properly managing the lifecycle of sensitive resources such as cryptographic keys, which can lead to unauthorized access to the data.

Top 5 CVES related to Insecure data storage in mobile apps

CVE-2021-25266 – An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and Intercept X for Mobile (Android) before version 9.7.3495.

CVE-2018-6599 – An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices, allowing attackers to obtain sensitive information (such as text-message content) by reading a copy of the Android log on the SD card. The system-wide Android logs are not directly available to third-party apps since they tend to contain sensitive data. Third-party apps can read from the log but only the log messages that the app itself has written. Certain apps can leak data to the Android log due to not sanitizing log messages, which is in an insecure programming practice. Pre-installed system apps and apps that are signed with the framework key can read from the system-wide Android log. We found a pre-installed app on the Orbic Wonder that when started via an Intent will write the Android log to the SD card, also known as external storage, via com.ckt.mmitest.MmiMainActivity. Any app that requests the READ_EXTERNAL_STORAGE permission can read from the SD card. Therefore, a local app on the device can quickly start a specific component in the pre-installed system app to have the Android log written to the SD card. Therefore, any app co-located on the device with the READ_EXTERNAL_STORAGE permission can obtain the data contained within the Android log and continually monitor it and mine the log for relevant data. In addition, the default messaging app (com.android.mms) writes the body of sent and received text messages to the Android log, as well as the recipient phone number for sent text messages and the sending phone number for received text messages. In addition, any call data contains phone numbers for sent and received calls.

CVE-2016-10135 – An issue was discovered on LG devices using the MTK chipset with L(5.0/5.1), M(6.0/6.0.1), and N(7.0) software, and RCA Voyager Tablet, BLU Advance 5.0, and BLU R1 HD devices. The MTKLogger app with a package name of com.mediatek.mtklogger has application components that are accessible to any application that resides on the device. Namely, the com.mediatek.mtklogger.framework.LogReceiver and com.mediatek.mtklogger.framework.MTKLoggerService application components are exported since they contain an intent filter, are not protected by a custom permission, and do not explicitly set the android:exported attribute to false. Therefore, these components are exported by default and are thus accessible to any third party application by using android.content.Intent object for communication. These application components can be used to start and stop the logs using Intent objects with embedded data. The available logs are the GPS log, modem log, network log, and mobile log. The base directory that contains the directories for the 4 types of logs is /sdcard/mtklog which makes them accessible to apps that require the READ_EXTERNAL_STORAGE permission. The GPS log contains the GPS coordinates of the user as well as a timestamp for the coordinates. The modem log contains AT commands and their parameters which allow the user’s outgoing and incoming calls and text messages to be obtained. The network log is a tcpdump network capture. The mobile log contains the Android log, which is not available to third-party apps as of Android 4.1. The LG ID is LVE-SMP-160019.

CVE-2014-0647 – The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog. 

CVE-2013-6986 – The ZippyYum Subway CA Kiosk app 3.4 for iOS uses cleartext storage in SQLite cache databases, which allows attackers to obtain sensitive information by reading data elements, as demonstrated by password elements.

Insecure data storage in mobile apps exploits

  • Rooting or jailbreaking the device: Rooting or jailbreaking a device can provide access to sensitive data stored on the device that would otherwise be inaccessible. This can allow attackers to access and extract sensitive information, such as login credentials, financial information, or personal data.

  • Man-in-the-middle (MitM) attacks: MitM attacks can intercept traffic between the mobile app and the server, allowing attackers to steal sensitive data in transit. This can be particularly effective if the app is using unencrypted communication channels or if the attacker is able to compromise the device or network.

  • SQL injection attacks: If a mobile app stores sensitive data in a database, a SQL injection attack can allow attackers to extract data by exploiting vulnerabilities in the app’s code.

  • Credential stuffing attacks: If login credentials are stored insecurely, attackers may be able to extract them and use them in credential stuffing attacks, which involves using automated tools to test the stolen credentials against other websites and services to gain unauthorized access.

  • Debugging or reverse engineering: Debugging or reverse engineering a mobile app can provide insights into how the app stores and handles sensitive data, allowing attackers to identify vulnerabilities and extract data.

  • File system access: If a mobile app stores sensitive data on the device’s file system, an attacker with access to the file system may be able to extract the data by accessing the relevant files.

  • Unauthorized access to backups: If backups of the mobile app data are stored insecurely, attackers may be able to access them and extract sensitive data.

  • Data interception attacks: Data interception attacks involve intercepting data as it is transmitted between the mobile app and the server, allowing attackers to extract sensitive data in transit.

Practicing in test for Insecure data storage in mobile apps

Set up a test environment: Create a test environment that mimics the typical usage of your target mobile app. This can include setting up a mobile device or emulator, installing the app, and configuring the app with sample data.

Perform manual testing: Use manual testing techniques to explore the app and identify potential vulnerabilities related to insecure data storage. This can include examining the app’s file system, testing the app’s data transmission and storage, and exploring the app’s source code if it is available.

Use automated tools: Utilize automated tools to assist with the testing process. There are several commercial and open-source tools available that can help with identifying potential vulnerabilities related to insecure data storage in mobile apps.

Explore known vulnerabilities: Research known vulnerabilities related to insecure data storage in mobile apps and attempt to replicate them in your test environment. This can help you better understand how these vulnerabilities work and how to identify them in real-world scenarios.

Practice exploiting vulnerabilities: Once you have identified potential vulnerabilities, practice exploiting them to gain access to sensitive data. This can include techniques such as rooting or jailbreaking the device, using MitM attacks, or exploiting SQL injection vulnerabilities.

For study Insecure data storage in mobile apps

Read documentation and best practices: Start by reading the official documentation and best practices for mobile app development. Both Google and Apple have comprehensive documentation for their respective platforms that cover important security topics, including data storage.

Take online courses: There are many online courses available that cover mobile app security and specifically, insecure data storage. Some popular platforms for online courses include Udemy, Coursera, and edX.

Read books and articles: There are many books and articles available on the topic of mobile app security, including insecure data storage. Some recommended books on this topic include “Mobile Application Security” by Himanshu Dwivedi and “iOS Application Security” by David Thiel.

Join a community: Joining a community of like-minded individuals can be a great way to learn and stay up-to-date on the latest trends and best practices related to mobile app security. Some popular communities include OWASP, Reddit’s /r/netsec, and various Slack and Discord groups focused on mobile app development and security.

Practice, practice, practice: The best way to develop your skills in insecure data storage in mobile apps is to practice regularly. Set up a test environment and try out different testing techniques and tools. Experiment with different types of vulnerabilities and learn how to exploit them.

Books with review of Insecure data storage in mobile apps

Mobile Application Security by Himanshu Dwivedi – This book covers a wide range of security topics related to mobile applications, including insecure data storage. It provides a comprehensive overview of the security risks associated with mobile applications and offers practical advice for securing mobile apps.

iOS Application Security by David Thiel – This book focuses specifically on iOS application security and covers topics such as data storage, network communication, and application sandboxing. It is a valuable resource for iOS developers and security professionals.

Android Security Internals by Nikolay Elenkov – This book provides an in-depth look at the security architecture of the Android operating system and how it impacts mobile app security. It covers topics such as app permissions, data storage, and network security.

Hacking Exposed Mobile by Lee, Huang, and Reyes – This book provides a comprehensive overview of mobile security threats and countermeasures. It covers topics such as mobile malware, network security, and data storage vulnerabilities.

The Mobile Application Hacker’s Handbook by Dominic Chell, et al. – This book is a practical guide for mobile app security testing and exploitation. It covers topics such as data storage, cryptography, and network security.

Android Security: Attacks and Defenses by William Confer and William Roberts – This book provides a detailed look at the Android security model and how it can be exploited by attackers. It covers topics such as data storage, app permissions, and network security.

Android Forensics: Investigation, Analysis, and Mobile Security for Google Android by Andrew Hoog – This book focuses on the forensic analysis of Android devices and apps, including data storage analysis. It is a valuable resource for forensic investigators and security professionals.

Learning iOS Security by Allister Banks – This book is a practical guide to iOS security and covers topics such as data storage, encryption, and network security. It is a valuable resource for iOS developers and security professionals.

Mobile Security: How to Secure, Privatize, and Recover Your Devices by Tim Speed and Joe Grand – This book provides practical advice for securing mobile devices and apps, including data storage security. It covers topics such as encryption, secure communications, and device hardening.

Mobile Security: A Guide for Users by Katrin and Stefan Schumacher – This book is a guide for users on how to protect themselves and their data on mobile devices. It covers topics such as data storage, device encryption, and secure communications.

List of payloads Insecure data storage in mobile apps

  • Malicious code injection payloads: These payloads can be used to inject malicious code into the application’s storage and execute it to steal data.

  • Large file payloads: These payloads can be used to test if the application can handle large files without crashing or causing other issues.

  • Null byte payloads: These payloads can be used to test if the application is vulnerable to null byte injection attacks.

  • SQL injection payloads: These payloads can be used to test if the application’s database is vulnerable to SQL injection attacks.

  • Path traversal payloads: These payloads can be used to test if the application is vulnerable to path traversal attacks.

  • Cross-site scripting (XSS) payloads: These payloads can be used to test if the application is vulnerable to XSS attacks, which can allow attackers to steal data.

  • Directory traversal payloads: These payloads can be used to test if the application is vulnerable to directory traversal attacks.

  • Buffer overflow payloads: These payloads can be used to test if the application is vulnerable to buffer overflow attacks.

  • Format string payloads: These payloads can be used to test if the application is vulnerable to format string attacks.

  • Local file inclusion payloads: These payloads can be used to test if the application is vulnerable to local file inclusion attacks, which can allow attackers to read sensitive files.

How to be protected from Insecure data storage in mobile apps

  1. Use trusted apps: Only download apps from reputable sources, such as the official app store for your device, and carefully read reviews and ratings before installing any app.

  2. Keep your device and apps updated: Regularly update your device’s operating system and installed apps to ensure that you have the latest security patches.

  3. Use strong passwords: Use unique and complex passwords for your device and app accounts, and consider using a password manager to securely store and manage your passwords.

  4. Avoid public Wi-Fi: Avoid using public Wi-Fi networks, as they can be easily compromised and used to steal your data.

  5. Use encryption: Enable encryption for your device’s storage and use apps that offer encryption for sensitive data, such as passwords and personal information.

  6. Use two-factor authentication: Enable two-factor authentication for your device and app accounts, as this can help prevent unauthorized access to your data.

  7. Be aware of permissions: Be cautious of apps that request excessive permissions or access to sensitive data, and carefully review the permissions requested by each app before installing.

  8. Regularly backup your data: Regularly backup your data to a secure location, such as an encrypted cloud storage service, to ensure that you can recover your data in case of a security breach or device failure.

Conclusion

Insecure data storage in mobile apps is a serious issue that can put users’ sensitive data at risk of unauthorized access or theft. Mobile app developers must implement secure coding practices and follow best practices for data storage, encryption, and access control to prevent these types of vulnerabilities.

Users can also take steps to protect themselves from insecure data storage in mobile apps by using trusted apps, keeping their devices and apps updated, using strong passwords, and being cautious of app permissions and public Wi-Fi networks.

Regular testing and auditing of mobile apps can help identify and address insecure data storage vulnerabilities, and developers should take a proactive approach to security to ensure that their apps are secure and protect user data. By working together, developers and users can help prevent insecure data storage and reduce the risk of data breaches and other security incidents.

Other Services

Ready to secure?

Let's get in touch