Android Application Security Testing Part-23: Insecure Data Storage
Insecure Data Storage
Threat Agents
· Mobile malware
· Physical access to the device
Internal Storage
· Each app's data resides under /data/data/ on an Android device.
· Each application folder contains a shared_prefs folder and a database folder, plus several other folders as implemented by the application. Files under these folders fall into the Internal Storage category. In most apps you will find that files in the shared_prefs folder are world-readable, and even files with sensitive data are public.
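
One way to check an app's data directory for the world-readable and world-writable files described above (an added example, not code from the original post). The function names and sample file names are hypothetical, the sample tree is constructed, and the check looks only at file mode bits.

```sh
#!/bin/sh
# Added example: flag files in an app data directory that any other UID can
# read or write. Run it against the app's folder on a test device or against
# a copy pulled from one. Only file mode bits are checked; directory
# permissions on the parent folders are not evaluated here.

# Prints one "WORLD-WRITABLE <path>" or "WORLD-READABLE <path>" line per file.
# Returns 0 if nothing is exposed, 1 if there are findings, 2 on a bad argument.
audit_world_access() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    findings=$(
        # other-write bit set (e.g. 0666, as left by MODE_WORLD_WRITEABLE)
        find "$dir" -type f -perm -002 \
            -exec printf 'WORLD-WRITABLE %s\n' {} +
        # other-read bit set but not other-write (e.g. 0664 or 0644)
        find "$dir" -type f -perm -004 ! -perm -002 \
            -exec printf 'WORLD-READABLE %s\n' {} +
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample layout (not from a real app) for trying the audit offline.
# Prints the path of the temporary directory it creates.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/shared_prefs" "$root/database"
    echo '<map/>' > "$root/shared_prefs/settings.xml"
    echo '<map/>' > "$root/shared_prefs/creds.xml"
    echo 'data'   > "$root/database/cache.db"
    chmod 660 "$root/shared_prefs/settings.xml"   # private: owner and group only
    chmod 664 "$root/shared_prefs/creds.xml"      # readable by every app
    chmod 666 "$root/database/cache.db"           # readable and writable by every app
    printf '%s\n' "$root"
}

# Usage: ./audit.sh <app data directory>
if [ $# -gt 0 ]; then
    audit_world_access "$1"
fi
```

A non-zero exit status makes the check usable as a gate in a test pipeline: any finding fails the run.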
How to Fix
· Do not use MODE_WORLD_WRITEABLE or MODE_WORLD_READABLE modes for IPC files because they do not provide the ability to limit data access to particular applications, nor do they provide any control on data format. If you want to share data with other apps, use a content provider instead, which offers read and write permissions to other apps and can make dynamic permission grants on a case-by-case basis.
· Avoid relying exclusively upon hardcoded encryption or decryption keys when storing sensitive information assets, because those keys can be retrieved after decompiling the app.
· Consider providing an additional layer of encryption beyond any default encryption mechanisms provided by the operating system.
External Storage
· Files created on external storage, such as SD Cards, are globally readable and writable. Because external storage can be removed by the user and also modified by any application, you should not store sensitive information using external storage.
· As with data from any untrusted source, you should perform input validation when handling data from external storage. We strongly recommend that you not store executables or class files on external storage prior to dynamic loading. If your app does retrieve executable files from external storage, the files should be signed and cryptographically verified prior to dynamic loading.