OWASP Mobile Top 10 Part 2: Insecure Data Storage

Insecure data storage is the second vulnerability in the OWASP Mobile Top 10 list. Insecure data storage comes straight after improper platform usage – such an attack might occur after a malicious party has stolen a mobile device, gained control of a lost mobile device or simply managed to execute some kind of malware on the mobile device of a victim.

What is Insecure Data Storage?

Put simply, insecure data storage refers to, well, insecure storage of data that is then manipulated and abused by an attacker. An attacker can either abuse such a flaw by either having physical access to the device or, as already noted previously, through the use of malicious applications.

How Dangerous is the Insecure Data Storage Vulnerability?

The dangers of the insecure data storage vulnerability are pretty much directly dependent on the application that is vulnerable. For example, as part of one of its releases, Tinder introduced a new feature that was supposed to show people in close proximity to you that are also using the app and by doing so Tinder also retrieved and stored the exact location (the GPS coordinates) of each individual so in this case, the dangers of insecure data storage vulnerability came down to exposed geographical locations of users, in other cases the dangers may be more or less severe. For example, if a mobile application is susceptible to the insecure data storage vulnerability, the vulnerability might reside in SQLite databases, log files, XML, cookie or binary data stores, manifest files or SD cards. Files and data that reside in cloud storage (for example, Dropbox) and are accessed through some kinds of mobile applications, might also be vulnerable to the insecure data storage vulnerability.

In general, the exploiting of such a vulnerability for an attacker is pretty easy. All an adversary needs to do is gain access to a mobile device, then connect it to a computer, then use software that allows him to see stored perfonal information. If the attacker hasn’t got access to a mobile device, he also has an option to simply execute malware on the mobile device of the victim. It’s as easy as that!

How to Protect an Application From Insecure Data Storage?

In general, to protect your mobile application from insecure data storage, consider threat modelling your mobile application, OS, platforms and frameworks you use. Keep an eye on:

• Your databases – the data stored in your SQL databases is obviously one of the primary targets for an attacker. Keep an eye out for it, don’t store unnecessary data in it and if you do grant access to databases, make sure you only grant the necessary privileges for users to complete their actions.
• Log files – log files can obviously also contain some useful information for an attacker.
• XML data stores, binary data stores and cookie stores – those kinds of files should also be reviewed to ensure that they do not store information that isn’t absolutely necessary and that they don’t store sensitive personal information.
• The SD card – the SD card could be one of those points that is often overlooked, but considering how much data an ordinary user has in their phone, the data stored in SD cards could be a goldmine for any attacker. Make sure that your SD card does not include too much sensitive data, also make s If you can, provide an alert to the user informing them about the importance of privacy and security phones.
• The cloud – another crucial points that could provide some “juicy” information to the attacker. Make sure that personal information is not stored in the cloud – if it must be stored, adequately protect it.

Summary

According to OWASP, insecure data storage vulnerability is one of the most dangerous vulnerabilities mobile applications are susceptible to. To avoid introducing such a vulnerability into your mobile applications, keep an eye out on your your databases, log files, data stores, the SD card and the cloud. Also keep in mind that unintended data leakage might also stem from vulnerabilities in your operating system, frameworks in use, new hardware, also rooted or jailbroken devices.

Keep in mind that the threat agents for this vulnerability include an adversary who has attained access to a mobile device or the execution of malware sent by an attacker. Knowing these things in mind should make your mobile applications more secure.