M9: Insecure Data Storage (2024)
OWASP Risk Analysis
Sensitive data is stored unencrypted in SharedPreferences, UserDefaults, SQLite databases, or the app sandbox. Attackers can access this data on rooted or jailbroken devices or via backups.
Risk Assessment
Threat Agents
Insecure data storage attracts skilled adversaries targeting mobile apps, malicious insiders, state-sponsored actors, cybercriminals, script kiddies, data brokers, competitors, and hacktivists. These actors exploit weak encryption, insufficient data protection, insecure storage mechanisms, and improper credential handling.
Attack Vectors
Exploitability: EASY
Attack vectors include unauthorized filesystem access via physical or remote means, weak or absent encryption exploitation, data transmission interception, and malware installation. Rooted or jailbroken devices enable attackers to bypass security and access sensitive data directly.
Security Weakness
Prevalence: COMMON
Detectability: AVERAGE
Weaknesses include weak or nonexistent encryption allowing easy data access, storage in accessible locations like plain text files or unprotected databases, insufficient access controls, and missing secure transmission protocols.
Technical Impact
Impact: SEVERE
Data breaches with unauthorized access and extraction of sensitive information. Compromised accounts enabling identity theft. Data tampering causing integrity issues and malicious content injection. Unauthorized resource access to critical files, configurations, and cryptographic keys.
Business Impact
Impact: SEVERE
Reputational damage from data breaches causing negative publicity. Loss of customer trust in organizational data protection. Legal consequences including fines, penalties, and lawsuits. Financial implications from breach investigation, customer notification, and settlements.
Am I Vulnerable?
- Lack of Access Controls: Insufficient access controls within the application may allow unauthorised users or attackers to gain access to sensitive data stored on the device or in databases.
- Inadequate Encryption: Failure to properly encrypt sensitive data can result in unintended data leakage if an attacker gains access to the storage medium.
- Unintentional Data Exposure: Mobile applications may inadvertently expose sensitive data through application logs, error messages, or debug features.
- Poor Session Management: Weak session management can lead to unintended data leakage. If session tokens or user authentication information are not adequately protected, attackers may intercept or manipulate them.
- Insufficient Input Validation: Inadequate input validation and data sanitization can lead to unintended data leakage. Attackers may exploit this weakness to inject malicious scripts or retrieve sensitive data.
- Cloud Storage Misconfigurations: If the mobile application uses cloud storage services and the configurations are mismanaged or misconfigured, it can result in unintended exposure of sensitive data.
- Third-Party Library Vulnerabilities: Insecure third-party libraries used in the mobile application may have vulnerabilities that could lead to unintended data leakage.
- Unintended Data Sharing: Improper handling of data sharing features within the application can result in unintended data leakage to unauthorized recipients.
How Do I Prevent It?
- Use Strong Encryption: Implement robust encryption algorithms and practices to protect sensitive data both at rest and in transit. Use secure key management practices.
- Secure Data Transmission: Utilise secure communication protocols (e.g., HTTPS, SSL/TLS) to protect data during transmission between the mobile application and backend servers.
- Implement Secure Storage Mechanisms: Store sensitive data in secure storage locations that are inaccessible to unauthorised users. Use platform-specific secure storage mechanisms like Keychain (iOS) or Keystore (Android).
- Employ Proper Access Controls: Implement strong access controls to restrict unauthorised access to sensitive data. Authenticate users securely and enforce role-based access controls.
- Validate Input and Sanitize Data: Implement input validation and data sanitization techniques to prevent injection attacks and ensure that only valid and expected data is stored.
- Apply Secure Session Management: Implement secure session management techniques, such as using randomly generated session tokens, setting proper session timeouts, and securely storing session data.
- Regularly Update and Patch Dependencies: Keep all libraries, frameworks, and third-party dependencies up to date, as they may contain security vulnerabilities that could be exploited.
- Stay Informed: Stay up to date with the latest security threats and vulnerabilities in the mobile application landscape. Monitor security forums, security advisories, and platform updates.
Example Attack Scenarios
- Storing Passwords in Plain Text: The mobile application stores user passwords in plain text format within a local database or file, making it easy for an attacker to retrieve and abuse these credentials if they gain unauthorized access to the device.
- Unsecured Local Storage: The mobile application stores sensitive user data, such as personally identifiable information (PII), locally on the device without utilizing proper access controls or encryption. This allows anyone with physical access to the device to extract and view the data.
- Insecure Data Caching: The mobile application caches sensitive data, such as user authentication tokens or session information, without implementing appropriate security measures. If an attacker gains access to the device's cache, they can obtain these credentials and impersonate the user.
- Unprotected Logging: The mobile application logs sensitive data, including user actions, API responses, or error messages, without proper security controls. This can lead to unintentional exposure of sensitive information if an attacker gains access to the device or intercepts the log files.
- Insecure Cloud Storage Configuration: The mobile application utilizes cloud storage services to store user data but misconfigures the storage permissions, allowing unauthorized access to the stored information. This can result in data leakage or unauthorized exposure of sensitive data.
- Improper Handling of Temporary Files: The mobile application creates temporary files to process or store sensitive data, but fails to properly handle and delete these files afterward. This leaves sensitive information exposed and vulnerable to unauthorized access.
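A defender-side check for the plain-text password and unsecured local storage scenarios above, added here as an example (it is not OWASP's code): it walks a copy of an app's data directory and reports SharedPreferences entries and SQLite columns that are readable without a key and whose names suggest credentials. The name pattern, the function names and the sample directory are assumptions constructed for illustration.

```python
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed heuristic: names that usually label credentials or session material.
SENSITIVE = re.compile(r"passw(or)?d|token|secret|api[_-]?key", re.I)

def scan_prefs(path):
    """Readable <string> entries with sensitive names in a SharedPreferences XML."""
    return [(path.name, el.get("name")) for el in ET.parse(path).getroot().iter("string")
            if SENSITIVE.search(el.get("name", "")) and (el.text or "").strip()]

def scan_sqlite(path):
    """Sensitive-looking columns in a database that opens without a key."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        cols = con.execute("SELECT m.name, p.name FROM sqlite_master m, "
                           "pragma_table_info(m.name) p WHERE m.type='table'").fetchall()
    except sqlite3.DatabaseError:
        cols = []  # not readable as plain SQLite, e.g. an encrypted database
    con.close()
    return [(path.name, f"{table}.{col}") for table, col in cols if SENSITIVE.search(col)]

def audit(root):
    """Walk a copy of an app's data directory and return sorted (file, item) findings."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.suffix == ".xml" and path.parent.name == "shared_prefs":
            hits += scan_prefs(path)
        elif path.suffix in (".db", ".sqlite"):
            hits += scan_sqlite(path)
    return sorted(hits)

def build_sample(root):  # constructed sample data directory, not from a real app
    Path(root, "shared_prefs").mkdir()
    Path(root, "databases").mkdir()
    Path(root, "shared_prefs/user.xml").write_text(
        '<map><string name="auth_token">abc123</string>'
        '<string name="theme">dark</string></map>')
    con = sqlite3.connect(Path(root, "databases/app.db"))
    con.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    con.close()
    Path(root, "databases/vault.db").write_bytes(bytes(range(256)) * 16)  # opaque stand-in

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

A finding means the item is stored where a backup or a rooted device exposes it in the clear; the name match is only a triage heuristic, so review each hit before treating it as a confirmed leak.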
Based on OWASP Mobile Top 10 (2024) — the industry standard for mobile app security risks.