It is recommended not to store any sensitive data on the device unless it is absolutely necessary, because a mobile device is far more exposed to external threats than an application server. Where data must be stored on the physical device, the following are common mistakes and recommendations for keeping it secure.
Classification of Data
- Authentication information such as credentials and PINs
- Personally identifiable information (PII)
- Device identifiers
- Compliance-related data
- Encryption keys used to protect other data
Storage methods used on the Android platform
Shared Preferences
Shared Preferences stores data as key-value pairs in XML files. The values are written in cleartext, and if the file mode is set incorrectly the file is created world-readable or world-writable, so any other application on the device can read or modify it.
Check the files under /data/data/<package>/shared_prefs/ for sensitive data after exercising all functionality of the application. In the application source, check for MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE (both deprecated since API level 17 and rejected with a SecurityException from API level 24; older targets still honour them).
Recommendation: Do not store sensitive data in Shared Preferences. If it is unavoidable, encrypt the values (for example with the secure-preferences library or EncryptedSharedPreferences) and keep the file private (MODE_PRIVATE).
Internal Storage
Data can be saved in files in Internal Storage, which maps to the /data/data/<package>/ directory. These files are not accessible to other applications and are removed when the application is uninstalled. Because the data lives on the device's storage, the files can still be extracted from a rooted device, or from an ADB backup if the application allows backups.
Check the files under /data/data/<package>/ for sensitive content after exercising all functionality of the application.
Recommendation: Sensitive data in Internal Storage should be encrypted with a sound cryptographic scheme, since cleartext files can be extracted by anyone with physical access to a rooted device.
External Storage
External Storage covers any shared storage on the device, including the emulated phone storage, removable SD cards and USB drives. It is normally used for non-sensitive files or for functionality such as downloading images, videos, audio and PDFs. Files written there are not deleted when the application is uninstalled.
Check whether the application requests an external storage permission in AndroidManifest.xml; if it does, look for files created by the application on all storage volumes after exercising all functionality of the application.
Recommendation: Sensitive data should not be stored in external storage, as it can be extracted and read by other applications as well. These files also remain on the device after the application is removed, which increases the risk of data leakage.
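The checks for Shared Preferences, Internal Storage and External Storage above all reduce to the same routine: pull the application's data directory (for example with adb from a rooted device) and inspect it. The following Python script, added here as an example and not code from the original page, automates that inspection over a pulled tree: it parses each shared_prefs XML file, flags keys and values that look sensitive, scans other files for tokens, private keys and e-mail addresses, and reports any file whose mode grants access to other users, which is the on-disk effect of MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE. The key-name patterns are heuristics of my own, and the sample tree it builds is constructed test data, not from a real application.

```python
"""Audit a pulled /data/data/<package> tree for cleartext secrets and loose file modes."""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Heuristic key names and value patterns a tester would flag (assumption: extend per target).
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|pin|secret|token|auth|session|api.?key|ssn|card)", re.I)
SENSITIVE_VALUE = [
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")),
    ("private_key", re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----")),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
]


def parse_shared_prefs(path):
    """Return {name: value} for a shared_prefs XML file; every value is cleartext on disk."""
    prefs = {}
    for el in ET.parse(path).getroot():
        name = el.get("name")
        if name is None:
            continue
        # <string> keeps the value as text; <boolean>/<int>/<long>/<float> use a value attribute.
        prefs[name] = el.text if el.tag == "string" else el.get("value")
    return prefs


def world_accessible(path):
    """True if the mode grants read or write to 'other', i.e. the file was created world-readable/writable."""
    return bool(os.stat(path).st_mode & (stat.S_IROTH | stat.S_IWOTH))


def audit_app_dir(root):
    """Walk the app data directory and return a list of (relative_path, finding) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root)
            if world_accessible(full):
                findings.append((rel, "world-accessible file mode %o" % (os.stat(full).st_mode & 0o777)))
            if rel.startswith("shared_prefs") and fname.endswith(".xml"):
                for key, value in parse_shared_prefs(full).items():
                    if SENSITIVE_KEY.search(key):
                        findings.append((rel, "sensitive preference key '%s' stored in cleartext" % key))
                    for label, pat in SENSITIVE_VALUE:
                        if value and pat.search(value):
                            findings.append((rel, "%s in preference '%s'" % (label, key)))
                continue
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    data = fh.read()
            except OSError:
                continue
            for label, pat in SENSITIVE_VALUE:
                if pat.search(data):
                    findings.append((rel, "%s in file contents" % label))
    return findings


def build_sample_tree(root):
    """Constructed sample app data directory (test data, not pulled from a real app)."""
    prefs_dir = os.path.join(root, "shared_prefs")
    files_dir = os.path.join(root, "files")
    os.makedirs(prefs_dir)
    os.makedirs(files_dir)
    prefs = os.path.join(prefs_dir, "com.example.app_preferences.xml")
    with open(prefs, "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                 '  <string name="username">alice</string>\n'
                 '  <string name="password">hunter2</string>\n'
                 '  <boolean name="remember_me" value="true" />\n'
                 '  <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.'
                 'dGhpc2lzbm90YXJlYWxzaWduYXR1cmU</string>\n'
                 '</map>\n')
    os.chmod(prefs, 0o664)  # wrong: readable by others, what MODE_WORLD_READABLE produces
    cache = os.path.join(files_dir, "cache.json")
    with open(cache, "w") as fh:
        fh.write('{"user": "alice@example.com", "last_sync": 1700000000}\n')
    os.chmod(cache, 0o600)  # right: owner only, what MODE_PRIVATE produces


def run_demo():
    """Build the sample tree in a temp dir and return the audit findings."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return audit_app_dir(root)


if __name__ == "__main__":
    for path, finding in run_demo():
        print("%-45s %s" % (path, finding))
```

On a real engagement, point audit_app_dir at the directory produced by `adb pull /data/data/<package>` (root required) and run it once before and once after exercising every screen of the application, since preferences and cache files are only written when the corresponding feature is used.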
SQLite Database
SQLite is an embedded SQL database engine; Android stores its .db files under /data/data/<package>/databases/. The files are in cleartext by default and can be opened with SQLite Browser to view properly formatted tabular data.
SQLite databases can be encrypted with the SQLCipher library; in that case the password used to encrypt the database must itself be kept secure.
Check the files under /data/data/<package>/databases/ for sensitive data after exercising all functionality of the application. Also check the -journal and -wal files beside each database, which can hold copies of recently written rows.
Recommendation: Sensitive data should not be stored in cleartext. Once the database is encrypted, the key or password must be kept safe; deriving it from a password or PIN that the user enters each time the application is opened is a good practice.
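Two quick checks cover most of the SQLite findings described above: whether the file is cleartext at all, and which tables carry sensitive-looking columns. A cleartext SQLite file always starts with the 16-byte header "SQLite format 3\0", whereas an SQLCipher-encrypted file has an opaque header, so the first check needs no password. The script below is an added example, not code from the original page; it builds a constructed sample database (and a random-bytes stand-in for an encrypted one), then runs both checks with Python's built-in sqlite3 module. The column-name heuristic is my own.

```python
"""Check whether an Android SQLite database is cleartext and dump its sensitive-looking columns."""
import os
import re
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every cleartext SQLite file
# Heuristic column names a tester would inspect first (assumption: extend per target).
SENSITIVE_COL = re.compile(r"(pass(word|wd)?|pin|secret|token|auth|session|card|cvv|ssn)", re.I)


def is_cleartext_sqlite(path):
    """True if the file carries the SQLite header; SQLCipher files show random-looking bytes instead."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def sensitive_columns(path):
    """Return {table: [column, ...]} for every column whose name matches SENSITIVE_COL."""
    found = {}
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            cols = [r[1] for r in con.execute('PRAGMA table_info("%s")' % table.replace('"', '""'))]
            hits = [c for c in cols if SENSITIVE_COL.search(c)]
            if hits:
                found[table] = hits
    finally:
        con.close()
    return found


def sample_rows(path, table, columns, limit=5):
    """Fetch a few rows of the flagged columns, the same spot-check a tester does in SQLite Browser."""
    con = sqlite3.connect(path)
    try:
        query = 'SELECT %s FROM "%s" LIMIT %d' % (", ".join('"%s"' % c for c in columns), table, limit)
        return con.execute(query).fetchall()
    finally:
        con.close()


def sidecar_files(path):
    """Rollback journal and WAL files next to the database can hold copies of recent data."""
    return [p for p in (path + "-journal", path + "-wal") if os.path.exists(p)]


def build_sample_db(path):
    """Constructed sample: a typical cleartext app database with a credentials table."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, session_token TEXT)")
    con.execute("CREATE TABLE settings (key TEXT, value TEXT)")
    con.execute("INSERT INTO users (email, password, session_token) VALUES (?, ?, ?)",
                ("alice@example.com", "hunter2", "tok_1234"))
    con.execute("INSERT INTO settings VALUES ('theme', 'dark')")
    con.commit()
    con.close()


def build_fake_encrypted_db(path):
    """Constructed stand-in for an SQLCipher file: no SQLite header, only random bytes."""
    with open(path, "wb") as fh:
        fh.write(os.urandom(4096))


def run_demo():
    """Build both sample files in a temp dir and return the audit results."""
    d = tempfile.mkdtemp()
    clear, enc = os.path.join(d, "app.db"), os.path.join(d, "secure.db")
    build_sample_db(clear)
    build_fake_encrypted_db(enc)
    report = {
        "cleartext": is_cleartext_sqlite(clear),
        "encrypted_header": is_cleartext_sqlite(enc),
        "columns": sensitive_columns(clear),
        "sidecars": sidecar_files(clear),
    }
    report["rows"] = {t: sample_rows(clear, t, cols) for t, cols in report["columns"].items()}
    return report


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "=", v)
```

A database that fails is_cleartext_sqlite is not automatically safe: the next question is where the SQLCipher password comes from, which is the subject of the key-storage section below.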
Realm Database
Realm databases are stored with the .realm extension under /data/data/<package>/files/. The files are in cleartext by default and can be opened with Realm Browser (now Realm Studio).
Check the files under /data/data/<package>/files/ for sensitive data after exercising all functionality of the application.
Recommendation: Encrypt the database if it holds any sensitive information; Realm accepts a 64-byte encryption key through its RealmConfiguration. Sensitive data should not be stored in cleartext, and after encryption the key must be kept secure.
Firebase Realtime Database
Firebase Realtime Database is a widely used cloud-hosted NoSQL database service that stores data as JSON and can be used to store and sync data from the cloud server as required.
Check for Firebase misconfigurations: if the database security rules allow unauthenticated reads, appending /.json to the database URL returns the contents of that node in the browser; look through it for sensitive data. A correctly protected database answers with HTTP 401 and {"error": "Permission denied"}.
The Firebase URL can be obtained by reverse engineering the APK, either manually (it usually appears in res/values/strings.xml as firebase_database_url) or with the help of MobSF.
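The Firebase check above is easy to script once the URL has been recovered from the decompiled APK. The example below is added here and is not code from the original page: it extracts Realtime Database URLs (both the legacy *.firebaseio.com form and the regional *.firebasedatabase.app form) from decompiled resource text, builds the /.json probe URL for the root or a chosen node, and classifies the REST response. The strings.xml fragment and the two responses are constructed samples with made-up project names; the probe() function performs the real request and is not exercised offline.

```python
"""Find Firebase Realtime Database URLs in decompiled APK text and check them for open read access."""
import json
import re
import urllib.error
import urllib.request

# Realtime Database hostnames: legacy <project>.firebaseio.com and regional <name>.<region>.firebasedatabase.app.
FIREBASE_URL = re.compile(r"https://[a-z0-9-]+\.(?:firebaseio\.com|[a-z0-9-]+\.firebasedatabase\.app)", re.I)


def find_firebase_urls(text):
    """Return the distinct database URLs found in decompiled text (strings.xml, smali, google-services.json)."""
    return sorted(set(m.group(0) for m in FIREBASE_URL.finditer(text)))


def probe_url(base_url, node="/"):
    """REST URL for a node: the root is read by appending /.json, a child by /<node>/.json."""
    base = base_url.rstrip("/")
    node = node.strip("/")
    return base + ("/" + node if node else "") + "/.json"


def classify(status, body):
    """Interpret a REST response: open (data returned), denied (rules block reads), or unexpected."""
    if status in (401, 403):
        return "denied"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unexpected"
        return "open-empty" if data is None else "open"
    return "unexpected"


def probe(base_url, node="/", timeout=10):
    """Perform the GET against a live database (network access; not used by the offline demo)."""
    req = urllib.request.Request(probe_url(base_url, node), headers={"User-Agent": "fb-rules-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode("utf-8", "replace"))


# Constructed sample of a decompiled res/values/strings.xml; project names are made up.
SAMPLE_STRINGS_XML = """
<resources>
    <string name="firebase_database_url" translatable="false">https://example-app-1234.firebaseio.com</string>
    <string name="google_api_key" translatable="false">AIza-REDACTED</string>
    <string name="backup_db">https://example-app-1234-default-rtdb.europe-west1.firebasedatabase.app/</string>
</resources>
"""

# Constructed responses of the two kinds a probe normally gets back.
SAMPLE_RESPONSES = {
    "open": (200, '{"users": {"u1": {"email": "alice@example.com", "phone": "+15550000000"}}}'),
    "denied": (401, '{"error": "Permission denied"}'),
}


def run_demo():
    """Extract URLs from the sample, build probe URLs and classify the sample responses."""
    urls = find_firebase_urls(SAMPLE_STRINGS_XML)
    return {
        "urls": urls,
        "probe_urls": [probe_url(u) for u in urls],
        "verdicts": {k: classify(*v) for k, v in SAMPLE_RESPONSES.items()},
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "=", v)
```

An "open" verdict on the root node is the misconfiguration the text describes; when the root is denied it is still worth probing well-known child nodes (for example users or messages) because rules can be set per path.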
Encryption of Data
Several of the storage methods above keep data in cleartext by default, and the recommendation in each case is to encrypt any sensitive data the application stores. The encryption must be cryptographically sound (an authenticated mode such as AES-GCM with a fresh random nonce per message, not ECB or a hard-coded IV); the OWASP Cryptographic Storage Cheat Sheet can help in choosing the most suitable scheme.
Storing Encryption Keys & Passwords
Once data is encrypted, the encryption key must be kept safe. Hard-coding the key in the source, or storing it on the device next to the data, is not a secure implementation: with physical access the key can be extracted easily, which defeats the purpose of the encryption. Below are some common ways in which
Server-side Key Storage
The encryption key can be held on the server side and fetched through a web service (an API request) when needed. In this case the application can only be used while the device is online, and the key is still present in the application's memory while it is in use.
Android KeyStore
The Android KeyStore is a public API for generating, storing and using app-private keys; the level of security offered depends on the configuration, hardware and software in use. On devices with secure hardware the keys are generated and used inside a Trusted Execution Environment or Secure Element, so the operating system cannot access the key material directly and the keys cannot be extracted easily even on a rooted device.
To check whether a key is held in secure hardware, the isInsideSecureHardware function can be used (it is deprecated from API level 31 in favour of getSecurityLevel, which also distinguishes a TEE from a StrongBox Secure Element).
On a device without secure hardware the implementation is software-only, and the keys are easy to extract on a rooted device because the key files live on the device's filesystem.
In older Android versions the device security credential (PIN/password) was used to derive the master key protecting the software keystore, so the KeyStore was unavailable while the device was locked or when no device security was set. On current versions this is configured per key: setUserAuthenticationRequired ties a key to a recent lock screen or biometric authentication, and setUnlockedDeviceRequired (API level 28) makes the key unusable while the device is locked.
Android KeyChain
The Android KeyChain is a public API for storing and using private keys and their certificates. It is system-wide: the credentials are not tied to one application, but an application can only use a key after the user has granted it access through the system chooser that the application requests. It uses the device security (PIN/password) to protect the stored information. It is convenient when several applications need the same set of credentials, as Android prompts the user to allow each application's use of the stored credential.
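The two preceding sections, Encryption of Data and Storing Encryption Keys & Passwords, describe what a reviewer looks for in decompiled code: keys or IVs baked into the source, ECB or DES, MD5/SHA-1 used to derive keys, and whether the Android KeyStore is used at all. The Python script below is an added example, not code from the original page; it runs a set of regular-expression checks over decompiled Java text (for example jadx output) and reports each matching line. The two Java fragments are constructed illustrations of a typical "before" and a KeyStore-backed "after"; they are not taken from any real application, and the patterns are heuristics of my own that will need tuning per target.

```python
"""Static check of decompiled Java for hard-coded keys, static IVs and weak cipher choices."""
import re

# (description, pattern) pairs; each is a heuristic, not a proof of exploitability.
CHECKS = [
    ("hard-coded key material assigned to a constant",
     re.compile(r'(?:String|byte\s*\[\s*\])\s+(?:\w*(?:key|secret|pass)\w*|(?:\w*_)?iv(?:_\w*)?)'
                r'\s*=\s*(?:"[^"]*"|new\s+byte\s*\[\s*\]\s*\{)', re.I)),
    ("hard-coded key: SecretKeySpec built from a string literal",
     re.compile(r'new\s+SecretKeySpec\s*\(\s*"[^"]+"\s*\.getBytes')),
    ("hard-coded key: SecretKeySpec built from a byte-array literal",
     re.compile(r'new\s+SecretKeySpec\s*\(\s*new\s+byte\s*\[\s*\]\s*\{')),
    ("static IV: IvParameterSpec built from a literal",
     re.compile(r'new\s+IvParameterSpec\s*\(\s*(?:"[^"]+"\s*\.getBytes|new\s+byte\s*\[\s*\]\s*\{)')),
    ("weak cipher: ECB mode, or no mode given (the JCE default is ECB)",
     re.compile(r'Cipher\.getInstance\s*\(\s*"(?:AES|DES|DESede)(?:/ECB[^"]*)?"')),
    ("weak cipher: DES",
     re.compile(r'Cipher\.getInstance\s*\(\s*"DES(?:/|")')),
    ("weak digest for key derivation: MD5/SHA-1",
     re.compile(r'MessageDigest\.getInstance\s*\(\s*"(?:MD5|SHA-?1)"')),
]
KEYSTORE_USE = re.compile(r'"AndroidKeyStore"')


def scan_source(text):
    """Return a list of (line_no, description, stripped_line) for every line that matches a check."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for desc, pat in CHECKS:
            if pat.search(line):
                hits.append((n, desc, line.strip()))
    return hits


def uses_keystore(text):
    """True if the code opens the Android KeyStore provider anywhere."""
    return bool(KEYSTORE_USE.search(text))


# Constructed 'before': the pattern the section warns about (hard-coded key, static IV, MD5).
VULNERABLE_JAVA = '''
public class CryptoHelper {
    private static final String KEY = "Sup3rS3cretKey!!";
    public static byte[] encrypt(byte[] plain) throws Exception {
        SecretKeySpec k = new SecretKeySpec(KEY.getBytes(), "AES");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, k, new IvParameterSpec("0000000000000000".getBytes()));
        return c.doFinal(plain);
    }
    public static String legacyHash(String pin) throws Exception {
        return toHex(MessageDigest.getInstance("MD5").digest(pin.getBytes()));
    }
}
'''

# Constructed 'after': key generated inside the Android KeyStore, AES-GCM, nonce chosen by the keystore.
HARDENED_JAVA = '''
public class CryptoHelper {
    private static final String ALIAS = "db_key";
    static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(ALIAS)) return (SecretKey) ks.getKey(ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
        return kg.generateKey();
    }
    public static byte[] encrypt(byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        return c.doFinal(plain);
    }
}
'''


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_JAVA), ("hardened", HARDENED_JAVA)):
        print("%s: uses AndroidKeyStore = %s" % (name, uses_keystore(src)))
        for n, desc, line in scan_source(src):
            print("  line %d: %s\n    %s" % (n, desc, line))
```

Run it over the whole jadx output tree rather than one file: the key constant is often declared in a different class from the Cipher call, which is why the constant-assignment check exists alongside the literal-argument checks. No hits plus a reference to "AndroidKeyStore" is a good sign, but not proof; confirm on a device that the key reports secure hardware as described above.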
Given the methods discussed above, the application should also refuse to operate on an insecure platform. Checks that support this include:
- Minimum OS version
- Rooted device detection
- Minimum device security (a lock screen must be set)
- TLS certificate (SSL) pinning
- Using secure hardware for keys