Insecure data storage vulnerabilities emerge when development teams assume that users or malware will not have access to a mobile device’s filesystem and, as a result, to the sensitive data held in data stores on the device. Filesystems are simple to access. A malicious user or piece of malware should be expected to inspect sensitive data repositories. Filesystem-level encryption safeguards are bypassed once a mobile device is rooted or jailbroken. When data is not properly protected, specialist tools are all that is needed to examine application data.
In the best-case scenario, insecure data storage results in data loss for just one user; in the worst-case scenario, for a large number of users. The following are examples of sensitive data that is commonly stored on the device:
- Usernames
- Authentication tokens
- Passwords
- Cookies
- Location data
- UDID/IMEI, device name, network connection name
- Personal information: DoB, address, Social, credit card data
- Application data:
  - Stored application logs (e.g. for Android apps, ADB logcat output)
  - Debug information
  - Cached application messages
  - Transaction histories
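As an added example (not ZOFixer's code), the following Python script audits an extracted copy of an app's private data directory for the kinds of items listed above. It constructs its own sample directory in a temp folder (a SharedPreferences XML file, a SQLite database and an application log, all made up here) so it runs offline; on a real engagement you would point `audit_app_dir` at a directory pulled from your own test device instead. The sensitive-name pattern and the "looks encrypted" heuristic are assumptions chosen for illustration, not a complete ruleset.

```python
"""Audit an app's private data directory for plaintext secrets.

Added example, not ZOFixer's code. Scans three store types:
  shared_prefs/*.xml  SharedPreferences key/value pairs
  databases/*.db      SQLite tables and columns
  files/*.log         application log lines
and reports any sensitive-looking key, column or log field whose stored
value does not look like ciphertext.
"""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Assumed list of key/column names that usually hold sensitive data
SENSITIVE = re.compile(
    r"pass(word)?|pwd|token|secret|session|cookie|credit|card|ssn|imei|udid|dob|birth",
    re.IGNORECASE,
)
# Assumed pattern for "name=value" or "name: value" fields in log lines
LOG_KV = re.compile(
    r"\b(\w*(?:pass(?:word)?|pwd|token|secret|cookie|card)\w*)\s*[=:]\s*(\S+)",
    re.IGNORECASE,
)


def looks_encrypted(value: str) -> bool:
    """Heuristic: a long opaque base64 blob is treated as ciphertext.

    Plaintext values such as 'hunter2' or a card number fail this check and
    are reported. It is a coarse filter for manual review, not proof."""
    return len(value) >= 24 and re.fullmatch(r"[A-Za-z0-9+/]+=*", value) is not None


def scan_shared_prefs(path: str) -> list:
    """Flag SharedPreferences entries with a sensitive key and a plaintext value."""
    findings = []
    for el in ET.parse(path).getroot():
        name = el.get("name", "")
        value = el.text if el.text is not None else el.get("value", "")
        if SENSITIVE.search(name) and not looks_encrypted(value):
            findings.append((os.path.basename(path), name))
    return findings


def scan_sqlite(path: str) -> list:
    """Flag sensitive-looking columns whose first stored value is plaintext."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for col in cols:
                if not SENSITIVE.search(col):
                    continue
                row = con.execute(f'SELECT "{col}" FROM "{table}" LIMIT 1').fetchone()
                if row and row[0] is not None and not looks_encrypted(str(row[0])):
                    findings.append((os.path.basename(path), f"{table}.{col}"))
    finally:
        con.close()
    return findings


def scan_log(path: str) -> list:
    """Flag log lines that print a sensitive field in the clear."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = LOG_KV.search(line)
            if m and not looks_encrypted(m.group(2)):
                findings.append((os.path.basename(path), f"line {lineno}: {m.group(1)}"))
    return findings


def audit_app_dir(root: str) -> list:
    """Walk an app data directory and return sorted (file, item) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            if fn.endswith(".xml"):
                findings += scan_shared_prefs(full)
            elif fn.endswith(".db"):
                findings += scan_sqlite(full)
            elif fn.endswith(".log"):
                findings += scan_log(full)
    return sorted(findings)


def build_sample_app_dir() -> str:
    """Constructed stand-in for an app's /data/data/<package>/ directory."""
    root = tempfile.mkdtemp(prefix="appdata_")
    for sub in ("shared_prefs", "databases", "files"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "shared_prefs", "auth.xml"), "w") as fh:
        fh.write(
            "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
            '  <string name="auth_token">sess-7f3a-plain-value</string>\n'   # plaintext: reported
            '  <string name="password">Z0FBQUFBQmxjM1ZwZ2pYcG9tM0E=</string>\n'  # opaque blob: passes
            '  <boolean name="remember_me" value="true" />\n'
            "</map>\n")
    con = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    con.execute("CREATE TABLE users (id INTEGER, email TEXT, card_number TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'a@example.com', '4111111111111111')")
    con.commit()
    con.close()
    with open(os.path.join(root, "files", "app.log"), "w") as fh:
        fh.write("D/LoginActivity: request ok\n")
        fh.write("D/LoginActivity: password=hunter2 user=alice\n")  # constructed debug leak
    return root


if __name__ == "__main__":
    for location, item in audit_app_dir(build_sample_app_dir()):
        print(f"plaintext secret: {location} -> {item}")
```

On the constructed sample the script reports the session token in SharedPreferences, the card number column in the database and the password printed to the log, while the opaque `password` preference value passes. The ciphertext heuristic is deliberately crude (base64-encoded plaintext would also pass it), so treat the output as a list of places to review by hand rather than a verdict.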
In most cases, insecure data storage vulnerabilities result in the following business risks for the enterprise that owns the affected app:
- Identity theft
- Fraud
- Reputation damage
- External policy violation (e.g. PCI)
- Material loss
ZOFIXER advises inspecting your platform’s data security APIs and ensuring that you’re calling them correctly.
The ZOFixer.com security scan helps find this vulnerability in your software and servers; you can use it by registering on our website and activating the 30-day trial.