M9: Insecure Data Storage

M9: Insecure Data Storage is the OWASP Mobile Top 10 category for flaws that let an attacker read, copy or tamper with the data a mobile application keeps on the device or in its backend/cloud storage. Almost every app persists something: a shopping app, for example, keeps your name, address, phone number and a session token so you do not have to log in on every visit. Whatever is persisted is reachable by anyone who can get at the storage: another app on the device, a user with a rooted or jailbroken phone, someone who extracts a device backup, or someone who obtains a forensic image of the handset.

Insecure data storage happens when an application persists data without protecting it in a way that holds up once the platform sandbox is bypassed. Common flaws are:

  • Unprotected data storage: Some applications store data on the device in plain text: in unencrypted files or SQLite databases, in SharedPreferences (Android) or NSUserDefaults/plist files (iOS), in caches, or on external/shared storage that other apps can read. The application sandbox only separates apps from each other on an unmodified device; on a rooted or jailbroken phone, or in a file-system image, every one of these locations is readable. For example, a note-taking app might write your notes, and the session token it uses to sync them, to a plain text file on your device.

  • Unsecured data backup: Some applications let their data be backed up in an unsecured way. Data may be copied to a cloud service without encryption, without authentication or authorization on the backup store, or without the user's consent. Platform backups count too: an Android app that leaves android:allowBackup enabled can have its private files extracted with adb backup, and iOS files that are not excluded from backups end up in iCloud or local backups. For example, an app that backs up your photos might upload them unencrypted to a cloud service without asking for your permission.

  • Unintended data leakage: Some applications leak data to other apps or systems that are not authorized or trusted. Leaks happen through places the developer did not think of as "storage": debug logs (logcat or the unified log), the clipboard, screenshots taken by the OS for the app switcher, keyboard caches, crash reports and analytics SDKs, as well as insecure communication channels (HTTP, SMS), undocumented or unauthenticated endpoints, and outdated third-party libraries. For example, an app that uses a third-party push-notification service might log your device ID and push token, and ship those logs to a crash-reporting service, without telling you.

These flaws can lead to serious consequences: data breach, account takeover through a stolen session token, identity theft, fraud, blackmail, harassment and discrimination. It is therefore essential that mobile applications implement and enforce secure data storage mechanisms, such as:

  • Data encryption: Applications should encrypt sensitive data at rest using a current authenticated cipher (for example AES-256 in GCM mode; note that SHA is a hash function, not an encryption algorithm, and cannot protect confidentiality) with keys that never leave the platform key store (Android Keystore, iOS Keychain/Secure Enclave). A key that is hard-coded in the app or stored next to the ciphertext gives no real protection, because an attacker who can read the storage can read the key too. For example, a note-taking app should encrypt each note with AES-256-GCM under a non-exportable Keystore key and store only the ciphertext in its private database.

  • Data protection: Applications should protect data from unauthorized access or use by other apps or systems using proper access control (authentication and authorization on any backend or cloud store), data retention policies (deletion or anonymization when the data is no longer needed) and data sharing policies (consent and disclosure). They should also opt out of platform backups for sensitive files, or encrypt what is backed up. For example, an app that backs up your photos should ask for your permission, tell you where the backup goes, and encrypt it before upload.

  • Data isolation: Applications should keep their data away from apps and systems that do not need it. They should rely on the platform sandbox (Android's Application Sandbox, the iOS app container) and keep sensitive files in app-private storage rather than on external or shared storage; they should use TLS (HTTPS) for every network path so the data cannot be intercepted in transit; and they should control what third-party libraries and SDKs see. Using a well-maintained HTTP client such as OkHttp or Retrofit is a reasonable choice, but it does not by itself prevent leakage: a logging interceptor left enabled in a release build will still write request bodies, headers and tokens to the log. For example, an app that uses a third-party push-notification service should send your device ID and token to the service only over HTTPS and should never write them to the log.
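The following Android example is added here to illustrate the flaws listed above (plaintext storage, a file on shared storage, a secret in the log) beside the hardened form the mitigations describe (AES-256-GCM under a non-exportable Android Keystore key, app-private storage, nothing secret logged). It is not code from the OWASP page or any real app; the package name, key alias, preference and file names are assumptions, and a real app would additionally set android:allowBackup="false" (or a dataExtractionRules policy) in its manifest so the preference file is not extracted by adb backup.

```kotlin
// Added example, not from the original page. Package, alias and file names are assumptions.
package com.example.notes

import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import android.util.Log
import java.io.File
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// ---- Insecure: plaintext, shared storage, and a secret in logcat -----------------
class InsecureNoteStore(private val ctx: Context) {
    fun save(sessionToken: String, note: String) {
        // Plaintext in SharedPreferences: readable from a root shell, an adb backup
        // (when allowBackup is on) or a file-system image of the device.
        ctx.getSharedPreferences("session", Context.MODE_PRIVATE)
            .edit().putString("token", sessionToken).apply()

        // App-specific external storage: before scoped storage (Android 10) any app
        // holding the storage permission can read it; it is also never encrypted by
        // the app itself, so a removed SD card or a backup exposes the note.
        File(ctx.getExternalFilesDir(null), "note.txt").writeText(note)

        // Secrets in the log end up in bug reports and crash-reporting uploads.
        Log.d("NoteStore", "saved note, token=$sessionToken")
    }
}

// ---- Hardened: AES-256-GCM with a key that never leaves the Android Keystore ------
class SecureNoteStore(private val ctx: Context) {
    private val keyAlias = "notes-aes-key"      // assumed alias
    private val ivLen = 12                      // GCM nonce length chosen by Keystore
    private val tagBits = 128

    // Create the key once; on later calls it is fetched from the Keystore. The key
    // material is not exportable, so an attacker who copies the files cannot decrypt.
    private fun key(): SecretKey {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        (ks.getKey(keyAlias, null) as? SecretKey)?.let { return it }
        val gen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        gen.init(
            KeyGenParameterSpec.Builder(
                keyAlias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
            )
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build()
        )
        return gen.generateKey()
    }

    // Returns base64(iv || ciphertext || tag). Keystore generates a fresh random IV
    // for every ENCRYPT_MODE init, which is what GCM requires; never reuse one.
    fun seal(plaintext: ByteArray): String {
        val c = Cipher.getInstance("AES/GCM/NoPadding")
        c.init(Cipher.ENCRYPT_MODE, key())
        return Base64.encodeToString(c.iv + c.doFinal(plaintext), Base64.NO_WRAP)
    }

    // Throws javax.crypto.AEADBadTagException if the blob was modified on disk.
    fun open(sealed: String): ByteArray {
        val blob = Base64.decode(sealed, Base64.NO_WRAP)
        val iv = blob.copyOfRange(0, ivLen)
        val c = Cipher.getInstance("AES/GCM/NoPadding")
        c.init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(tagBits, iv))
        return c.doFinal(blob, ivLen, blob.size - ivLen)
    }

    fun save(sessionToken: String, note: String) {
        // Only ciphertext reaches the preference file and the app-private files dir.
        ctx.getSharedPreferences("session", Context.MODE_PRIVATE)
            .edit().putString("token", seal(sessionToken.toByteArray())).apply()
        File(ctx.filesDir, "note.enc").writeText(seal(note.toByteArray()))
        Log.d("NoteStore", "saved note")   // no secret in the log line
    }

    fun loadNote(): String = String(open(File(ctx.filesDir, "note.enc").readText()))
}
```

The check a reviewer makes against the insecure version is simple: pull the app's data directory from a rooted test device or an adb backup and grep it for the token; with the hardened version the same search finds only base64 ciphertext, and editing a byte of it makes open() fail with an authentication-tag error rather than returning corrupted plaintext. On iOS the equivalent is a Keychain item with kSecAttrAccessibleWhenUnlockedThisDeviceOnly, which likewise keeps the secret out of backups.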

To learn more about this category and how to prevent it, see these resources:

  • [M9-Insecure Data Storage | OWASP Foundation]: The official website of the OWASP Mobile Top 10 project. It contains detailed information about this category and links to other useful resources.

  • [Mobile App Security: How To Secure Your Mobile App Data Storage]: A blog post that provides an overview of the best practices for mobile app data storage security.

  • [Mobile App Security Testing | Cybrary]: A course that teaches you how to test and secure mobile applications against various security risks.
