Introduction

We already touched on this topic a little in the first chapter, M1.2016, but it is a bit more complicated than it seems at first. Gaining something from this vulnerability is not very easy, though. The bad actor needs access to the device, or needs to have an app installed that has access to the storage on the victim's mobile device. This makes the attack vector a little more complicated, but there is still a possibility of very big impact if the incorrectly stored data is sensitive information, partially due to the easy exploitability.

Attack vector

When an attacker has physical access to the mobile device and can unlock it, they can hook it up to a computer and read out its data. If the attacker can't gain access, though, they can craft an exploit app that reads all the public data and sends it to the attacker. An attacker can even modify existing apps to do this and hide their true intentions in an innocent-looking app like Flappy Bird, which will steal all of the user's public data in the background.

Security Weakness

It is very important that developers learn how to store data securely, because if they do not and accidentally store sensitive data in an insecure location, a bad actor may have access to those files. Every developer and organisation should design their applications with security in mind, and they should always assume a system is compromised. Since the filesystem is so easily accessible, we should also assume that the files can get compromised. Rooting or jailbreaking a mobile device circumvents any encryption protections; this means that a bad actor would need some simple specialised tools to read the files.

Impact

The impact can range from none to critical. It depends on the information that is stored insecurely. If the data has no impact, then there is no vulnerability, but often there will be at least some kind of impact, since developers usually store information which they will need later on. This information usually contains at least something useful for bad actors.

Insecure data may result in the following business impacts:

Prevention

Developers need to be very aware that there are also background processes going on which can store personal data that they may not know about.
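
One way to find data that the app or its background processes wrote without the developer noticing is to audit a copy of the app's data directory taken from a test device. The script below is an added example, not part of the original page; the directory names, file contents and patterns are constructed for illustration and should be tuned to the data your own app handles.

```python
import os
import re
import stat
import tempfile

# Constructed patterns for illustration; extend them for your app's data.
PATTERNS = {
    "email": re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "credential_key": re.compile(rb"(?i)(password|passwd|secret|api[_-]?key|token)\b"),
}

def audit_tree(root, max_bytes=1_000_000):
    """Return sorted (relative_path, finding) pairs for every file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Files readable by "other" can be read by any app on the device.
            if os.stat(path).st_mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
            with open(path, "rb") as fh:
                data = fh.read(max_bytes)
            # Plaintext matches mean the value was stored unencrypted.
            for label, rx in PATTERNS.items():
                if rx.search(data):
                    findings.append((rel, label))
    return sorted(findings)

def demo():
    """Build a constructed sample data directory and audit it."""
    samples = {
        "shared_prefs/session.xml": (b'<string name="auth_token">abc123</string>', 0o644),
        "cache/http_response.json": (b'{"email": "alice@example.com"}', 0o600),
        "files/settings.json": (b'{"theme": "dark"}', 0o600),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (content, mode) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return audit_tree(root)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

Run it against the data directory after exercising every screen of the app, so that caches and other background writes have had a chance to appear.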