Insecure Data Storage

Insecure data storage in mobile applications creates opportunities for attackers to exploit the weakness and gain unauthorised access to sensitive information, for example by reading plaintext files, preferences, databases or logs from a rooted or backed-up device.

Remediation

  • Ensure all sensitive data is stored using strong encryption algorithms such as AES-256. Avoid storing plaintext data.
  • Implement secure key management practices. Use platform-provided key storage mechanisms, like the Android Keystore or iOS Keychain, to store encryption keys securely.
  • Minimise the storage of sensitive information on the device unless absolutely necessary. Instead, store such data on secure, remote servers and retrieve it as needed.
  • Use secure tokens for session management and avoid storing sensitive session data on the device.
  • Disable caching of sensitive information in application memory or system logs. Configure views to avoid screenshots or snapshots.
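The following is an added example, not code from SecDim or from the labs referenced on this page. It shows the first two remediation points on Android: the AES-256 key is generated inside the Android Keystore and never leaves it, and data is sealed with AES-GCM before it is persisted. The class name `SecureStore`, the key alias and the `FLAG_SECURE` helper are assumptions chosen for illustration.

```java
import android.app.Activity;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.view.WindowManager;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical helper: keeps secrets encrypted under a key that lives only in the Android Keystore. */
public final class SecureStore {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    private static final String KEY_ALIAS = "example.secure-store.aes"; // constructed alias
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;

    private SecureStore() {}

    /** Returns the AES-256 key, generating it inside the Keystore on first use (non-exportable). */
    private static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(KEY_ALIAS, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .setRandomizedEncryptionRequired(true) // Keystore picks a fresh IV for every encryption
                .build());
        return kg.generateKey();
    }

    /**
     * Encrypts a secret and returns IV || ciphertext || GCM tag. This byte array (for example Base64
     * encoded) is what may be written to SharedPreferences or a file, instead of the plaintext.
     */
    public static byte[] seal(String plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        byte[] iv = c.getIV(); // 12-byte IV generated by the Keystore, must be stored with the ciphertext
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    /** Decrypts data produced by seal(); throws AEADBadTagException if the stored blob was modified. */
    public static String open(byte[] sealed) throws Exception {
        ByteBuffer buf = ByteBuffer.wrap(sealed);
        byte[] iv = new byte[GCM_IV_BYTES];
        buf.get(iv);
        byte[] ct = new byte[buf.remaining()];
        buf.get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    /** Last remediation point: prevents screenshots and recent-apps snapshots of a sensitive screen. */
    public static void preventScreenCapture(Activity activity) {
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }
}
```

Because the key is marked non-exportable by the Keystore, an attacker who copies the encrypted preferences file from the device still has nothing to decrypt it with; the GCM tag additionally makes any tampering with the stored blob detectable at `open()` time.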

Metadata

  • Severity: low
  • Slug: insecure-data-storage

OWASP

  • M9:2024: Insecure Data Storage

Available Labs

Open Java labs in SecDim Play for this vulnerability.
