edwindwalker / edwinwalker

Personal site

NowSecure dynamic analysis: Username Stored Insecurely On Device #16

Closed edwindwalker closed 9 months ago

edwindwalker commented 3 years ago

Finding Description

The username specified in the Findings Evidence table has been found within local application folders or external storage locations on the device. Data written to device storage can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust or if the device is rooted. Data backup utilities are often able to export local files and, if not encrypted, can be accessed by an attacker in possession of the backup file(s). While malware is also a concern, it is less common than attacks concerning physical device access. If sensitive data is exposed, the data can be used by an adversary to track and phish users, access their account, or circumvent protections within the app.

Steps to Reproduce

Using a rooted Android device or emulator, data can be extracted and examined from the file paths described in the findings evidence table. The extraction can be performed with the Android Debug Bridge or with Android Studio's Device File Explorer: https://developer.android.com/studio/debug/device-file-explorer. NowSecure's automated test for this finding checks local application files and storage locations for sensitive data after the app has been exercised.
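As an added example (not part of the NowSecure finding or of this repository), a Python check in the spirit of the automated test described above: it scans a pulled copy of the app's private data directory for the username in the byte encodings it commonly takes on disk (UTF-8, UTF-16LE, exactly aligned Base64). The directory tree and the username are constructed here as stand-ins for real extracted data.

```python
import base64
import sqlite3
import tempfile
from pathlib import Path


def encodings_of(secret: str) -> dict:
    """Byte forms a sensitive string commonly takes on disk on Android."""
    return {
        "utf-8": secret.encode("utf-8"),
        "utf-16le": secret.encode("utf-16-le"),  # Java char data written via DataOutput
        "base64": base64.b64encode(secret.encode("utf-8")),  # only exactly aligned encodings
    }


def scan_app_data(root: str, secret: str) -> list:
    """Return (relative path, encoding) pairs for every file under root containing secret."""
    needles = encodings_of(secret)
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        for name, needle in needles.items():
            if needle in data:
                hits.append((path.relative_to(root).as_posix(), name))
    return hits


def build_sample_tree(root: str, username: str) -> None:
    """Constructed stand-in for the output of `adb pull /data/data/<pkg>` (not real app data)."""
    prefs = Path(root, "shared_prefs"); prefs.mkdir(parents=True)
    (prefs / "session.xml").write_text(f'<map><string name="user">{username}</string></map>')
    db_dir = Path(root, "databases"); db_dir.mkdir()
    con = sqlite3.connect(db_dir / "app.db")  # SQLite stores TEXT as UTF-8 by default
    con.execute("CREATE TABLE account(name TEXT)")
    con.execute("INSERT INTO account VALUES (?)", (username,))
    con.commit(); con.close()
    cache = Path(root, "cache"); cache.mkdir()
    (cache / "token.cache").write_bytes(base64.b64encode(username.encode("utf-8")))
    files = Path(root, "files"); files.mkdir()
    (files / "user_profile.enc").write_bytes(bytes(range(64)))  # stands in for EncryptedFile output


def demo(username: str = "alice.example") -> list:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, username)
        return scan_app_data(root, username)


if __name__ == "__main__":
    for rel_path, enc in demo():
        print(f"{rel_path}: username found in plaintext ({enc})")
```

Run against a real pulled directory by calling `scan_app_data(pulled_dir, username)`; an empty result for every sensitive value is the condition the finding asks for.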

Business Impact

The app is storing the username insecurely in local app files. If these files are not protected by a sufficient data protection level, or the device is rooted, anyone with access to the device could read this information. The sensitive information could be used by an attacker to gain unauthorized access to information or services, and to conduct follow-on attacks.

Remediation Resources

Recommended Fix

In cases where the storage of sensitive data is necessary, ensure that the confidentiality of these values is protected by following encryption best practices. For guidance on using Android platform encryption, please see the following resource: https://developer.android.com/topic/security/data. In some cases, data may be stored unnecessarily or unknowingly and not be protected by appropriate cryptographic algorithms. In these cases, take care to avoid storing and caching the data, which may require clearing application file caches. Android garbage collection should be triggered programmatically after uses of functionality that require file caching.

Code Samples

Good Code Sample (.java)

import androidx.security.crypto.EncryptedFile;
import androidx.security.crypto.MasterKeys;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;

// getOrCreate and the stream calls below throw GeneralSecurityException / IOException.
// The key itself stays in the Android Keystore; only its alias is returned.
String masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);

// Use a fixed, non-sensitive file name: the filesystem stores the name in plaintext,
// so the username belongs in the encrypted contents, not in the path.
File file = new File(context.getFilesDir(), "user_profile.enc");
EncryptedFile encryptedFile = new EncryptedFile.Builder(
        file,
        context,
        masterKeyAlias,
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build();

// write to the encrypted file (openFileOutput fails if the file already exists; delete it first to replace)
try (FileOutputStream encryptedOutputStream = encryptedFile.openFileOutput()) {
    encryptedOutputStream.write(get_currently_logged_in_username().getBytes(StandardCharsets.UTF_8));
}

// read the encrypted file; the stream yields the decrypted plaintext
try (FileInputStream encryptedInputStream = encryptedFile.openFileInput()) {
    byte[] buf = new byte[256];
    int n = encryptedInputStream.read(buf);
    String username = new String(buf, 0, Math.max(n, 0), StandardCharsets.UTF_8);
}

Additional Guidance

Risk and Regulatory Information

Severity: low CVSS: 2.3

Application

See more detail in the NowSecure Report