The Last Name specified in the Findings Evidence table has been found within local application folders or external storage locations on the device. Data written to device storage can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust or if the device is rooted.
Data backup utilities are often able to export local files and, if not encrypted, can be accessed by an attacker in possession of the backup file(s). While malware is also a concern, it is less common than attacks concerning physical device access.
If sensitive data is exposed, the data can be used by an adversary to track and phish users, access their account, or circumvent protections within the app.
Steps to Reproduce
Using a rooted android device or emulator, data can be extracted and examined from the file paths described in the findings evidence table. The data extraction can be performed using the Android Debug Bridge, or Android Studio's Device File Explorer: https://developer.android.com/studio/debug/device-file-explorer.
NowSecure's automated testing for this finding checks local application files and storage locations for sensitive data after the app is exercised.
Business Impact
The app is storing Last Name insecurely in local app files. If these local files are not protected by sufficient data protection levels or the device is rooted, anyone with access to the device could gain access to this information. The sensitive information could be used by an attacker to gain unauthorized access to information or services as well as be used to conduct follow-on attacks.
Remediation Resources
Recommended Fix
In cases where the storage of sensitive data is necessary, ensure that the confidentiality of these values is protected by the use of encryption best practices. For guidance on using Android platform encryption, please see the following resource: https://developer.android.com/topic/security/data
In some cases, data may be unnecessarily or unknowingly stored and not be protected by appropriate cryptographic algorithms. In these cases, take care to avoid the storage and caching of data which may require clearing application file caches. Android garbage collection should be triggered programmatically after uses of functionality that require file caching.
Code Samples
Good Code Example (.java)
String masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);
File file = new File(context.getFilesDir(), get_currently_logged_in_username());
EncryptedFile encryptedFile = EncryptedFile.Builder(
file,
context,
masterKeyAlias,
EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build();
// write to the encrypted file
FileOutputStream encryptedOutputStream = encryptedFile.openFileOutput();
// read the encrypted file
FileInputStream encryptedInputStream = encryptedFile.openFileInput();
Finding Description
The Last Name specified in the Findings Evidence table has been found within local application folders or external storage locations on the device. Data written to device storage can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust or if the device is rooted. Data backup utilities are often able to export local files and, if not encrypted, can be accessed by an attacker in possession of the backup file(s). While malware is also a concern, it is less common than attacks concerning physical device access. If sensitive data is exposed, the data can be used by an adversary to track and phish users, access their account, or circumvent protections within the app.
Steps to Reproduce
Using a rooted android device or emulator, data can be extracted and examined from the file paths described in the findings evidence table. The data extraction can be performed using the Android Debug Bridge, or Android Studio's Device File Explorer: https://developer.android.com/studio/debug/device-file-explorer. NowSecure's automated testing for this finding checks local application files and storage locations for sensitive data after the app is exercised.
Business Impact
The app is storing Last Name insecurely in local app files. If these local files are not protected by sufficient data protection levels or the device is rooted, anyone with access to the device could gain access to this information. The sensitive information could be used by an attacker to gain unauthorized access to information or services as well as be used to conduct follow-on attacks.
Remediation Resources
Recommended Fix
In cases where the storage of sensitive data is necessary, ensure that the confidentiality of these values is protected by the use of encryption best practices. For guidance on using Android platform encryption, please see the following resource: https://developer.android.com/topic/security/data In some cases, data may be unnecessarily or unknowingly stored and not be protected by appropriate cryptographic algorithms. In these cases, take care to avoid the storage and caching of data which may require clearing application file caches. Android garbage collection should be triggered programmatically after uses of functionality that require file caching.
Code Samples
Good Code Example (.java)
Additional Guidance
Risk and Regulatory Information
Severity: low
CVSS: 2.3
Policy Category: Needs Remediation
Application
See more detail in the NowSecure Report
Evidence
| Search Term | Encoding | File Name(s) | Locations(s) | |---|---|---|---| | lastname | utf8 | CQx7DxL6RCqoKM-82pUnHQ_analytics-wal | /data/data/com.accuweather.android/no_backup/CQx7DxL6RCqoKM-82pUnHQ_analytics-wal | | lastname | utf8 | report | /data/data/com.accuweather.android/files/.com.google.firebase.crashlytics.files.v2:com.accuweather.android/open-sessions/6707A1E9006B00013113016797121B3C/report | | lastname | utf8 | CQx7DxL6RCqoKM-82pUnHQ_ua_preferences.db-wal | /data/data/com.accuweather.android/no_backup/com.urbanairship.databases/CQx7DxL6RCqoKM-82pUnHQ_ua_preferences.db-wal | ... and 196 more