edwindwalker / edwinwalker

Personal site
0 stars 0 forks source link

NowSecure static analysis: Hardcoded Keys Potentially Found In Application Binary #5

Closed edwindwalker closed 9 months ago

edwindwalker commented 3 years ago

Finding Description

The information specified has been found within local application folders or external storage locations on the device. Data written to device storage can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust or with a rooted/jailbroken device. Often, data backup utilities can also export local files with its backup and, if not encrypted, can be then accessed by an attacker. While malware is also a concern, it is less common than attacks concerning physical device access. In the case of the data shown in the finding, the password should be treated as high value data and especially damaging if leaked. If these values are exposed they can be used to track and phish users, access their account, or circumvent protections within the app.

Steps to Reproduce

Static analysis of the compiled binary determines locations where data that could be secure keys are located.

Business Impact

The app is storing the user's password on the device insecurely. Anyone with access to the device would have access to the information.

Remediation Resources

Sensitive data should be transmitted and displayed but not persisted to memory. This is typically achieved by storing sensitive data in RAM (clear at application close) or encrypting the data using strong encryption.

If sensitive data must be persisted on the device, it should be protected appropriately. See https://developer.android.com/topic/security/data for details and code snippets to implement these protections.

The context table below gives the location on the device that the specified information was stored insecurely.

Risk and Regulatory Information

Severity: medium CVSS: 4.4

Application

See more detail in the NowSecure Report