Finding Description
The information specified has been found within local application folders or external storage locations on the device. Data written to device storage can be accessed through several attack vectors. An attacker with access to the charging port may be able to read this data if the user acknowledges the trust prompt, or on a rooted/jailbroken device. Data backup utilities often export local files with their backups as well, and if the backup is not encrypted, an attacker can then read them. While malware is also a concern, it is less common than attacks involving physical device access. In the case of the data shown in this finding, the password should be treated as high-value data that is especially damaging if leaked. If these values are exposed, they can be used to track and phish users, access their accounts, or circumvent protections within the app.
Steps to Reproduce
Static analysis of the compiled binary identifies the locations where data that could be secure keys is stored.
Business Impact
The app is storing the user's password on the device insecurely. Anyone with access to the device would have access to the information.
Remediation Resources
Sensitive data should be transmitted and displayed but not persisted to device storage. This is typically achieved by holding sensitive data only in RAM (cleared when the application closes) or by encrypting the data with strong encryption before it is written.
If sensitive data must be persisted on the device, it should be protected appropriately.
See https://developer.android.com/topic/security/data for details and code snippets to implement these protections.
The context table below gives the location on the device that the specified information was stored insecurely.
Risk and Regulatory Information
Severity: medium
CVSS: 4.4
Application
See more detail in the NowSecure Report