The information specified has been found within local application folders or external storage locations on the device. Data written to device storage can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust or with a rooted/jailbroken device. Often, data backup utilities can also export local files with its backup and, if not encrypted, can be then accessed by an attacker. While malware is also a concern, it is less common than attacks concerning physical device access. If these values are exposed they can be used to track and phish users, access their account, or circumvent protections within the app.
Steps to Reproduce
After exercising the app, local application files and external storage locations were inspected for sensitive data. For this check, instances of the WiFi IP Address were searched for.
Business Impact
The app is storing the user's network location on the device insecurely. Anyone with access to the device would have access to the information. This could potentially be used to track a users location.
Remediation Resources
Sensitive data should be transmitted and displayed but not persisted to memory. This is typically achieved by storing sensitive data in RAM - which gets cleared when the app is closed - or encrypting the data using strong encryption.
If sensitive data must be persisted on the device, it should be protected appropriately. See https://developer.android.com/topic/security/data for details and code snippets to implement these protections.
The context table below gives the location on the device that the specified information was stored insecurely.
Finding Description
The information specified has been found within local application folders or external storage locations on the device. Data written to device storage can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust or with a rooted/jailbroken device. Often, data backup utilities can also export local files with its backup and, if not encrypted, can be then accessed by an attacker. While malware is also a concern, it is less common than attacks concerning physical device access. If these values are exposed they can be used to track and phish users, access their account, or circumvent protections within the app.
Steps to Reproduce
After exercising the app, local application files and external storage locations were inspected for sensitive data. For this check, instances of the WiFi IP Address were searched for.
Business Impact
The app is storing the user's network location on the device insecurely. Anyone with access to the device would have access to the information. This could potentially be used to track a users location.
Remediation Resources
Sensitive data should be transmitted and displayed but not persisted to memory. This is typically achieved by storing sensitive data in RAM - which gets cleared when the app is closed - or encrypting the data using strong encryption.
If sensitive data must be persisted on the device, it should be protected appropriately. See https://developer.android.com/topic/security/data for details and code snippets to implement these protections.
The context table below gives the location on the device that the specified information was stored insecurely.
Risk and Regulatory Information
Severity: low CVSS: 2.3
Application
See more detail in the NowSecure Report