The information specified has been found within local application folders or external storage locations on the device. Data written to device storage can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust or with a rooted/jailbroken device. Often, data backup utilities can also export local files with its backup and, if not encrypted, can be then accessed by an attacker. While malware is also a concern, it is less common than attacks concerning physical device access. If these values are exposed they can be used to track and phish users, access their account, or circumvent protections within the app.
Recommendation
Sensitive data should be transmitted and displayed but not persisted to memory. This is typically achieved by storing sensitive data in RAM (clear at application close) or encrypting the data using strong encryption.
If sensitive data must be persisted on the device, it should be protected appropriately. See https://developer.android.com/topic/security/data for details and code snippets to implement these protections.
The context table below gives the location on the device that the specified information was stored insecurely.
Summary
The information specified has been found within local application folders or external storage locations on the device. Data written to device storage can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust or with a rooted/jailbroken device. Often, data backup utilities can also export local files with its backup and, if not encrypted, can be then accessed by an attacker. While malware is also a concern, it is less common than attacks concerning physical device access. If these values are exposed they can be used to track and phish users, access their account, or circumvent protections within the app.
Recommendation
Sensitive data should be transmitted and displayed but not persisted to memory. This is typically achieved by storing sensitive data in RAM (clear at application close) or encrypting the data using strong encryption.
If sensitive data must be persisted on the device, it should be protected appropriately. See https://developer.android.com/topic/security/data for details and code snippets to implement these protections.
The context table below gives the location on the device that the specified information was stored insecurely.
Risk and Regulatory Information
Severity: low CVSS: 2.3
Application
See more detail in the NowSecure Report