Finding Description
The information specified has been found within external storage locations on the device. Data written to device storage can be accessed through several attack vectors. Data stored to the SD Card is not as protected as data stored inside the application's data container.
Steps to Reproduce
After exercising the app, files stored on the SD Card are analyzed and any instances where sensitive data is found are flagged.
Business Impact
The app is storing the username on the device insecurely. Anyone with access to the device would have access to the information.
Remediation Resources
At a minimum, do not store sensitive information on external storage. Sensitive data should be transmitted and displayed but not persisted to device storage. This is typically achieved by keeping sensitive data in RAM only (cleared when the application closes) or by encrypting the data using strong encryption.
If sensitive data must be persisted on the device, it should be protected appropriately. See https://developer.android.com/topic/security/data for details and code snippets to implement these protections.
The context table below gives the location on the device where the specified information was stored insecurely.
Risk and Regulatory Information
Severity: medium
CVSS: 6.1
Application
See more detail in the NowSecure Report