The information specified has been found within local application folders or external storage locations on the device. Data written to device storage can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust or with a rooted/jailbroken device. Often, data backup utilities can also export local files with its backup and, if not encrypted, can be then accessed by an attacker. While malware is also a concern, it is less common than attacks concerning physical device access. If these values are exposed they can be used to track and phish users, access their account, or circumvent protections within the app.
Recommendation
Sensitive data should not be stored in local app files without the right protection level and unencrypted. It is highly recommended to encrypt all locally stored sensitive data using a strong encryption algorithm. It is also recommended to set the strongest possible data protection level on the file containing the sensitive data. Review the data protection level(s) set on the file(s) listed here and ensure that they are either NSFileProtectionComplete for complete protection or NSFileProtectionCompleteUntilFirstUserAuthentication to be protected until the user first authenticates to the device. Details and code snippets can be found at https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files
The context table below gives the location on the device that the specified information was stored insecurely.
Summary
The information specified has been found within local application folders or external storage locations on the device. Data written to device storage can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust or with a rooted/jailbroken device. Often, data backup utilities can also export local files with its backup and, if not encrypted, can be then accessed by an attacker. While malware is also a concern, it is less common than attacks concerning physical device access. If these values are exposed they can be used to track and phish users, access their account, or circumvent protections within the app.
Recommendation
Sensitive data should not be stored in local app files without the right protection level and unencrypted. It is highly recommended to encrypt all locally stored sensitive data using a strong encryption algorithm. It is also recommended to set the strongest possible data protection level on the file containing the sensitive data. Review the data protection level(s) set on the file(s) listed here and ensure that they are either
NSFileProtectionCompletefor complete protection orNSFileProtectionCompleteUntilFirstUserAuthenticationto be protected until the user first authenticates to the device. Details and code snippets can be found at https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_filesThe context table below gives the location on the device that the specified information was stored insecurely.
Risk and Regulatory Information
Severity: low CVSS: 2.3
Application
See more detail in the NowSecure Report