The information specified has been found within local application folders or external storage locations on the device. Data written to device storage can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust or with a rooted/jailbroken device. Often, data backup utilities can also export local files with its backup and, if not encrypted, can be then accessed by an attacker. While malware is also a concern, it is less common than attacks concerning physical device access. If these values are exposed they can be used to track and phish users, access their account, or circumvent protections within the app.
Steps to Reproduce
After exercising the app, local application files and external storage locations were inspected for sensitive data. For this check, instances of the Zip Code were searched for.
Business Impact
The app is storing the user's zip code on the device insecurely in local app files. If a weak data protection level is set on the file and/or if the device is jailbroken, anyone with access to the device could potentially steal the user's zip code.
Remediation Resources
Sensitive data should not be stored in local app files without the right protection level and unencrypted. It is highly recommended to encrypt all locally stored sensitive data using a strong encryption algorithm. It is also recommended to set the strongest possible data protection level on the file containing the sensitive data. Review the data protection level(s) set on the file(s) listed here and ensure that they are either NSFileProtectionComplete for complete protection or NSFileProtectionCompleteUntilFirstUserAuthentication to be protected until the user first authenticates to the device. Details and code snippets can be found at https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files
The context table below gives the location on the device that the specified information was stored insecurely.
Finding Description
The information specified has been found within local application folders or external storage locations on the device. Data written to device storage can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust or with a rooted/jailbroken device. Often, data backup utilities can also export local files with its backup and, if not encrypted, can be then accessed by an attacker. While malware is also a concern, it is less common than attacks concerning physical device access. If these values are exposed they can be used to track and phish users, access their account, or circumvent protections within the app.
Steps to Reproduce
After exercising the app, local application files and external storage locations were inspected for sensitive data. For this check, instances of the Zip Code were searched for.
Business Impact
The app is storing the user's zip code on the device insecurely in local app files. If a weak data protection level is set on the file and/or if the device is jailbroken, anyone with access to the device could potentially steal the user's zip code.
Remediation Resources
Sensitive data should not be stored in local app files without the right protection level and unencrypted. It is highly recommended to encrypt all locally stored sensitive data using a strong encryption algorithm. It is also recommended to set the strongest possible data protection level on the file containing the sensitive data. Review the data protection level(s) set on the file(s) listed here and ensure that they are either
NSFileProtectionComplete
for complete protection orNSFileProtectionCompleteUntilFirstUserAuthentication
to be protected until the user first authenticates to the device. Details and code snippets can be found at https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_filesThe context table below gives the location on the device that the specified information was stored insecurely.
Risk and Regulatory Information
Severity: low CVSS: 2.3
Application
See more detail in the NowSecure Report