Finding Description
The ZIP Code specified in the Findings Evidence table has been found within local application folders or external storage locations on the device. Data written to device storage can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust or if the device is rooted. Data backup utilities are often able to export local files and, if not encrypted, can be accessed by an attacker in possession of the backup file(s). While malware is also a concern, it is less common than attacks concerning physical device access.
If sensitive data is exposed, the data can be used by an adversary to track and phish users, access their account, or circumvent protections within the app.
Steps to Reproduce
Using a jailbroken iOS device, data can be extracted and analyzed from the file paths mentioned in the Findings Evidence table. The extraction can be performed using SSH or other file transfer protocols. These tools will need to be installed through the jailbreak's APT package manager (Cydia or Sileo). Another option is to use the simulator tool that is included with Xcode to extract data from the file storage container.
NowSecure's automated testing for this finding examines local application files and storage locations for sensitive data after the app is exercised.
Business Impact
The app is storing a ZIP Code insecurely in local app files. If these local files are not protected by sufficient data protection levels or the device is rooted, anyone with access to the device could gain access to this information. The sensitive information could be used by an attacker to gain unauthorized access to information or services as well as be used to conduct follow-on attacks.
Remediation Resources
Recommended Fix
Sensitive data should not be stored unencrypted in local app files and without the right data protection level. It is highly recommended to encrypt all locally stored sensitive data using a strong encryption algorithm. It is also recommended to set the strongest possible data protection level on the file containing the sensitive data.
Review the data protection level(s) set on the file(s) listed in the Findings Evidence section and ensure that they are either NSFileProtectionComplete for complete protection or NSFileProtectionCompleteUntilFirstUserAuthentication to be protected until the user first authenticates to the device.
Details and code snippets can be found at https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files.
In addition to applying security controls like encryption, it may be necessary to evaluate for uses of cache data, as they may be required to be cleared programmatically. The Findings Evidence table gives the location for the specified sensitive information that was stored insecurely on the device.
Code Samples
Good Code Sample (.swift)
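```swift
import Foundation

// App-specific helpers (get_currently_logged_in_username, getDocumentsDirectory)
// are assumed to be defined elsewhere in the project.
let str = get_currently_logged_in_username()
let filename = getDocumentsDirectory().appendingPathComponent("output.txt")

// For the first write: create the file with complete protection.
// Data.write(to:options:) accepts protection options; String.write does not.
do {
    try Data(str.utf8).write(to: filename, options: .completeFileProtection)
} catch {
    // Handle errors.
}

// For an existing file: raise its protection level in place.
do {
    try (filename as NSURL).setResourceValue(
        URLFileProtection.complete,
        forKey: .fileProtectionKey)
} catch {
    // Handle errors.
}
```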
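The review step in the Recommended Fix (checking the protection level of each stored file, then clearing caches) can be automated from inside the app. The following is an added example, not code from NowSecure or Apple; the function names are hypothetical and it assumes the files of interest live under the app's Documents directory.

```swift
import Foundation

// Added example. Assumes it runs inside the iOS app; `root` would be a
// container directory named in the Findings Evidence table.

// The two protection levels the Recommended Fix accepts.
let acceptableLevels: [URLFileProtection] = [.complete, .completeUntilFirstUserAuthentication]

/// Returns every regular file under `root` whose protection level is missing
/// or weaker than the accepted levels, paired with the level that was found.
func weaklyProtectedFiles(under root: URL) -> [(url: URL, level: URLFileProtection?)] {
    let keys: [URLResourceKey] = [.isRegularFileKey, .fileProtectionKey]
    guard let walker = FileManager.default.enumerator(
        at: root, includingPropertiesForKeys: keys) else { return [] }

    var findings: [(url: URL, level: URLFileProtection?)] = []
    for case let url as URL in walker {
        guard let values = try? url.resourceValues(forKeys: Set(keys)),
              values.isRegularFile == true else { continue }
        if let level = values.fileProtection, acceptableLevels.contains(level) { continue }
        findings.append((url: url, level: values.fileProtection))
    }
    return findings
}

/// Raises a single existing file to complete protection.
func raiseProtection(of url: URL) throws {
    try FileManager.default.setAttributes(
        [.protectionKey: FileProtectionType.complete], ofItemAtPath: url.path)
}

/// Audits the Documents directory, upgrades weak files, and returns the
/// files that could not be upgraded so they can be logged or removed.
func auditAndFixDocuments() -> [URL] {
    let docs = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
    var unfixed: [URL] = []
    for finding in weaklyProtectedFiles(under: docs) {
        do { try raiseProtection(of: finding.url) }
        catch { unfixed.append(finding.url) }
    }
    // Cached network responses can also hold the value; clear them explicitly.
    URLCache.shared.removeAllCachedResponses()
    return unfixed
}
```

Files raised to complete protection cannot be read while the device is locked, so files that background code must open need NSFileProtectionCompleteUntilFirstUserAuthentication instead.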
Additional Guidance
Risk and Regulatory Information
Severity: low CVSS: 2.3
Application