This presentation covers OWASP Mobile Risk M2, Insecure Data Storage. The agenda is to understand mobile data storage and the effect of insecure data storage, followed by demos of known insecure data storage flaws, methods to identify this flaw, and the precautions a developer should take to prevent it.
The presentation was given as part of the null/OWASP/G4H Monthly Meet.
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
1. Mobile Top 10 2014-M2
Insecure Data Storage
by
Anant Shrivastava
2. About Me
Anant Shrivastava
http://anantshri.info
Independent Information Security Consultant
Interest Areas : Web, Mobile, Linux
Project Lead
Android Tamer
Live ISO environment for Android security. Used by multiple professionals and
trainers across the globe.
CodeVigilant
An initiative to find flaws in open-source software. Holds 160+ responsibly
disclosed web vulnerabilities at this point in time.
3. Agenda
Understand Insecure Data Storage
Effects on overall Security
Examples of Insecure Data Storage
How to Find Insecure Data Storage
How to prevent it
4. Understand Mobile Storage
Android
/data/data/<app>
Application-specific data section; only the application has access. Root has
access to this partition as well.
/sdcard/
External memory, generally FAT32, hence no ACL applies. Data can be
read by all applications and read externally with a card reader.
iOS
<Application_Home>/Documents/ : Accessible only to the app and
the root user.
No SD card for iOS devices.
5. Insecure Data Storage
It occurs when development teams assume that users
or malware will not have access to a mobile device's
filesystem.
And sensitive information such as PII (Personally
Identifiable Information) is stored in the data stores on
the device in an insecure format.
Insecure format
Plain text
Reversible trivial encoding (double ROT-13 or ROT-n,
base64/32/128 etc.)
6. Effect of Insecure Data Storage
This could lead to
Identity Theft
Fraud
Reputation Damage
External Policy Violation (PCI)
or Material Loss.
12. How to find
Data storage on mobile is generally in the following
formats
XML
Plist
SQLite
Plain text config files
Log Files
Cookies in webview
13. How to Find?
Android Apps
Install the app
Configure and run it for some time
Extract /data/data/<app_name>
Also observe the change in /sdcard before and after
installing the application
Identify files and content
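The procedure on slide 13, as an added shell example (not part of the original deck): it assumes the app's /data/data/<app_name> tree has already been pulled to a local directory and audits it for the storage problems slides 5 and 12 describe, namely world-readable files, plaintext credential-like keys in XML/config/log files, and base64 values that decode to readable text. The sample tree is constructed inline.

```shell
# Constructed sample: an extracted /data/data/<app> tree with typical findings.
make_sample_appdata() {
  d=$(mktemp -d)
  mkdir -p "$d/shared_prefs" "$d/databases" "$d/files"
  printf '<map>\n<string name="username">alice</string>\n<string name="password">hunter2</string>\n</map>\n' \
    > "$d/shared_prefs/login.xml"
  chmod 666 "$d/shared_prefs/login.xml"       # as left by MODE_WORLD_READABLE/WRITEABLE
  printf 'token=%s\n' "$(printf 'secret-api-key' | base64)" > "$d/files/config.txt"
  printf 'DEBUG login ok user=alice pin=1234\n' > "$d/files/app.log"
  chmod 600 "$d/files/config.txt" "$d/files/app.log"   # private, as MODE_PRIVATE would leave them
  echo "$d"
}

# Files readable by other users (the "other" read bit, octal 004, is set).
world_readable_files() {
  find "$1" -type f -perm -004
}

# Text files containing credential-like keys in the clear.
plaintext_secrets() {
  grep -rIlEi '(password|passwd|pin|secret|token)' "$1"
}

# Base64-looking values that decode to printable text (trivially reversible encoding).
trivially_encoded_values() {
  grep -rhoE '[A-Za-z0-9+/]{12,}={0,2}' "$1" | while read -r v; do
    dec=$(printf '%s' "$v" | base64 -d 2>/dev/null) || continue
    case $dec in
      "" | *[![:print:]]*) ;;                  # empty or binary: not a readable secret
      *) printf '%s -> %s\n' "$v" "$dec" ;;
    esac
  done
}
```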
14. Mitigation
Don't store data unless absolutely necessary
Never store credentials on the phone file system
Force the user to authenticate using a standard web or API
login scheme (over HTTPS) to the application upon each
opening, and ensure session timeouts are set at the bare
minimum needed to meet the user experience requirements.
For databases, consider using SQLCipher for SQLite data
encryption
Be aware that all data/entities using NSManagedObjects
will be stored in an unencrypted database file.
15. Mitigation
Ensure any shared preferences properties are NOT
MODE_WORLD_READABLE unless explicitly
required for information sharing between apps.
Ensure SD card storage is not used for PII or
sensitive information of any sort
Avoid using NSUserDefaults to store sensitive
pieces of information
Apple or Android keychains can be used, but once the device is
jailbroken or rooted they can be easily read.