Insecure Data Storage

One of the most critical vulnerabilities in mobile applications is insecure data storage. Mobile devices are easily lost or stolen, making proper data protection essential. Despite this risk, many applications store sensitive information in plaintext or easily accessible locations.

How Insecure Storage Occurs:

Developers often make incorrect assumptions about the security of mobile file systems. Common mistakes include:

  • Storing passwords or API keys in SharedPreferences (Android) or NSUserDefaults (iOS)
  • Saving sensitive data in plaintext files within the application sandbox
  • Using SQLite databases without encryption for confidential information
  • Caching sensitive data in temporary files that persist after use
  • Logging sensitive information that remains in system logs
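A quick way to check a test build for the first three mistakes is to pull the app's data directory from a test device and scan it. The script below is an added example, not code from the original page. The key-name pattern, the directory layout of the constructed sample, and the function names are assumptions made for illustration.

```python
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed heuristic: preference key names that suggest a stored secret.
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of an unencrypted SQLite file

def audit_sandbox(root):
    """Return (relative_path, finding) pairs for a pulled app data directory."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.parent.name == "shared_prefs" and path.suffix == ".xml":
            try:
                entries = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # not readable XML; nothing to report for this check
            for entry in entries:
                name = entry.get("name", "")
                if SECRET_KEY.search(name):
                    findings.append((rel, f"plaintext preference '{name}'"))
        else:
            with path.open("rb") as fh:
                if fh.read(16) == SQLITE_MAGIC:
                    findings.append((rel, "unencrypted SQLite database"))
    return findings

def build_sample(root):
    """Constructed sample sandbox: one plaintext prefs file, one plain database."""
    root = Path(root)
    (root / "shared_prefs").mkdir(parents=True)
    (root / "databases").mkdir()
    (root / "shared_prefs" / "settings.xml").write_text(
        "<map><string name='theme'>dark</string>"
        "<string name='user_password'>hunter2</string></map>")
    db = sqlite3.connect(root / "databases" / "accounts.db")
    db.execute("CREATE TABLE accounts (iban TEXT)")
    db.commit()
    db.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, finding in audit_sandbox(tmp):
            print(f"{rel}: {finding}")
```

A database file flagged here may still hold only non-sensitive data, so each finding is a prompt to review what the file actually contains.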

Real-World Example: In 2019, multiple banking applications were found storing user credentials in plaintext within their application directories. Attackers with physical access to devices could extract these credentials without any specialized tools, leading to potential account compromises affecting millions of users.

Prevention Strategies:

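// iOS - Secure storage using Keychain
import Foundation
import Security

// Returns the OSStatus so callers can detect failures (errSecSuccess on success).
@discardableResult
func saveToKeychain(password: String, account: String) -> OSStatus {
    let data = Data(password.utf8)

    // Attributes that identify the item
    let query: [String: Any] = [
        kSecClass as String: kSecClassInternetPassword,
        kSecAttrAccount as String: account
    ]
    // Value and protection class: readable only while the device is unlocked,
    // and not restored onto a different device
    let attributes: [String: Any] = [
        kSecValueData as String: data,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    ]

    // SecItemAdd fails with errSecDuplicateItem if the item exists, so update it instead
    var status = SecItemAdd(query.merging(attributes) { $1 } as CFDictionary, nil)
    if status == errSecDuplicateItem {
        status = SecItemUpdate(query as CFDictionary, attributes as CFDictionary)
    }
    return status
}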

// Android - Secure storage using EncryptedSharedPreferences
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKeys

fun saveSecureData(context: Context, key: String, value: String) {
    // Master key is generated and held in the Android Keystore
    val masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)

    // Both preference keys and values are encrypted before being written to disk
    val sharedPreferences = EncryptedSharedPreferences.create(
        "secure_prefs",
        masterKeyAlias,
        context,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    sharedPreferences.edit().putString(key, value).apply()
}