Difference between revisions of "Mobile Top 10 2012-M1 Insecure Data Storage"

From OWASP
Jump to: navigation, search
(Created page with "{{Top_10_2010:SummaryTableHeaderBeginTemplate}} {{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY}} {{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON}}...")
 

Revision as of 15:16, 23 January 2013

Threat Agents Attack Vectors Security Weakness Technical Impacts Business Impacts
Application Specific Exploitability
EASY
Prevalence
COMMON
Detectability
EASY
Impact
SEVERE
Application / Business Specific
Threats Agents include lost/stolen phones and the possibility of in-the-wild exploit/malware gaining access to the device. A malicious agent hooks up an unprotected device to a computer with commonly available software. They are able to see all third party application directories that often contain stored personal information. M1, insecure data storage, occurs when development teams assume that users will not have access to the phones file system. Devices file systems are often accessible easily and you should expect a malicious user to be inspecting your data stores. Rooting or jailbreaking a device usually circumvents any encryption protections and in some cases, where data is not protected properly, all that is needed to view application data is to hook the phone up to a computer and use some specialized tools. Insecure data storage can result in data loss, in the best case, for one user. In the worst case, for many users. Common valuable pieces of data seen stored include:
  • Usernames
  • Authentication tokens
  • Passwords
  • Cookies
  • Location data
  • UDID/EMEI, Device Name, Network Connection Name
  • Personal Information: DoB, Address, Social, Credit Card Data
  • Application Data:
    • Stored application logs
    • Debug information
    • Cached application messages
    • Transaction histories
Insert text here

Am I Vulnerable To Insecure Data Storage?