Insecure Data Storage – What your phone might be saying about you.

Is your data safe? You’ve picked up the latest, greatest model of your favorite iPhone™, Android™ or Windows™ phone with all of the latest features. You’ve set the screen lock with a good PIN (not 5555 like last time). Now your data is secure and you have nothing to worry about, right? Well, let’s think about that.


Most mobile applications store some sort of data on your phone. But what kind of data is it storing? And how safe is that data if your phone is stolen? All platforms have the capability to store data securely. Some, such as Apple’s iOS™, provide security as part of the base platform, while others, such as Android, require the application itself to protect sensitive data (such as login credentials or account numbers) by encrypting it. Each approach has its own merits and drawbacks, but more importantly:

  • The protection only works if the application developer makes use of it. There is no guarantee that the application isn’t handling some data safely while leaving other data out in the open.

  • Even if all sensitive data is protected, it can always be compromised given the opportunity and the right tools.

A better solution is just not to store any sensitive data other than the absolute minimum, which usually means login credentials. Of course, you can’t tell just by looking at the description of an application that this is the case. Ever see a download page for an app that says

   “CAUTION: This app stores your personal information without providing any protection”?


Some of you may know that one way of storing data in a mobile app is in a database. This has been one of the most common and efficient forms of data storage since long before mobile applications existed, and it is a powerful tool for developing robust mobile applications. Most platforms use a version of a cross-platform database known as SQLite. Storing data in a database is generally viewed as more secure than just writing it to a file, but in reality, unless the database is encrypted, it’s just about as easy to extract everything from the database as it is from an ordinary text file. And just as with files, you as a consumer have no way of knowing what steps your application has taken to ensure this doesn’t happen. And by the way, one of the most common vulnerabilities in web-based applications, SQL Injection, works against mobile app databases too.
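The two claims above, that an unencrypted SQLite file gives up its contents without any database tooling and that a lookup built by string concatenation is injectable, can both be checked directly. The following is an added example written for this post, not code from the original article or from HP Fortify. It uses Python's built-in sqlite3 module because it is the same SQLite engine the mobile platforms ship; the table layout, the user names, passwords and account numbers are all constructed sample data.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows: what a careless app might persist after a login.
SAMPLE_ROWS = [
    ("alice", "hunter2", "ACCT-0001"),
    ("bob", "letmein", "ACCT-0002"),
]


def create_app_db(path):
    """Simulate an app that writes credentials into an unencrypted SQLite file."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE IF NOT EXISTS users (name TEXT, password TEXT, account TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def plaintext_secrets_in_file(path, secrets):
    """Scan the raw database file bytes without using SQLite at all.

    Returns the secrets that appear verbatim. For an unencrypted database
    that is every TEXT value ever stored, which is the point the post makes.
    """
    with open(path, "rb") as f:
        blob = f.read()
    return [s for s in secrets if s.encode() in blob]


def find_user_vulnerable(path, name):
    """Lookup built by string concatenation: user input becomes SQL syntax."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()
    con.close()
    return sorted(r[0] for r in rows)


def find_user_safe(path, name):
    """Same lookup with a bound parameter: the input is only ever treated as data."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    con.close()
    return sorted(r[0] for r in rows)


def demo():
    """Build the sample database and report what each weakness exposes."""
    path = os.path.join(tempfile.mkdtemp(), "app.db")
    create_app_db(path)
    # Classic tautology input; the concatenated query matches every row,
    # the parameterized query matches nothing because no user has that name.
    tautology = "x' OR '1'='1"
    return {
        "leaked": plaintext_secrets_in_file(path, ["hunter2", "ACCT-0002"]),
        "vulnerable": find_user_vulnerable(path, tautology),
        "safe": find_user_safe(path, tautology),
    }


if __name__ == "__main__":
    print(demo())
```

The `leaked` list is the part worth dwelling on: no query was needed, only a read of the file, so a screen-lock PIN protects nothing once the storage is accessible. Bound parameters fix the injection; they do nothing about the plaintext at rest, which needs either platform-provided protection or application-level encryption as described above.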


But application data storage isn’t the only culprit. Mobile applications do many of the same things that any other application does. One of the most common of these activities is writing to a log file. Log files allow us (or support staff) to look at why you are having trouble getting that app to do what it is written to do. These logs often record things like login errors, problems connecting to the server, or problems with the application itself. When it comes to figuring out why an application isn’t working correctly, more information is better. And that’s exactly how most developers think. The more information the app writes to a log, the easier it will be to diagnose the problem. What could go wrong, right? But what if that information includes things like your login id, or heaven forbid, your password? What if the app had trouble logging in to the server using your account number? It’s easy to see why this is not a good idea – if a hacker gets access to your log files there is no end to the information they may have access to.
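The failure described above is a developer logging a "helpful" line that happens to carry a password or account number. The snippet below is an added example, not code from the post or from HP Fortify: it shows that exact line being written raw, and then the same line passing through a logging filter that masks the sensitive fields before any handler writes them. The field formats (`password=...`, `ACCT-nnnn`, bearer tokens) are assumed for the sake of the example, as is the sample log message.

```python
import io
import logging
import re

# Assumed field formats for this example; a real app would list the fields
# its own code and libraries actually emit.
REDACT_PATTERNS = [
    (re.compile(r"(password=)\S+", re.IGNORECASE), r"\1[REDACTED]"),
    (re.compile(r"\bACCT-\d{4}\b"), "ACCT-[REDACTED]"),
    (re.compile(r"(Authorization: Bearer )\S+"), r"\1[REDACTED]"),
]


class RedactingFilter(logging.Filter):
    """Rewrite each record's message before any handler formats or stores it."""

    def filter(self, record):
        msg = record.getMessage()          # apply %-args first, then scrub
        for pattern, repl in REDACT_PATTERNS:
            msg = pattern.sub(repl, msg)
        record.msg = msg
        record.args = ()                   # already interpolated; nothing left to format
        return True                        # keep the record, just with a cleaner message


def make_logger(redact):
    """Return a logger writing to an in-memory buffer, with or without the filter."""
    buf = io.StringIO()
    logger = logging.getLogger("demo.redact" if redact else "demo.raw")
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redact:
        # Attached to the logger, so every handler (file, console, remote) gets the scrubbed record.
        logger.addFilter(RedactingFilter())
    return logger, buf


def log_failed_login(redact):
    """Emit a constructed debug line of the kind the post warns about and return what was written."""
    logger, buf = make_logger(redact)
    logger.debug("login failed for user=alice password=hunter2 account=ACCT-0042")
    return buf.getvalue().strip()


if __name__ == "__main__":
    print(log_failed_login(False))
    print(log_failed_login(True))
```

A filter like this is a safety net, not the fix: the better practice is never to pass credentials or account identifiers into a log call in the first place, and to keep debug-level logging off in release builds. The filter catches the cases a code review missed.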


One last thing to think about before you try to fall asleep tonight. When we think of protecting sensitive information, most of us think about credit card numbers, account numbers, and login credentials. While those may be the “holy grail” to a hacker, there are other ways to compromise a user’s privacy. Beware of secondary information, or metadata, stored in an insecure format. For example, almost everyone takes pictures with their phone. We don’t typically worry about someone getting hold of a picture of us standing under a tree in the back yard, but many of those pictures carry along information known as metadata: when was the picture taken, and at what location? Given access to your photo gallery, a hacker can find out where you live, when you typically leave to go to the office, even those weekend trips to your secret getaway.
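The metadata in question is EXIF, which is stored inside the image in TIFF structure: a header, a directory of tagged entries (IFD0) holding the timestamp, and a separate GPS directory holding latitude and longitude as degree/minute/second fractions. The following is an added example, not code from the post or from HP Fortify. It builds a minimal EXIF blob with an invented date and location so it runs offline, then parses it back with a small walker so you can see exactly how little work "find out where you live" takes. Tag numbers and type codes are the standard EXIF values; the coordinates and timestamp are constructed sample data.

```python
import struct

# Standard EXIF/TIFF tag numbers and field types used below.
TAG_DATETIME = 0x0132
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _rationals(values):
    """Degrees, minutes, seconds as numerator/denominator pairs (EXIF RATIONAL)."""
    return b"".join(struct.pack("<II", n, d) for n, d in values)


def build_sample_exif():
    """Construct a minimal little-endian TIFF/EXIF blob with a date and a GPS fix (sample data)."""
    date = b"2014:06:15 08:12:30\x00"                    # 20 bytes, NUL-terminated ASCII
    lat = _rationals([(40, 1), (44, 1), (5400, 100)])   # 40 deg 44' 54.00" N (invented)
    lon = _rationals([(73, 1), (59, 1), (1200, 100)])   # 73 deg 59' 12.00" W (invented)
    ifd0_off = 8
    ifd0_len = 2 + 2 * 12 + 4
    date_off = ifd0_off + ifd0_len
    gps_off = date_off + len(date)
    gps_len = 2 + 4 * 12 + 4
    lat_off = gps_off + gps_len
    lon_off = lat_off + len(lat)

    def entry(tag, typ, count, value_or_off):
        return struct.pack("<HHI", tag, typ, count) + value_or_off

    ifd0 = struct.pack("<H", 2)
    ifd0 += entry(TAG_DATETIME, TYPE_ASCII, len(date), struct.pack("<I", date_off))
    ifd0 += entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack("<I", gps_off))
    ifd0 += struct.pack("<I", 0)                         # no next IFD
    gps = struct.pack("<H", 4)
    gps += entry(GPS_LAT_REF, TYPE_ASCII, 2, b"N\x00\x00\x00")   # values of 4 bytes or less sit inline
    gps += entry(GPS_LAT, TYPE_RATIONAL, 3, struct.pack("<I", lat_off))
    gps += entry(GPS_LON_REF, TYPE_ASCII, 2, b"W\x00\x00\x00")
    gps += entry(GPS_LON, TYPE_RATIONAL, 3, struct.pack("<I", lon_off))
    gps += struct.pack("<I", 0)
    return b"II" + struct.pack("<HI", 42, ifd0_off) + ifd0 + date + gps + lat + lon


def _read_ifd(blob, off, bo):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for the IFD at off."""
    n, = struct.unpack_from(bo + "H", blob, off)
    entries = {}
    for i in range(n):
        tag, typ, count, raw = struct.unpack_from(bo + "HHI4s", blob, off + 2 + 12 * i)
        entries[tag] = (typ, count, raw)
    return entries


def _value(blob, bo, typ, count, raw):
    """Decode one IFD entry, following the offset when the value does not fit inline."""
    if typ == TYPE_ASCII:
        data = raw[:count] if count <= 4 else blob[struct.unpack(bo + "I", raw)[0]:][:count]
        return data.rstrip(b"\x00").decode("ascii")
    if typ == TYPE_LONG:
        return struct.unpack(bo + "I", raw)[0]
    if typ == TYPE_RATIONAL:
        off = struct.unpack(bo + "I", raw)[0]
        pairs = struct.unpack_from(bo + "II" * count, blob, off)
        return [pairs[i] / pairs[i + 1] for i in range(0, 2 * count, 2)]
    raise ValueError("unsupported EXIF type %d" % typ)


def _to_decimal(dms, ref):
    d, m, s = dms
    val = d + m / 60 + s / 3600
    return -val if ref in ("S", "W") else val


def extract_location_metadata(blob):
    """Return (timestamp, latitude, longitude) from a TIFF/EXIF blob; None for fields not present."""
    bo = "<" if blob[:2] == b"II" else ">"
    magic, ifd0_off = struct.unpack_from(bo + "HI", blob, 2)
    if magic != 42:
        raise ValueError("not a TIFF/EXIF header")
    ifd0 = _read_ifd(blob, ifd0_off, bo)
    when = _value(blob, bo, *ifd0[TAG_DATETIME]) if TAG_DATETIME in ifd0 else None
    lat = lon = None
    if TAG_GPS_IFD in ifd0:
        gps = _read_ifd(blob, _value(blob, bo, *ifd0[TAG_GPS_IFD]), bo)
        if GPS_LAT in gps and GPS_LON in gps:
            lat = _to_decimal(_value(blob, bo, *gps[GPS_LAT]), _value(blob, bo, *gps[GPS_LAT_REF]))
            lon = _to_decimal(_value(blob, bo, *gps[GPS_LON]), _value(blob, bo, *gps[GPS_LON_REF]))
    return when, lat, lon


if __name__ == "__main__":
    print(extract_location_metadata(build_sample_exif()))
```

The mitigation follows from the structure: an app that shares or uploads photos should drop the GPS directory (or the whole EXIF segment) before the image leaves the device, and a user can check whether location tagging is enabled in the camera settings. Note that the parser above trusts the offsets in the blob; a production parser reading untrusted files should bounds-check every offset against the blob length before following it.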


Remember, while many mobile applications are becoming very secure and very good at protecting your sensitive data, a great many applications are deployed without the benefit of a mature software development process. So whether you are developing mobile applications or just using them, if it hasn’t been 'Fortify-ed' you don’t know what you're getting – or what someone might be getting from you!


Learn more about HP Fortify here:  Watch the video at Pronq

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation