We already know what the key to mobile device security is, right? We have learned that keeping your sensitive data safe, keeping your private information out of the hands of hackers, and protecting your authentication tokens are essential for your security.
Okay, that is the basic thing everyone should know. Now we will learn more about the APIs Android offers for local data storage, and we will discuss the best practices for using them.
It can be explained very simply. You have public data, which is available to everyone, and you have sensitive and personal data, which you want to keep private and protected. The best choice is actually to keep that data out of device storage altogether, but we will talk about that a little later.
How to test local storage for sensitive data?
As we have already said, the best approach is to keep as little sensitive data as you can in your device's storage. But that is not possible for all data, and some must be stored. That is what we are going to discuss here: how to do that properly!
The device can save sensitive data in several places, for example on the external SD card or on the device itself. When an app processes sensitive data, it may leave your personal information, passwords and more there. It is important to understand that exactly those things are the ones that are interesting to attackers and vulnerable.
Let's say an attacker obtains some of that information and later uses it, for example, for social engineering (if PII has been disclosed) or account hijacking (if session information, authentication tokens or something similar has been disclosed). Besides those examples, an attacker can also gather information from an application that has a payment option and later use it for attack and abuse.
Storing data is essential for numerous mobile apps. Some apps, for example, use data storage to keep track of the user's settings or user-provided data. Data can be stored persistently in several different ways. Here is the list of widely used Android storage techniques:
1. Shared Preferences.
2. SQLite Databases.
3. Realm Databases.
4. Internal Storage.
5. External Storage.
The first one, Shared Preferences, is used for permanently saving small collections of key-value pairs. They are written to a plain-text XML file, which can be either world-readable or private.
The second technique, the SQLite database, is unencrypted. SQLite is a SQL database engine that stores data in .db files. The most important thing to remember here is not to store sensitive data in unencrypted SQLite databases. There is also an encrypted version of this technique, which should be preferred when storing sensitive data.
Let's talk about Realm databases now. Realm is a database for Java that is becoming more and more popular among developers. The database content can be encrypted with a key that is stored in the configuration file.
Fourth is Internal Storage. Files you save here are containerized by default, so they cannot be accessed by other apps on the same device.
Last but not least is External Storage. Every Android-compatible device supports it. It may be removable, like an SD card, or internal (non-removable). Here, the data is stored in a clear-text file in external storage once the activity has been called.
The Android KeyStore
The Android KeyStore supports relatively secure credential storage. It provides public APIs for storing and using app-private keys. An app can use a public key to create a new private/public key pair for encrypting application secrets, and it can decrypt those secrets with the private key.
How can you protect a key that is stored in the Android KeyStore? With user authentication. The user's lock screen credentials are used for that authentication: pattern, password, fingerprint or PIN. Stored keys can be used in two modes.
First mode: users are authorized to use keys for a limited period of time after authentication. Here, all keys can be used as soon as the user unlocks the device. You can customize the authorization period for each key. Also remember that if the secure lock screen is disabled, all stored keys become permanently invalid.
Second mode: users are authorized to use a specific cryptographic operation, which is most of the time associated with just one key. Users must request a separate authorization for each operation that involves that key. Currently, fingerprint authentication is the only way to request authorization of that kind.
How to check for sensitive data disclosure through the user interface?
Numerous apps require users to enter several kinds of data, for example to register an account or to make a payment. Sensitive data can easily be exposed here if the app doesn't mask it properly and displays it in clear text. What can be done about that? Enforce sensitive data masking in the app's activities to prevent disclosure and mitigate risks such as shoulder surfing.
To be sure that the app is really masking sensitive user input, check for the following attribute in the definition of the EditText: android:inputType="textPassword". With it, dots are displayed in the text field, which prevents the app from leaking passwords or PINs to the user interface.
Static analysis of local storage
There are several different ways to store information on an Android device. The first thing to do is to check several sources to determine what kind of storage the Android app uses. Only then can you tell whether the app processes sensitive data in an insecure way.
First, check AndroidManifest.xml for read/write external storage permissions. It would look like this: <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />.
It is also advisable to check the source code for the keywords and API calls that are used to store data. These are the file permissions to look for:
- MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE: you should avoid using these.
- MODE_WORLD_WRITEABLE and MODE_WORLD_READABLE mean that any application will be able to read from or write to the files.
There are also content providers, which offer read and write permissions to other apps and can grant dynamic permissions on a case-by-case basis. These are the classes and functions to look for:
- SharedPreferences: the class which stores key-value pairs;
- FileOutputStream: a class that uses internal or external storage;
- getExternal*: functions which use external storage only;
- getWritableDatabase: a function that returns a SQLiteDatabase for writing;
- getReadableDatabase: a function that returns a SQLiteDatabase for reading;
- getCacheDir and getExternalCacheDirs: functions which use cached files.
Also, you need to understand that encryption must always be implemented using proven SDK functions.
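The manifest and source-code checks above can be scripted. This is an added example, not code from the original article: the manifest, the Java snippets, the package name and the finding labels are constructed for illustration, and the patterns are heuristics that point a reviewer at lines to inspect by hand.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Keywords and API calls from the list above that deserve a manual look.
RISKY_PATTERNS = {
    "world-accessible file mode": r"MODE_WORLD_(READABLE|WRITEABLE)",
    "external storage API": r"\bgetExternal\w*\(",
    "SharedPreferences": r"\bgetSharedPreferences\(",
    "raw file output": r"\bFileOutputStream\b",
    "SQLite database": r"\bget(Writable|Readable)Database\(",
    "cache directory": r"\bget(External)?CacheDirs?\(",
}

def external_storage_permissions(manifest_xml):
    """Return the external-storage permissions declared in AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = [e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")]
    return sorted(n for n in names if n.endswith("_EXTERNAL_STORAGE"))

def scan_source(files):
    """Map each finding label to the (file, line number) pairs where it occurs."""
    findings = {}
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for label, pattern in RISKY_PATTERNS.items():
                if re.search(pattern, line):
                    findings.setdefault(label, []).append((path, lineno))
    return findings

# Constructed sample input (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
</manifest>"""
SAMPLE_SOURCES = {
    "LoginActivity.java": (
        'SharedPreferences p = getSharedPreferences("key", MODE_WORLD_READABLE);\n'
        'p.edit().putString("password", pw).commit();\n'
    ),
    "Export.java": (
        "File dir = getExternalFilesDir(null);\n"
        'FileOutputStream out = new FileOutputStream(new File(dir, "dump.txt"));\n'
    ),
}

if __name__ == "__main__":
    print(external_storage_permissions(SAMPLE_MANIFEST))
    for label, hits in scan_source(SAMPLE_SOURCES).items():
        print(label, hits)
```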
What about dynamic analysis? To determine whether the app is leaking sensitive information to the user interface, run the app and identify the components that either show such information or take it as input.
Let's say the information is masked. What does that tell you? It means that the app isn't leaking the data to the user interface.
All in all, you must complete the following:
- identify development files, backup files and old files that shouldn't be included with the production release.
- determine whether SQLite databases are available and whether they contain sensitive information. They are stored in /data/data/<package-name>/databases.
- after that, check the preferences, which are stored as XML files. You can find them in /data/data/<package-name>/shared_prefs.
- check the permissions of the files in /data/data/<package-name>. Here, you need to check the read, write and execute permissions (rwx).
- after you have done all of this, determine whether a Realm database is available in /data/data/<package-name>/files/. If it is, check whether it contains sensitive information and whether it is unencrypted.
- the last step is checking external storage for data. That's it!
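Three of the checks in this list can be automated once a directory listing and the files have been collected from a test device. This is an added example, not code from the original article: the `ls -l` listing, the preferences file and the sensitive-name pattern are constructed, and the name pattern is a heuristic.

```python
import re
import xml.etree.ElementTree as ET

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of an unencrypted SQLite file
SENSITIVE = re.compile(r"pass(word)?|token|secret|pin|session", re.I)  # heuristic

def world_accessible(ls_listing):
    """Return names from `ls -l` output whose 'other' permission bits are not '---'."""
    hits = []
    for line in ls_listing.splitlines():
        fields = line.split()
        if len(fields) >= 2 and re.fullmatch(r"[-dl][-rwxsStT]{9}", fields[0]):
            if fields[0][7:10] != "---":
                hits.append(fields[-1])
    return hits

def is_plaintext_sqlite(first_bytes):
    """True if the data starts with the standard SQLite header, i.e. is not encrypted."""
    return first_bytes.startswith(SQLITE_MAGIC)

def sensitive_pref_keys(prefs_xml):
    """Return the names of shared_prefs entries whose key looks sensitive."""
    root = ET.fromstring(prefs_xml)
    return [e.get("name") for e in root if SENSITIVE.search(e.get("name", ""))]

# Constructed sample input (owner name, sizes, dates and values are made up).
LS_SAMPLE = """\
-rw-rw---- 1 u0_a82 u0_a82 20480 2024-01-01 10:00 notes.db
-rw-rw-r-- 1 u0_a82 u0_a82   214 2024-01-01 10:00 key.xml
drwxrwx--- 2 u0_a82 u0_a82  4096 2024-01-01 10:00 shared_prefs
"""
PREFS_SAMPLE = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">constructed-value</string>
    <string name="auth_token">constructed-value</string>
    <boolean name="dark_mode" value="true" />
</map>"""

if __name__ == "__main__":
    print("accessible to other users:", world_accessible(LS_SAMPLE))
    print("plain SQLite header:", is_plaintext_sqlite(SQLITE_MAGIC + b"\x10\x00"))
    print("sensitive preference keys:", sensitive_pref_keys(PREFS_SAMPLE))
```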
Android Auto-Backup Features
We will now discuss testing backups for sensitive data. These auto-backup features usually include copies of the data and settings of all installed apps. The important concern to remember here is sensitive user data stored by the app leaking through these backups.
Let's see which backup options Android supports:
1. Stock Android: built-in USB backup facilities.
2. "Back Up My Data": provided by Google.
3. Backup APIs for developers: key/value backup and auto backup for applications.
4. OEMs: they can provide additional options.
The Cloud
It is very important to mention the cloud in this lesson. While using it, you must always know which files are sent to the cloud (for example, SharedPreferences), whether those files contain sensitive information, and whether that sensitive information (if it exists) is encrypted before it is sent to the cloud.
That would be all from this lesson! I really hope that you have enjoyed it and learned something new! I have so much to share, so stay connected and follow the latest information from the best source on the web! Learn about the tech world every day, and don't let yourself get caught in a dangerous situation because you didn't know how to protect yourself and your sensitive data!