Difference between revisions of "Mobile Top 10 2012-M1 Insecure Data Storage"

Revision as of 20:19, 23 January 2013

Threat Agents	Attack Vectors	Security Weakness		Technical Impacts	Business Impacts
Application Specific	Exploitability EASY	Prevalence COMMON	Detectability EASY	Impact SEVERE	Application / Business Specific
Threats Agents include lost/stolen phones and the possibility of in-the-wild exploit/malware gaining access to the device.	A malicious agent hooks up an unprotected device to a computer with commonly available software. They are able to see all third party application directories that often contain stored personal information.	M1, insecure data storage, occurs when development teams assume that users will not have access to the phones file system ans store sensitive pieces of information in data-stores on the phone. Devices file systems are often accessible easily and you should expect a malicious user to be inspecting your data stores. Rooting or jailbreaking a device usually circumvents any encryption protections and in some cases, where data is not protected properly, all that is needed to view application data is to hook the phone up to a computer and use some specialized tools.		Insecure data storage can result in data loss, in the best case, for one user. In the worst case, for many users. Common valuable pieces of data seen stored include: Usernames Authentication tokens Passwords Cookies Location data UDID/EMEI, Device Name, Network Connection Name Personal Information: DoB, Address, Social, Credit Card Data Application Data: Stored application logs Debug information Cached application messages Transaction histories	Insert text here

Am I Vulnerable To Insecure Data Storage?

@@ Line 7: / Line 7: @@
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Threats Agents include lost/stolen phones and the possibility of in-the-wild exploit/malware gaining access to the device. </td>
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> A malicious agent hooks up an unprotected device to a computer with commonly available software. They are able to see all third party application directories that often contain stored personal information. </td>
-      <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>M1, insecure data storage, occurs when development teams assume that users will not have access to the phones file system. Devices file systems are often accessible easily and you should expect a malicious user to be inspecting your data stores. Rooting or jailbreaking a device usually circumvents any encryption protections and in some cases, where data is not protected properly, all that is needed to view application data is to hook the phone up to a computer and use some specialized tools. </td>
+      <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>M1, insecure data storage, occurs when development teams assume that users will not have access to the phones file system ans store sensitive pieces of information in data-stores on the phone. Devices file systems are often accessible easily and you should expect a malicious user to be inspecting your data stores. Rooting or jailbreaking a device usually circumvents any encryption protections and in some cases, where data is not protected properly, all that is needed to view application data is to hook the phone up to a computer and use some specialized tools. </td>
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Insecure data storage can result in data loss, in the best case, for one user. In the worst case, for many users. Common valuable pieces of data seen stored include:
 * Usernames

Difference between revisions of "Mobile Top 10 2012-M1 Insecure Data Storage"

Revision as of 20:19, 23 January 2013

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools