
Difference between revisions of "Mobile Top 10 2012-M1 Insecure Data Storage"

From OWASP
Line 7: Line 7:
 
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Threats Agents include lost/stolen phones and the possibility of in-the-wild exploit/malware gaining access to the device. </td>
 
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Threats Agents include lost/stolen phones and the possibility of in-the-wild exploit/malware gaining access to the device. </td>
 
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> A malicious agent hooks up an unprotected device to a computer with commonly available software. They are able to see all third party application directories that often contain stored personal information. </td>
 
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> A malicious agent hooks up an unprotected device to a computer with commonly available software. They are able to see all third party application directories that often contain stored personal information. </td>
     <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>M1, insecure data storage, occurs when development teams assume that users will not have access to the phones file system ans store sensitive pieces of information in data-stores on the phone. Devices file systems are often accessible easily and you should expect a malicious user to be inspecting your data stores. Rooting or jailbreaking a device usually circumvents any encryption protections and in some cases, where data is not protected properly, all that is needed to view application data is to hook the phone up to a computer and use some specialized tools. </td>
+
     <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>M1, insecure data storage, occurs when development teams assume that users will not have access to the phones file system and store sensitive pieces of information in data-stores on the phone. Devices file systems are often accessible easily and you should expect a malicious user to be inspecting your data stores. Rooting or jailbreaking a device usually circumvents any encryption protections and in some cases, where data is not protected properly, all that is needed to view application data is to hook the phone up to a computer and use some specialized tools. </td>
 
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Insecure data storage can result in data loss, in the best case, for one user. In the worst case, for many users. Common valuable pieces of data seen stored include:  
 
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Insecure data storage can result in data loss, in the best case, for one user. In the worst case, for many users. Common valuable pieces of data seen stored include:  
 
* Usernames
 
* Usernames
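Review bot: the corrected Security Weakness cell (the `+` line) fixes "ans" but leaves the other grammar slips in the same sentence: "the phones file system" should be "the phone's file system", and "Devices file systems are often accessible easily" should read "Device file systems are often easily accessible". The Threat Agents cell above it still reads "Threats Agents", and the Technical Impacts cell beneath it carries the fragment "In the worst case, for many users."; suggest "in the best case for one user and in the worst case for many." While the cell is being edited, these could go in the same revision.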

Revision as of 20:20, 23 January 2013

Threat Agents: Application Specific. Threat agents include lost/stolen phones and the possibility of in-the-wild exploit/malware gaining access to the device.

Attack Vectors: Exploitability EASY. A malicious agent hooks up an unprotected device to a computer with commonly available software. They are able to see all third-party application directories, which often contain stored personal information.

Security Weakness: Prevalence COMMON; Detectability EASY. M1, insecure data storage, occurs when development teams assume that users will not have access to the phone's file system and store sensitive pieces of information in data stores on the phone. Device file systems are often easily accessible, and you should expect a malicious user to be inspecting your data stores. Rooting or jailbreaking a device usually circumvents any encryption protections, and in some cases, where data is not protected properly, all that is needed to view application data is to hook the phone up to a computer and use some specialized tools.

Technical Impacts: Impact SEVERE. Insecure data storage can result in data loss: in the best case for one user, in the worst case for many users. Common valuable pieces of data seen stored include:
  • Usernames
  • Authentication tokens
  • Passwords
  • Cookies
  • Location data
  • UDID/IMEI, Device Name, Network Connection Name
  • Personal Information: DoB, Address, Social, Credit Card Data
  • Application Data:
    • Stored application logs
    • Debug information
    • Cached application messages
    • Transaction histories

Business Impacts: Application / Business Specific.
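The list above is what a storage review of your own app looks for once its data directory has been copied off a test device. As an added example (not from the OWASP page or any OWASP tool), the Python script below walks such a directory and flags plain files and SQLite rows that hold passwords, tokens, location fixes or card numbers in the clear; the regexes, directory layout and sample contents are all constructed for this example.

```python
import pathlib, re, sqlite3, tempfile

PATTERNS = {  # one regex per data class the M1 summary lists (constructed for this example)
    "password": re.compile(r'"?(?:password|passwd|pwd)"?\s*[:=]\s*"?[^"\s,]+', re.I),
    "auth_token": re.compile(r'"?(?:auth_?token|session_?id|token)"?\s*[:=]\s*"?[^"\s,]+', re.I),
    "location": re.compile(r'"?(?:lat|latitude|lon|longitude)"?\s*[:=]\s*-?\d{1,3}\.\d+', re.I),
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),  # 13-19 digits, Luhn-checked
}

def luhn_ok(digits):
    # Luhn checksum cuts false positives on long digit runs (timestamps, record ids)
    total = sum(int(c) * (2 if i % 2 else 1) - (9 if i % 2 and int(c) > 4 else 0)
                for i, c in enumerate(reversed(digits)))
    return total % 10 == 0

def read_store(path):
    # Plain files are scanned as text; SQLite databases are dumped row by row
    data = pathlib.Path(path).read_bytes()
    if not data.startswith(b"SQLite format 3\x00"):
        return data.decode("utf-8", errors="ignore")
    conn = sqlite3.connect(path)
    tables = [t for (t,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    return "\n".join(" | ".join(map(str, r)) for t in tables for r in conn.execute(f'SELECT * FROM "{t}"'))

def scan_app_dir(root):
    # Map each file (POSIX-style path relative to root) to the data classes found in it
    findings = {}
    for path in sorted(p for p in pathlib.Path(root).rglob("*") if p.is_file()):
        text = read_store(path)
        hits = sorted(n for n, rx in PATTERNS.items() if any(
            n != "card_number" or luhn_ok(re.sub(r"\D", "", m.group())) for m in rx.finditer(text)))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_sample_app_dir():
    # Constructed stand-in for an app data directory copied off a device; not real data
    root = tempfile.mkdtemp()
    for rel, body in {
        "shared_prefs/session.json": '{"username": "alice", "password": "hunter2", "token": "c2Vzc2lvbi1ub3QtcmVhbA"}',
        "cache/last_fix.json": '{"lat": 37.7749, "lon": -122.4194, "ts": 1358986800}',
        "logs/app.log": "2013-01-23 20:20:00 app started\n",  # benign: must yield no finding
    }.items():
        pathlib.Path(root, rel).parent.mkdir(exist_ok=True)
        pathlib.Path(root, rel).write_text(body)
    pathlib.Path(root, "databases").mkdir()
    with sqlite3.connect(pathlib.Path(root, "databases", "orders.db")) as conn:
        conn.execute("CREATE TABLE orders (id INTEGER, card TEXT)")
        conn.execute("INSERT INTO orders VALUES (1, '4111 1111 1111 1111')")  # Luhn-valid test PAN
    return root
```

Running `scan_app_dir(build_sample_app_dir())` reports the session file, the cached location fix and the orders database, and nothing for the log file; point `scan_app_dir` at a real extracted data directory to audit an app.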

Am I Vulnerable To Insecure Data Storage?