M9: Insecure Data Storage

Insecure data storage exposes sensitive information on the device or supporting services. Attackers with physical or malware access can retrieve cached credentials, payment data, or personal content if it is stored without strong protections. Mobile devices are frequently lost, stolen, or rooted, amplifying the risk.

Typical Weakness Patterns

  • Storing secrets in plaintext within shared preferences, plist files, SQLite databases, or local caches.
  • Relying solely on client-side encryption keys stored alongside the ciphertext.
  • Backing up sensitive files to cloud services or unprotected directories that other apps can read.
  • Logging sensitive payloads (PII, tokens, health data) to local files for debugging.

Detection Cues

  • Forensic review of device storage (using adb, iTunes backups, or mobile forensic suites) to identify unencrypted data.
  • Static analysis that flags usage of insecure storage APIs or missing hardware-backed key protection.
  • Automated tests that inspect backup artefacts to verify that sensitive data is excluded or encrypted.
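As an added example (not code from the original page), the kind of automated check behind the first and third cues above: a Python scanner over a constructed Android shared_prefs XML file and an in-memory SQLite database that flags plaintext tokens and data under sensitive-looking keys or columns. The key-name patterns and both sample inputs are assumptions chosen for illustration.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
# Key/column names that often hold credentials or PII, and the shape of an unencrypted JWT.
SENSITIVE_NAME = re.compile(r"token|secret|passw|cookie|card|ssn|api.?key", re.I)
JWT = re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]*$")

# Constructed sample shared_prefs XML (not from a real app; real ones live in /data/data/<pkg>/shared_prefs/).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
  <string name="theme">dark</string>
  <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2ln</string>
  <string name="card_last4">4242</string>
  <boolean name="first_run" value="false" />
</map>
"""

def scan_shared_prefs(xml_text):
    """Return (key, reason) pairs for entries that look like plaintext secrets."""
    findings = []
    for elem in ET.fromstring(xml_text):
        name = elem.get("name", "")
        value = (elem.text or elem.get("value") or "").strip()  # non-string prefs use an attribute
        if JWT.match(value):
            findings.append((name, "plaintext JWT"))
        elif SENSITIVE_NAME.search(name) and value:
            findings.append((name, "sensitive-looking key with readable value"))
    return findings

def scan_sqlite(conn):
    """Return (table.column, reason) pairs for sensitive-named columns that hold data."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            col = row[1]
            if not SENSITIVE_NAME.search(col):
                continue
            # LENGTH(NULL) is NULL, so only rows with a non-empty value are counted.
            n = conn.execute(f'SELECT COUNT(*) FROM "{table}" WHERE LENGTH("{col}") > 0').fetchone()[0]
            if n:
                findings.append((f"{table}.{col}", f"{n} row(s) with readable value"))
    return findings

def build_sample_db():
    """Constructed in-memory stand-in for an app's SQLite cache (not real app data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""CREATE TABLE accounts (id INTEGER, email TEXT, password TEXT);
        INSERT INTO accounts VALUES (1, 'a@example.com', 'hunter2'), (2, 'b@example.com', NULL);""")
    return conn
```

Run the two scanners against files pulled from a test device (or against a restored backup) in CI so that any new finding fails the build until the value is moved to secure storage or removed.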

Mitigation

  • Store only the minimum data needed on-device and enforce short retention periods.
  • Use platform-provided secure storage (Android Keystore, iOS Keychain with Secure Enclave) and bind keys to user authentication factors.
  • Exclude sensitive files from backups (mark them no_backup/do-not-backup) and isolate them within app-private directories.
  • Redact sensitive values from logs, disable verbose logging in production, and scrub memory buffers when data is no longer required.