External Storage Exposure
Description
Saving sensitive files to external/shared storage (e.g., /sdcard) exposes them to other apps and to users connecting the device over USB. External storage lacks per‑app isolation.
Examples
Pull Data From External Storage
adb shell ls -l /sdcard/Android/data/com.example.app/files
adb pull /sdcard/Android/data/com.example.app/files/backup.json .
If files contain tokens/PII, they are exposed beyond the app sandbox.
Remediation
- Prefer internal storage
  - Use app‑private directories; avoid external storage for sensitive content.
- Encrypt at rest
  - If external storage is required, encrypt files with keys from Keystore and include integrity checks.
- Lifecycle hygiene
  - Wipe temporary/cache files and revoke access promptly.