Your Apps Are Leaking: The Hidden Data Risks on Your Phone, Part 2
Part 2: Local Storage, Data Transmission and other vulnerabilities
In our previous article, we explored how cloud misconfigurations and poor cryptographic practices in mobile apps can expose enterprise data. However, the risks don't stop there. Our research has uncovered equally concerning issues with how mobile apps handle data locally on devices and transmit information to remote servers.
The stakes in mobile security continue to rise. With over 1.7 billion individuals having their personal data compromised in 2024 alone, and financial losses reaching 280 billion dollars, organizations can't afford to overlook any aspect of mobile app security. This article explores how common app behaviors around data storage and transmission create significant risks for enterprises.
The Hidden Dangers of Local Data Storage
Our analysis of 54,648 work apps revealed alarming patterns in how mobile applications handle sensitive data on devices. These findings highlight the risks that exist even in apps from official stores:
Console Logging: A Window to Your Data
Our analysis found that 6% of the top 100 Android apps write Personally Identifiable Information (PII) to the console log. This practice makes sensitive data accessible to other apps with logging permissions, creating an unnecessary exposure point for user data. Console logs are meant for debugging, not storing sensitive information, yet many developers fail to remove or properly secure these logging statements in production releases.
External Storage Vulnerabilities
Of the apps analysed, 4% of the top 100 Android apps write PII to external storage, where it can be read by other applications or easily extracted if a device is compromised. External storage is accessible to all apps by default: it is intended to extend the device's memory and to let apps share information, but that sharing capability becomes a liability when sensitive information is involved.
Insecure Local Data Storage
Perhaps most concerning, 91% of all Android apps write PII to local data storage. Even though local storage is not shared between apps, the data remains on the device, available to an attacker who gains access to it. While this issue is less prevalent on iOS, it still appears in some apps, creating significant privacy and security concerns. This data often includes:
- User credentials
- Authentication tokens
- Personal information
- Business-related data
Figure 1. An app writing user’s sensitive data to the external storage or the console log is making the data readily available to other potentially malicious apps. Writing to local storage does bring an extra layer of protection, but the data could still be accessed by an attacker.
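The three storage findings above (PII in the console log, on external storage, and in plaintext local storage) can be caught before release with a simple source check. The scanner below is an added example, not the report's own tooling: the regexes are heuristics over Android Java source, the PII identifier hints are an assumption, and both code samples it scans are constructed for illustration.

```python
"""Static check for the three local-storage risks above: PII written to the
console log, to external storage, or to local storage in plaintext.
Added illustration, not the report's tooling: the regexes are heuristics
over Android Java source and the two samples are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Identifier fragments that usually signal personal or secret data (assumed list).
PII_HINTS = ("password", "passwd", "token", "email", "phone",
             "ssn", "imei", "address", "username", "secret")

LOG_CALL = re.compile(r"\bLog\.(v|d|i|w|e|wtf)\s*\(")
EXTERNAL_STORAGE = re.compile(
    r"getExternalStorageDirectory|getExternalFilesDir|"
    r"getExternalStoragePublicDirectory|getExternalCacheDir")
ENCRYPTED_PREFS = re.compile(r"EncryptedSharedPreferences")
PREFS_PUT = re.compile(r'\.put(?:String|Int|Long|Boolean|Float|StringSet)\s*\(\s*"([^"]+)"')


@dataclass
class Finding:
    line_no: int
    category: str
    detail: str


def mentions_pii(text: str) -> bool:
    low = text.lower()
    return any(hint in low for hint in PII_HINTS)


def scan_source(source: str) -> list[Finding]:
    """Return findings in line order. Console-log and SharedPreferences
    findings require a PII-looking identifier; any external-storage path
    is reported, because that location is readable by other apps."""
    findings: list[Finding] = []
    # Crude file-level signal: if the file uses EncryptedSharedPreferences,
    # assume its preference writes go through it.
    uses_encrypted = bool(ENCRYPTED_PREFS.search(source))
    for n, line in enumerate(source.splitlines(), 1):
        if LOG_CALL.search(line) and mentions_pii(line):
            findings.append(Finding(n, "console-log-pii", line.strip()))
        if EXTERNAL_STORAGE.search(line):
            findings.append(Finding(n, "external-storage", line.strip()))
        m = PREFS_PUT.search(line)
        if m and mentions_pii(m.group(1)) and not uses_encrypted:
            findings.append(Finding(n, "plaintext-local-storage", line.strip()))
    return findings


# Constructed sample showing the patterns the report describes.
VULNERABLE_SOURCE = """
Log.d("LoginActivity", "user password: " + password);
Log.i("Profile", "loaded profile " + userId);
File out = new File(Environment.getExternalStorageDirectory(), "export.csv");
prefs.edit().putString("auth_token", token).apply();
prefs.edit().putInt("launch_count", launches).apply();
"""

# Constructed sample: same features, with the secret kept out of the log,
# the file in app-private storage, and the token in EncryptedSharedPreferences.
HARDENED_SOURCE = """
Log.d("LoginActivity", "login attempt for user id " + userId);
File out = new File(context.getFilesDir(), "export.csv");
SharedPreferences prefs = EncryptedSharedPreferences.create(context, "auth", masterKey, keyScheme, valueScheme);
prefs.edit().putString("auth_token", token).apply();
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(name, [(f.line_no, f.category) for f in scan_source(src)])
```

Run against the first sample it reports one finding per risk class; the hardened sample produces none. The external-storage rule deliberately fires on the path alone, since what ends up in that file cannot be decided from one line; treat those as review items rather than confirmed leaks.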
Data Transmission: The Silent Data Leak
Sending data away.
Our research found that 31% of all apps and 37% of the top 100 apps send PII to remote servers, often without adequate encryption. This data transmission occurs in the background, and users typically have no visibility into what information is being sent or where it's going.
Secret Data Exfiltration
Even more concerning, we identified several apps, including one Android app in the top 50 (which we covered in a previous blog post), that can secretly exfiltrate user data to remote servers. The mechanisms we discovered include 3 SDKs with the following capabilities:
- SDK 1
  - Downloads encrypted payloads at runtime
  - Secretly exfiltrates privacy-related data
  - Collects GPS data, device identifiers, and call logs
  - Sends data to Chinese servers
- SDK 2
  - Actively logs all URL requests
  - Captures PII data
  - Performs click fraud
- SDK 3
  - Captures screenshots of user activities
  - Records user taps and interactions
  - Can capture usernames and passwords
  - Sends data to remote servers without notification
  - A legitimate tool when used for development, but a liability in a production release
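Both the background PII transmission described above and the SDK exfiltration behaviour show up on the network as PII-carrying requests that either travel in cleartext or go to hosts the app has no business contacting. The monitor below is an added example, not the report's tooling: it reads constructed proxy/MDM log records, the PII field names and the per-app host allowlist are assumptions, and the hostnames are placeholders.

```python
"""Egress monitor for PII leaving a device: flags requests that carry
PII-named fields over cleartext HTTP, and PII sent to hosts an app is not
expected to contact. Added example, not the report's tooling; the log
lines, field list and per-app host allowlist are constructed."""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Field names that identify a person or device (assumed list).
PII_FIELDS = {"email", "phone", "imei", "android_id", "advertising_id",
              "lat", "lon", "contacts", "call_log", "password"}

# Hosts each managed app is expected to talk to (constructed allowlist).
EXPECTED_HOSTS = {
    "com.example.crm": {"api.example-crm.com"},
    "com.example.notes": {"sync.example-notes.com"},
}

# Constructed proxy/MDM log: one JSON record per request.
SAMPLE_LOG = """
{"app": "com.example.crm", "method": "POST", "url": "https://api.example-crm.com/v1/contacts", "body": {"email": "a@b.example", "phone": "+15550100"}}
{"app": "com.example.notes", "method": "POST", "url": "http://stats.example-adsdk.net/collect", "body": {"imei": "000000000000000", "android_id": "deadbeef"}}
{"app": "com.example.notes", "method": "GET", "url": "https://sync.example-notes.com/ping?ts=1", "body": {}}
{"app": "com.example.crm", "method": "POST", "url": "https://telemetry.example-tracker.io/e?lat=1.0&lon=2.0", "body": {"contacts": ["x"]}}
"""


@dataclass
class Alert:
    kind: str
    app: str
    host: str
    fields: list[str]


def pii_fields(record: dict) -> list[str]:
    """PII-named keys found in the query string or the JSON body, sorted."""
    url = urlsplit(record["url"])
    keys = set(parse_qs(url.query)) | set(record.get("body", {}))
    return sorted(k for k in keys if k.lower() in PII_FIELDS)


def assess(record: dict) -> list[Alert]:
    fields = pii_fields(record)
    if not fields:
        return []
    url = urlsplit(record["url"])
    host = url.hostname or ""
    alerts = []
    if url.scheme != "https":
        alerts.append(Alert("cleartext-pii", record["app"], host, fields))
    if host not in EXPECTED_HOSTS.get(record["app"], set()):
        alerts.append(Alert("undeclared-destination", record["app"], host, fields))
    return alerts


def monitor(log_text: str) -> list[Alert]:
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(assess(json.loads(line)))
    return alerts


def pii_by_destination(alerts: list[Alert]) -> dict[tuple[str, str], set[str]]:
    """Which PII each (app, host) pair has received: the transmission
    pattern view rather than the per-request one."""
    summary: dict[tuple[str, str], set[str]] = defaultdict(set)
    for a in alerts:
        summary[(a.app, a.host)].update(a.fields)
    return dict(summary)


if __name__ == "__main__":
    found = monitor(SAMPLE_LOG)
    for a in found:
        print(a.kind, a.app, a.host, a.fields)
    print(pii_by_destination(found))
```

The first record is PII sent over HTTPS to the app's own backend and raises nothing; the ad-SDK record raises both alerts; the telemetry record is encrypted but still flagged because the destination is not one the app declared. Aggregating by (app, host) is what turns individual requests into the kind of pattern that exposes an embedded SDK phoning home.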
Breach Vulnerabilities: The Perfect Storm
The combination of poor local storage practices and unsafe data transmission creates perfect conditions for data breaches. Our analysis found that 62% of the top 100 Android apps have some kind of breach vulnerability, which amplifies the possibility of an attack resulting in a data breach. Among the ones we found:
Medium Severity Issues
- Keyboard action listeners that could be used for keylogging
- Clear text password exposure in user interfaces
High Severity Issues
- Implicit activity vulnerabilities that could allow attackers to obtain the contents of files to which an app has access. If this or other apps have been writing PII or other user information to local files, this could lead to a data breach.
- Content provider data permission issues that risk disclosing content to malicious apps on the same device. Content providers are the mechanism built into Android for apps to share data, but improperly set permissions could broadcast a user's data to a malicious app that then exfiltrates it.
Figure 2. An Android app with improperly set content provider permissions could be broadcasting user’s sensitive data to malicious apps which would then exfiltrate it.
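The content provider and exported-component issues above are declared in the app's AndroidManifest.xml, so they can be checked from the manifest alone. The audit below is an added example, not the report's tooling: the manifest is constructed, and the export rules follow the platform defaults (a component with an intent-filter but no android:exported attribute is treated as exported; a provider with no attribute is treated conservatively as reachable).

```python
"""Manifest audit for the breach-vulnerability classes above: exported
activities, services, receivers and content providers that carry no
permission, so any app on the device can reach them. Added example, not
the report's tooling; the manifest is constructed."""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")
PERMISSION_ATTRS = ("permission", "readPermission", "writePermission")


def attr(el: ET.Element, name: str) -> str | None:
    return el.get(f"{{{ANDROID_NS}}}{name}")


def is_launcher(el: ET.Element) -> bool:
    """The launcher activity is exported by design; don't report it."""
    return any(attr(c, "name") == "android.intent.category.LAUNCHER"
               for f in el.findall("intent-filter")
               for c in f.findall("category"))


def is_exported(el: ET.Element) -> bool:
    explicit = attr(el, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if el.tag == "provider":
        return True  # no attribute: assume reachable until proven otherwise
    return el.find("intent-filter") is not None


def audit_manifest(xml_text: str) -> list[tuple[str, str]]:
    """Return (component type, class name) for every exported component
    that no permission attribute protects."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENTS or not is_exported(comp) or is_launcher(comp):
            continue
        if not any(attr(comp, p) for p in PERMISSION_ATTRS):
            findings.append((comp.tag, attr(comp, "name") or "?"))
    return findings


# Constructed manifest: one launcher activity, one implicitly exported
# activity, and three providers with different protection levels.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:mimeType="text/plain"/>
      </intent-filter>
    </activity>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes.provider" android:exported="true"/>
    <provider android:name=".AttachmentProvider" android:authorities="com.example.notes.attachments" android:exported="true" android:readPermission="com.example.notes.READ_ATTACHMENTS"/>
    <provider android:name=".CacheProvider" android:authorities="com.example.notes.cache" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for kind, name in audit_manifest(SAMPLE_MANIFEST):
        print(f"{kind} {name}: exported without a permission")
```

The audit reports .ShareActivity (exported implicitly through its intent-filter) and .NotesProvider (exported with no read or write permission); .AttachmentProvider is protected by a permission and .CacheProvider is not exported. The provider finding is the one the figure describes: the fix is android:exported="false" if no other app needs it, or a signature-level permission if one does. An exported activity is sometimes intended, but every hit still deserves a review of what data it accepts and returns.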
Protect yourself!
To minimize the risk of a data breach arising from these vulnerabilities, organizations should defend in the following ways:
Local Storage Protection
- Identify apps writing sensitive data to unsafe locations
- Detect inappropriate logging practices
- Validate data storage encryption
Data Transmission Security
- Monitor data transmission patterns
- Identify unauthorized data collection
- Detect malicious SDKs and components
Breach Prevention
- Analyze app behaviors for potential vulnerabilities
- Validate permission implementations
- Ensure proper data handling practices
Don't let your enterprise data become another statistic. Take action today and ensure that you are protected against app related risks.