In our previous article, we explored how cloud misconfigurations and poor cryptographic practices in mobile apps can expose enterprise data. However, the risks don't stop there. Our research has uncovered equally concerning issues with how mobile apps handle data locally on devices and transmit information to remote servers.
The stakes in mobile security continue to rise. With over 1.7 billion individuals having their personal data compromised in 2024 alone, and financial losses reaching 280 billion dollars, organizations can't afford to overlook any aspect of mobile app security. This article explores how common app behaviors around data storage and transmission create significant risks for enterprises.
Our analysis of 54,648 work apps revealed alarming patterns in how mobile applications handle sensitive data on devices. These findings highlight the risks that exist even in apps from official stores:
Our analysis found that 6% of the top 100 Android apps write Personally Identifiable Information (PII) to the console log. This practice makes sensitive data accessible to other apps with logging permissions, creating an unnecessary exposure point for user data. Console logs are meant for debugging, not for storing sensitive information, yet many developers fail to remove or properly secure these logging statements in production releases.
Of the apps analysed, 4% of the top 100 Android apps write PII to external storage, where it can be read by other applications or easily extracted if a device is compromised. External storage is accessible to all apps by default: it is intended to extend the device's storage capacity and let apps share files, but that sharing capability becomes a liability when sensitive information is involved.
Perhaps most concerning, 91% of all Android apps write PII to local data storage. Even though local storage is not shared between apps, the data remains on the device should an attacker gain access to it. While this issue is less prevalent on iOS, it still appears in some apps, creating significant privacy and security concerns. This data often includes:
Figure 1. An app that writes a user's sensitive data to external storage or the console log makes that data readily available to other, potentially malicious apps. Writing to local storage adds a layer of protection, but the data could still be accessed by an attacker.
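As an added illustration (not code from this report or from any app it analysed), the following Kotlin sketch shows the console-log and external-storage patterns described above beside a hardened version that masks the log line and keeps only ciphertext in app-private storage. The UserProfile record, the log tag, the function names and the Keystore alias are assumptions made for this example.

```kotlin
import android.content.Context
import android.os.Environment
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Log
import java.io.File
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

private const val TAG = "ProfileStore"        // assumed log tag
private const val KEY_ALIAS = "profile-key"   // assumed Keystore alias
data class UserProfile(val email: String, val phone: String)   // assumed record
// BEFORE: both patterns the analysis counted. The e-mail lands in logcat, and the file sits on
// shared external storage, where other apps may read it (reachability depends on OS version).
fun saveProfileUnsafe(profile: UserProfile) {
    Log.d(TAG, "saving profile for ${profile.email}")
    File(Environment.getExternalStorageDirectory(), "profile.txt")
        .writeText("${profile.email},${profile.phone}")
}
// Mask the local part so the log line still helps debugging without carrying the identifier.
private fun redact(email: String): String {
    val at = email.indexOf('@')
    return if (at > 1) "${email[0]}***${email.substring(at)}" else "***"
}
// Get (or generate once) a non-exportable AES-256 key held by the Android Keystore.
private fun keystoreKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (ks.getEntry(KEY_ALIAS, null) as? KeyStore.SecretKeyEntry)?.let { return it.secretKey }
    val spec = KeyGenParameterSpec.Builder(KEY_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE).setKeySize(256).build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}
// AES-GCM; the Keystore picks a fresh random IV, which is prefixed so the file can be decrypted.
private fun encrypt(plain: ByteArray): ByteArray {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, keystoreKey()) }
    return cipher.iv + cipher.doFinal(plain)
}
// AFTER: masked log line, ciphertext in app-private internal storage (MODE_PRIVATE); a file
// copied off a compromised device cannot be decrypted without the non-exportable Keystore key.
fun saveProfileSafe(context: Context, profile: UserProfile) {
    Log.d(TAG, "saving profile for ${redact(profile.email)}")
    context.openFileOutput("profile.bin", Context.MODE_PRIVATE).use { out ->
        out.write(encrypt("${profile.email},${profile.phone}".toByteArray()))
    }
}
```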
Our research found that 31% of all apps and 37% of the top 100 apps send PII to remote servers, often without adequate encryption. This data transmission occurs in the background, and users typically have no visibility into what information is being sent or where it's going.
Even more concerning, we identified several apps, including one Android app in the top 50 (which we covered in a previous blog post), that can secretly exfiltrate user data to remote servers. The mechanisms we discovered include three SDKs with the following capabilities:
The combination of poor local storage practices and unsafe data transmission creates perfect conditions for data breaches. Our analysis found that 62% of the top 100 Android apps have some kind of breach vulnerability, which increases the likelihood that an attack results in a data breach. Among the ones we found:
Figure 2. An Android app with improperly set content provider permissions could be broadcasting a user's sensitive data to malicious apps, which would then exfiltrate it.
To minimize the risk of a data breach arising from these vulnerabilities, you should defend in the following ways:
Don't let your enterprise data become another statistic. Take action today and ensure that you are protected against app-related risks.