Mobile devices continue to pick up steam on becoming the primary device that many people use for email, web browsing, social media and even shopping. As we continue installing app after app which we then put our personal information in to the question is how secure are these apps? This is the first blog in a series of Mobile App Security blogs which will discuss some of the common flaws that SecureState has encountered while performing assessments and through research. The goal of this series is to raise awareness of these issues as well as provide recommendations to developers and consumers on ways that that can remediate or mitigate the risk.
The first topic that we’ll cover is Insecure Data Storage and we’ll be focusing on discussing the Android platform. Mobile apps want us to enter information, whether that be credentials, our address or even what we’re about to have for dessert. These are then passed along to some web site/service which processes it or it is stored locally by the app. Everyday users have no idea what the app itself is actually doing with that data or how securely it is handling it. The permissions screen displayed when installing an app can be one possible indicator of what an app is doing, however these permissions are often overly vague or are just ignored by the consumer who just wants to get that hot new app installed that their friends are using.
Where are my files?
There are a number of different methods of storing data on Android devices. For storing data long term an app can either store it within its own app directory on the internal storage or it can store it externally on the SD card. One advantage of storing data on the SD card is that there is generally more space to do so. While writing to the SD card requires the WRITE_EXTERNAL_STORAGE Android permission for the app many people do not actually realize that *reading* data from the SD card does not actually require any permissions. So, any seemingly innocuous app without permissions can read any of your data which is stored on the SD card, though of course to actually do something meaningful with that would in fact also require the INTERNET permission or the ability to exploit another app which does have that permission. Any apps which choose to save data on the SD card are putting that data at risk for compromise.
One example of data that you would expect to find on the SD card are any pictures which have been snapped by the device. At a surface level those may seem fairly benign as many of those pictures often make their way on to social media to be intentionally shared; however there may also be family pictures, private events or even that secret formula you wanted to capture from the whiteboard at work that are intended to be private. Sometimes there are even *ahem* private pictures and the object said picture may never want to see the light of day. Plenty of celebrities with those leaked photos know the pain of the exposure of those images. Further, pictures that are shared via social media are generally stripped of extra information such as EXIF data which contain the coordinates of where the picture was taken. By obtaining raw access to these photos an attacker, or stalker, can discover precisely where these pictures were taken and track a person or object down.
Evernote Storage Example
Another example of data found during our own research was what is created by the popular Evernote app. If you’re unfamiliar with Evernote, it is an application that allows you to capture notes, documents, pictures, etc. which can then be accessed across any of your devices. After logging in to the Evernote app, it syncs down a copy of all of your notes, presumably so that they are fully accessible while offline, and saves them to the SD card. This is definitely a nice feature; however since Evernote uses the SD card all of your notes will be readable by any app. The structure of the Evernote directory contains a user-xxxxxxx directory which corresponds to the user’s id number. Underneath this directory is a notes directory broken up into a series of directories which upon drilling down in to reveals a directory with a GUID as the name. This directory contains the actual note data and we can see that the content.enml file within this directory contains an XML document which has the raw details of the note as seen in Figure 1. While best practices would dictate that users not store anything sensitive in Evernote without encryption, the reality is that most users will do it anyway.
What’s the fix?
Fixing this issue mostly relies with developers taking the proper precautions to secure data. With Jelly Bean, Google introduced the READ_EXTERNAL_STORAGEpermission which will be required for any app which wants to read any data from the SD card. The caveat is that while this permission exists it is still not actually enforced yet so this issue still persists for the time being. However, this does pave the way for enforcement in the future so at least users can be aware of what apps actually have access to data on external storage. One important note is that this still provides no granular breakdown in terms of permissions to the SD card so any app with this permission will still be able to access any piece of data regardless where it resides on the external card. Additionally, as mentioned earlier in regards to permissions, many users will still disregard the permissions screen while installing an app.
Additionally, using the internal storage of the app protects any other app from being able to directly access sensitive information stored in the app’s private files. To store data internally developers should use the openFileOutput method and pass it the MODE_PRIVATE flag to set the permissions appropriately. Files that are meant to be cached temporarily can also be stored with this method by passing along the result of the getCacheDir() method. Note that as space is needed the Android operating system will delete files within the cache directory to reclaim space; however there are no guarantees on if and when this will be done so developers should take it upon themselves to self-manage cache files. If using the SD card is a must, any sensitive information which will be stored externally should be encrypted with a unique key which is stored in a private location.
Since the current permissions model allows any app to read the SD card the average user will have a hard time detecting if an application is accessing data in a malicious way. However, one thing that can be done is to connect your device to a computer via a USB cable. You should then be able to browse the external storage of the device and at least understand what data is being stored as well as what applications may be storing sensitive information in this manner. Unless an app specifically creates its own directory on the external storage, a good place to focus on investigating is the /Android/data directory where each app will have its own subdirectory. While detecting rogue apps may not be possible, uninstalling careless apps and notifying the developers is one way to proactively protect your data from prying eyes.
Cross-posted from SecureState