Identity Management / Insecure Password Storage
Description
Insecure password storage is a vulnerability in the Identity Management category (CWE-257) that affects Android, iOS and other mobile applications. It is defined as storing user credentials, such as passwords, on the client system without encryption or other secure storage. If attackers obtain access to the user's device, this can expose sensitive user information and data. According to the OWASP Testing Guide, this vulnerability is tested by verifying that credentials are stored in an encrypted form and that authentication takes place over a secure connection.
Risk
This vulnerability carries a high risk of user data being stolen and abused. If user credentials are stolen, attackers may gain access to the user's account, compromising the user's security and privacy. Attackers may also use the stolen credentials to impersonate the user and reach sensitive data or applications.
Solution
To prevent this vulnerability, ensure that user credentials are stored in an encrypted form and that authentication is done over a secure connection. Additionally, enforce strong passwords and use Multi-Factor Authentication (MFA) whenever possible.
Example
The following is an example of insecure password storage in an Android application (userInput is an EditText holding the password typed by the user):
    // Hard-coded plaintext password: readable by anyone who can inspect the APK or the device storage.
    String storedPassword = "password";
    String enteredPassword = userInput.getText().toString();
    // Plaintext comparison on the client: no hashing, no encryption, no server-side check over a secure connection.
    if (storedPassword.equals(enteredPassword))
    {
        // User logged in
    }
    else
    {
        // User not logged in
    }
This code hard-codes the password in plaintext and compares it locally, using neither encryption nor a secure connection to authenticate the user, and is therefore vulnerable to attack.