Platform Usage / No Sensitive Data Stored Outside App
Description
Sensitive data stored outside the app is a vulnerability (CWE-311, Missing Encryption of Sensitive Data) that arises when an application does not properly protect the data it stores on remote systems or in locations outside its own sandbox, such as shared or external storage, backups and cloud services. It can lead to data theft or leakage to malicious actors. It affects mobile applications on both iOS and Android, and it can be detected through manual or automated tests. As stated in the OWASP Testing Guide, all sensitive data stored outside the application must be encrypted and securely stored.
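The automated test mentioned above usually amounts to pulling everything the app wrote outside its sandbox (external storage, shared folders, an unencrypted backup) and scanning it for secrets that should never appear in cleartext. The following Go program is an added example written for this page; it is not code from the original page or from any project it describes. The dump contents, the file paths and the detector patterns are constructed for illustration, and a real test suite would extend the patterns with the app's own token and cookie formats.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding records one sensitive value found in cleartext in a storage dump.
type Finding struct {
	Path    string // file inside the dump
	Kind    string // which detector fired
	Preview string // redacted value, safe to paste into a report
}

// Detectors used by the scan. The patterns are deliberately simple and are
// assumptions for this example, not an exhaustive secret catalogue.
var detectors = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"jwt", regexp.MustCompile(`\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b`)},
	{"credential-kv", regexp.MustCompile(`(?i)\b(password|passwd|pwd|token|secret|api[_-]?key)["']?\s*[:=]\s*["']?([^"'\s,<>]{4,})`)},
	{"pem-private-key", regexp.MustCompile(`-----BEGIN (?:RSA |EC )?PRIVATE KEY-----`)},
}

// redact keeps the first and last two characters so a reviewer can correlate
// the finding with the source file without copying the secret into the report.
func redact(v string) string {
	if len(v) <= 6 {
		return strings.Repeat("*", len(v))
	}
	return v[:2] + strings.Repeat("*", len(v)-4) + v[len(v)-2:]
}

// ScanDump walks a dump of files taken from outside the app sandbox
// (path -> contents) and reports every sensitive value present in cleartext.
// Paths are visited in sorted order so results are stable across runs.
func ScanDump(files map[string]string) []Finding {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)

	var out []Finding
	for _, p := range paths {
		for _, d := range detectors {
			for _, m := range d.re.FindAllStringSubmatch(files[p], -1) {
				value := m[0]
				if len(m) > 2 { // key/value detector: report only the value part
					value = m[2]
				}
				out = append(out, Finding{Path: p, Kind: d.kind, Preview: redact(value)})
			}
		}
	}
	return out
}

// sampleDump is constructed for this example; it stands in for files pulled
// from external storage. The token and password are made-up sample values.
var sampleDump = map[string]string{
	"/sdcard/Android/data/com.example.app/files/session.json": `{"user":"alice","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlLXN0dWJi"}`,
	"/sdcard/Download/app-debug.log":                          "2024-01-01 login ok password=Winter2024!\n",
	"/sdcard/Android/data/com.example.app/files/cache.bin":    "\x01\x02\x03 opaque ciphertext, nothing to see",
}

func main() {
	for _, f := range ScanDump(sampleDump) {
		fmt.Printf("%-16s %s  %s\n", f.Kind, f.Path, f.Preview)
	}
}
```

Run against the constructed dump, the scan flags the session token twice (once as a JWT, once as the value of a `token` key) and the password echoed into the debug log, while the encrypted cache file produces nothing; that last case is the behaviour the Solution section asks for.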
Risk
This vulnerability can result in data or information leakage to malicious actors, with potential financial losses, reputational damage and legal implications. It can also lead to data breaches and privacy violations.
Solution
To prevent this vulnerability, the application must encrypt sensitive data before storing it outside the application. Data sent to remote storage should travel over secure protocols such as TLS or SSH, and only authenticated users should be able to access it.
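The first requirement, encrypt before the data leaves the app, is shown below as an added Go example; it is not code from the original page or from any project it describes. The `KeyStore` interface and its in-memory implementation are assumptions standing in for the platform key store (iOS Keychain, Android Keystore), where the key would normally live so that it is never written out alongside the data. The destination path is bound into the ciphertext as additional authenticated data, so a blob copied from one location to another, or edited in place, fails to decrypt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyStore stands in for the platform key store. Only the key store hands out
// the AEAD; the raw key bytes never appear in the data written outside the app.
type KeyStore interface {
	AEAD() (cipher.AEAD, error)
}

// memoryKeyStore is a constructed stand-in for this example: it generates a
// random 256-bit key once and keeps it in memory for the process lifetime.
type memoryKeyStore struct{ key []byte }

func newMemoryKeyStore() (*memoryKeyStore, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return &memoryKeyStore{key: key}, nil
}

func (m *memoryKeyStore) AEAD() (cipher.AEAD, error) {
	block, err := aes.NewCipher(m.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record before it leaves the app sandbox. The destination
// (a file path, a backup key, a cloud object name) is bound in as additional
// authenticated data. Output layout: nonce || ciphertext || GCM tag.
func Seal(ks KeyStore, plaintext []byte, destination string) ([]byte, error) {
	aead, err := ks.AEAD()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(destination)), nil
}

// Open reverses Seal. Any modification of the blob, or reading it from a
// different destination than it was written for, returns an error.
func Open(ks KeyStore, blob []byte, destination string) ([]byte, error) {
	aead, err := ks.AEAD()
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(destination))
}

// Demo exercises the round trip and both failure modes on a constructed
// sample record; it returns nil when every check behaves as expected.
func Demo() error {
	ks, err := newMemoryKeyStore()
	if err != nil {
		return err
	}
	secret := []byte(`{"refresh_token":"constructed-sample-value"}`)
	const dest = "/sdcard/Android/data/com.example.app/files/session.bin"

	blob, err := Seal(ks, secret, dest)
	if err != nil {
		return err
	}
	if bytes.Contains(blob, []byte("refresh_token")) {
		return errors.New("plaintext leaked into stored blob")
	}
	got, err := Open(ks, blob, dest)
	if err != nil || !bytes.Equal(got, secret) {
		return errors.New("round trip failed")
	}
	// A blob moved to another path must not open: the destination is part of the AAD.
	if _, err := Open(ks, blob, "/sdcard/Download/session.bin"); err == nil {
		return errors.New("blob opened under the wrong destination")
	}
	// A single flipped bit must be rejected by the GCM tag.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(ks, tampered, dest); err == nil {
		return errors.New("tampered blob accepted")
	}
	return nil
}

func main() {
	if err := Demo(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("ok: encrypted before storage, bound to destination, tamper-evident")
}
```

The point of the `KeyStore` indirection is that the only thing written outside the app is the sealed blob; if an attacker obtains the external storage or a backup, they hold ciphertext without the key, which is exactly the state the scanner in the Description section should observe.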
Example
Below is an example from CVE-2020-0437, an information leakage vulnerability in an iOS mobile application. The snippet shows the remediated pattern: credentials are written to the iOS Keychain instead of to storage outside the application.
    NSError *error = nil;
    // ... earlier step (e.g. the login request) sets `error` on failure ...
    if (error == nil) {
        // Store credentials in the Keychain (encrypted, app-scoped storage)
        // rather than in NSUserDefaults, a plist, or a file outside the sandbox.
        BOOL stored = [SFHFKeychainUtils storeUsername:username
                                           andPassword:password
                                        forServiceName:@"MyApp"
                                        updateExisting:YES
                                                 error:&error];
        if (!stored || error != nil) {
            NSLog(@"Keychain write failed: %@", error);
        }
    }