...
Code Block | ||
---|---|---|
| ||
private String filename = "myfile"
private String string = "sensitive data such as credit card number"
FileOutputStream fos = null;
try {
File file = new File(getExternalFilesDir(TARGET_TYPE), filename);
fos = new FileOutputStream(file, false);
fos.write(string.getBytes());
} catch (FileNotFoundException e) {
// handle FileNotFoundException
} catch (IOException e) {
// handle IOException
} finally {
if (fos != null) {
try {
fos.close();
} catch (IOException e) {
// handle error
}
}
}
|
Proof of Concept
Typically, an application stores files in the directory as follows:
...
Code Block | ||
---|---|---|
| ||
private String filename = "myfile" private String string = "sensitive data such as credit card number" FileOutputStream fos = null; try { fos = openFileOutput(filename, Context.MODE_PRIVATE); fos.write(string.getBytes()); fos.close(); } catch (FileNotFoundException e) { // handle FileNotFoundException } catch (IOException e) { // handle IOException } finally { if (fos != null) { try { fos.close(); } catch (IOException e) { // handle error } } } |
Compliant Solution #2
Securely Securely encrypt the data first, prior to storing it on external storage such as an SD card. A note of caution: many default and non-default behaviors in Android and other cryptographic libraries have been found to use non-secure encryption methods. See DRD17-J, DRD18-J, and [Egele 2013] for more information.
Risk Assessment
Storing sensitive information on external storage can leak sensitive information to malicious apps.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DRD00-J | medium | probable | medium | P12 | L1 |
Automated Detection
It is possible to automatically detect whether an application writes to external storage. It is not feasible to automatically determine whether such output could be stored internally. At least one automated analysis exists which checks if an Android app follows particular rules for secure encryption [Egele 2013], but those rules are not comprehensive and thus passing the automated checker does not guarantee sound encryption.
...