Testing Storage For Sensitive Data


TESTING LOCAL STORAGE FOR SENSITIVE DATA

CHECK ALL APPLICATION GENERATED AND MODIFIED FILES AND ENSURE THAT THE STORAGE METHOD IS SUFFICIENTLY SECURE.
SHAREDPREFERENCES, SQL DATABASES, REALM DATABASES, INTERNAL STORAGE, EXTERNAL STORAGE, ETC.

Determine the usage of storage in the app
Check AndroidManifest.xml for read/write external storage permissions, for example, <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>

File permissions, such as:

MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE: You should avoid using MODE_WORLD_WRITEABLE and
MODE_WORLD_READABLE for files because any app will be able to read from or write to the files, even if they are stored
in the app's private data directory. If data must be shared with other applications, consider a content provider. A content
provider offers read and write permissions to other apps and can grant dynamic permission on a case-by-case basis.

Classes and functions, such as:

the SharedPreferences class (stores key-value pairs)

the FileOutputStream class (uses internal or external storage)

the getExternal* functions (use external storage)

the getWritableDatabase function (returns a SQLiteDatabase for writing)

the getReadableDatabase function (returns a SQLiteDatabase for reading)

the getCacheDir and getExternalCacheDirs functions (use cached files)


Static Analysis

Hard coding the secrets & Avoiding bad encryption
Encoded/encrypted keys represent another attempt to make the secret harder to recover.
Dynamic analysis
Check both internal and external local storage for any files created by the application that contain
sensitive data.

Identify development files, backup files, and old files that shouldn't be included with a production
release.

Determine whether SQLite databases are available and whether they contain sensitive information.
SQLite databases are stored in /data/data/<package-name>/databases.

Identify if SQLite databases are encrypted. If so, determine how the database password is generated
and stored and if this is sufficiently protected as described in the "Storing a Key" section of the
Keystore overview.

Check Shared Preferences that are stored as XML files (in /data/data/<package-name>/shared_prefs)
for sensitive information. Shared Preferences are insecure and unencrypted by default. We have
to enforce the use of secure-preferences to encrypt the values stored in Shared Preferences.

Check the permissions of the files in /data/data/<package-name>. Only the user and group created
when you installed the app (e.g., u0_a82) should have user read, write, and execute permissions
(rwx). Other users should not have permission to access files, but they may have execute
permissions for directories.
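
One way to automate the file permission check described above, as an added example that is not part of the original slides: it parses a captured `ls -l` listing of /data/data/<package-name> and flags entries that others can read or write, files that others can execute, and entries not owned by the app user. The listing, the file names and the audit_listing helper are constructed for illustration, and the toybox-style `ls -l` column layout is an assumption.

```python
import re

# Constructed sample of `ls -l` output from /data/data/<package-name>
# (assumed toybox layout: mode, links, owner, group, size, date, time, name).
SAMPLE_LISTING = """\
drwxrwx--x 2 u0_a82 u0_a82 4096 2024-01-10 09:12 databases
drwxrwx--x 2 u0_a82 u0_a82 4096 2024-01-10 09:12 shared_prefs
-rw-rw---- 1 u0_a82 u0_a82 20480 2024-01-10 09:13 app.db
-rw-rw-r-- 1 u0_a82 u0_a82 312 2024-01-10 09:13 settings.xml
-rw-rw-rw- 1 u0_a82 u0_a82 88 2024-01-10 09:14 token.txt
-rwxrwx--x 1 u0_a82 u0_a82 512 2024-01-10 09:14 helper.sh
-rw------- 1 root root 64 2024-01-10 09:15 leftover.bak
"""

LINE_RE = re.compile(
    r"^(?P<type>[-dlbcps])(?P<mode>[rwxsStT-]{9})\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+\S+\s+\S+\s+(?P<name>.+)$"
)

def audit_listing(listing, app_user):
    """Return (name, reason) findings for entries that break the rule above."""
    findings = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip "total N" lines, blanks, directory headers
        other = m["mode"][6:9]
        is_dir = m["type"] == "d"
        if "r" in other:
            findings.append((m["name"], "world-readable"))
        if "w" in other:
            findings.append((m["name"], "world-writable"))
        # Execute for others is tolerated on directories only.
        if other[2] in "xt" and not is_dir:
            findings.append((m["name"], "world-executable file"))
        if m["owner"] != app_user or m["group"] != app_user:
            findings.append((m["name"], f"owned by {m['owner']}:{m['group']}"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_listing(SAMPLE_LISTING, "u0_a82"):
        print(f"{name}: {reason}")
```
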
TESTING LOGS FOR SENSITIVE DATA

A. ANALYZE SOURCE CODE FOR LOGGING RELATED CODE.
B. CHECK APPLICATION DATA DIRECTORY FOR LOG FILES.
C. GATHER SYSTEM MESSAGES AND LOGS AND ANALYZE FOR ANY SENSITIVE DATA.
Log Analysis
Functions and classes, such as:

android.util.Log

Log.d | Log.e | Log.i | Log.v | Log.w | Log.wtf

Logger

Keywords and system output:

System.out.print | System.err.print

logfile

logging

logs
Target app specific logs using ADB

You can also use regex to filter logs further


CHECK WHETHER SENSITIVE DATA IS SHARED WITH THIRD PARTIES VIA EMBEDDED SERVICES
CHECK WHETHER SENSITIVE DATA IS SHARED WITH THIRD PARTIES VIA NOTIFICATIONS
CHECK WHETHER THE KEYBOARD CACHE IS DISABLED FOR TEXT INPUT FIELDS
Start the app and click in the input fields that take
sensitive data. If strings are suggested, the keyboard
cache has not been disabled for these fields.

Alternatively, the developer can use the following constants:
TEST BACKUPS FOR SENSITIVE DATA