The protection of sensitive data, such as user credentials and private information, is a key focus in mobile security. Firstly, sensitive data can be unintentionally exposed to other apps running on the same device if operating system mechanisms like IPC are used improperly. Data may also unintentionally leak to cloud storage, backups, or the keyboard cache. Additionally, mobile devices can be lost or stolen more easily compared to other types of devices, so an adversary gaining physical access is a more likely scenario. In that case, additional protections can be implemented to make retrieving the sensitive data more difficult.
Note that, as the MASVS is app-centric, it does not cover device-level policies such as those enforced by MDM solutions. We encourage the use of such policies in an Enterprise context to further enhance data security.
Sensitive data in the context of the MASVS pertains to both user credentials and any other data considered sensitive in the particular context, such as:
Personally identifiable information (PII) that can be abused for identity theft: Social security numbers, credit card numbers, bank account numbers, health information;
Highly sensitive data that would lead to reputational harm and/or financial costs if compromised: Contractual information, information covered by non-disclosure agreements, management information;
Any data that must be protected by law or for compliance reasons.
The vast majority of data disclosure issues can be prevented by following simple rules. Most of the controls listed in this chapter are mandatory for all verification levels.
System credential storage facilities need to be used to store sensitive data, such as PII, user credentials or cryptographic keys.
No sensitive data should be stored outside of the app container or system credential storage facilities.
No sensitive data is written to application logs.
No sensitive data is shared with third parties unless it is a necessary part of the architecture.
The keyboard cache is disabled on text inputs that process sensitive data.
No sensitive data is exposed via IPC mechanisms.
No sensitive data, such as passwords or pins, is exposed through the user interface.
No sensitive data is included in backups generated by the mobile operating system.
The app removes sensitive data from views when moved to the background.
The app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after use.
The app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.
The app educates the user about the types of personally identifiable information processed, as well as security best practices the user should follow in using the app.
No sensitive data should be stored locally on the mobile device. Instead, data should be retrieved from a remote endpoint when needed and only be kept in memory.
If sensitive data is still required to be stored locally, it should be encrypted using a key derived from hardware backed storage which requires authentication.
The app’s local storage should be wiped after an excessive number of failed authentication attempts.
The OWASP Mobile Security Testing Guide provides detailed instructions for verifying the requirements listed in this section.
Android: Testing Data Storage - https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md
iOS: Testing Data Storage - https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06d-Testing-Data-Storage.md
For more information, see also:
OWASP Mobile Top 10: M2 (Insecure Data Storage) - https://www.owasp.org/index.php/Mobile_Top_10_2016-M2-Insecure_Data_Storage
CWE 922 (Insecure Storage of Sensitive Information) - https://cwe.mitre.org/data/definitions/922.html