The protection of sensitive data, such as user credentials and private information, is a key focus in mobile security. Firstly, sensitive data can be unintentionally exposed to other apps running on the same device if operating system mechanisms like IPC are used improperly. Data may also unintentionally leak to cloud storage, backups, or the keyboard cache. Additionally, mobile devices can be lost or stolen more easily compared to other types of devices, so an adversary gaining physical access is a more likely scenario. In that case, additional protections can be implemented to make retrieving the sensitive data more difficult.
Note that, as the MASVS is app-centric, it does not cover device-level policies such as those enforced by MDM solutions. We encourage the use of such policies in an Enterprise context to further enhance data security.
Sensitive data in the context of the MASVS pertains to both user credentials and any other data considered sensitive in the particular context, such as:
Personally identifiable information (PII) that can be abused for identity theft: Social security numbers, credit card numbers, bank account numbers, health information;
Highly sensitive data that would lead to reputational harm and/or financial costs if compromised: Contractual information, information covered by non-disclosure agreements, management information;
Any data that must be protected by law or for compliance reasons.
The vast majority of data disclosure issues can be prevented by following simple rules. Most of the controls listed in this chapter are mandatory for all verification levels.
System credential storage facilities need to be used to store sensitive data, such as PII, user credentials or cryptographic keys.
No sensitive data should be stored outside of the app container or system credential storage facilities.
No sensitive data is written to application logs.
No sensitive data is shared with third parties unless it is a necessary part of the architecture.
The keyboard cache is disabled on text inputs that process sensitive data.
No sensitive data is exposed via IPC mechanisms.
No sensitive data, such as passwords or pins, is exposed through the user interface.
No sensitive data is included in backups generated by the mobile operating system.
The app removes sensitive data from views when moved to the background.
The app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after use.
The app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.
The app educates the user about the types of personally identifiable information processed, as well as security best practices the user should follow in using the app.
No sensitive data should be stored locally on the mobile device. Instead, data should be retrieved from a remote endpoint when needed and only be kept in memory.
If sensitive data is still required to be stored locally, it should be encrypted using a key derived from hardware backed storage which requires authentication.
The app’s local storage should be wiped after an excessive number of failed authentication attempts.
The OWASP Mobile Security Testing Guide provides detailed instructions for verifying the requirements listed in this section.
Android: Testing Data Storage - https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md
iOS: Testing Data Storage - https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06d-Testing-Data-Storage.md
For more information, see also:
OWASP Mobile Top 10: M1 (Improper Platform Usage) - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage
OWASP Mobile Top 10: M2 (Insecure Data Storage) - https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage
CWE 117 (Improper Output Neutralization for Logs) - https://cwe.mitre.org/data/definitions/117.html
CWE 200 (Information Exposure) - https://cwe.mitre.org/data/definitions/200.html
CWE 276 (Incorrect Default Permissions) - https://cwe.mitre.org/data/definitions/276.html
CWE 311 (Missing Encryption of Sensitive Data) - https://cwe.mitre.org/data/definitions/311.html
CWE 312 (Cleartext Storage of Sensitive Information) - https://cwe.mitre.org/data/definitions/312.html
CWE 316 (Cleartext Storage of Sensitive Information in Memory) - https://cwe.mitre.org/data/definitions/316.html
CWE 359 (Exposure of Private Information ('Privacy Violation')) - https://cwe.mitre.org/data/definitions/359.html
CWE 522 (Insufficiently Protected Credentials) - https://cwe.mitre.org/data/definitions/522.html
CWE 524 (Information Exposure Through Caching) - https://cwe.mitre.org/data/definitions/524.html
CWE 530 (Exposure of Backup File to an Unauthorized Control Sphere) - https://cwe.mitre.org/data/definitions/530.html
CWE 532 (Information Exposure Through Log Files) - https://cwe.mitre.org/data/definitions/532.html
CWE 534 (Information Exposure Through Debug Log Files) - https://cwe.mitre.org/data/definitions/534.html
CWE 634 (Weaknesses that Affect System Processes) - https://cwe.mitre.org/data/definitions/634.html
CWE 798 (Use of Hard-coded Credentials) - https://cwe.mitre.org/data/definitions/798.html
CWE 921 (Storage of Sensitive Data in a Mechanism without Access Control) - https://cwe.mitre.org/data/definitions/921.html
CWE 922 (Insecure Storage of Sensitive Information) - https://cwe.mitre.org/data/definitions/922.html