Sensitive Information Stored in Local Database


    • Type: Task
    • Resolution: Done
    • Priority: Medium
    • 2.8
    • Affects Version/s: None
    • FLW Sprint 37, FLW Sprint 38, FLW Sprint 39
    • FLW Mobile App
    • All

      Sensitive data (e.g., tokens, passwords, PII) is stored in the device’s local database without proper encryption.

      Impact:
      Compromise of sensitive data if device is rooted or accessed physically.


      Vulnerability Name: Sensitive Information Stored in Local Database
      Vulnerable URL: /data/data/org.piramalswasthya.sakhi.saksham.uat/databases # cat Sakhi-2.0-In-app-database
      CVE/CWE: CWE-922
      CVSS Score: 4.2
      Overall Risk (Severity): Medium
      Observation / Description: This vulnerability occurs when an Android application stores user passwords or other sensitive information in plain text within its local database. Local databases on Android are commonly used to store app-related data; when passwords are stored without proper encryption or hashing, they can be read by anyone with access to the device or to the app's database file.
      Impact: This practice is a significant security flaw, as it exposes sensitive user information to attackers who gain access to the device or to the app's data.
      Recommendation:
      Hash and Salt Passwords: Use a strong password-hashing algorithm (e.g., bcrypt, scrypt) to store passwords in the database, with a unique random salt per password.
      Use Encryption: Encrypt sensitive data stored in the database so that it stays protected from unauthorized access even if the database file is obtained.
      Implement Key Management: Safeguard the encryption keys used for data protection and ensure they are stored securely (for example in hardware-backed key storage rather than alongside the data).
      Secure Access Controls: Limit access to the local database to authorized users or processes only.
      Reference: https://cwe.mitre.org/data/definitions/922.html
      Steps to reproduce: Step 1: During the security assessment it was observed that sensitive information was stored in the application's local database.
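      The following is an added, platform-neutral example of the "Hash and Salt Passwords" recommendation above; it is not code from the FLW Mobile App or from this ticket. It stores credentials in a local SQLite table as scrypt digests with a per-user random salt, verifies them in constant time, and includes a check a reviewer can run to confirm that the raw rows no longer contain the plaintext that the finding describes. The table schema, user name and password values are constructed for the example; on Android the same pattern applies to the app's own database, with the encryption key for the "Use Encryption" step kept in the platform keystore rather than in the database file.

```python
"""Added example: salted scrypt password hashing into a local SQLite database.
Illustrates the ticket's 'Hash and Salt Passwords' recommendation; this is not
the FLW app's code. Schema, table name and sample credentials are constructed."""
import hashlib
import hmac
import os
import sqlite3

# scrypt work factors; hashlib.scrypt is in the standard library (OpenSSL-backed).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024  # allow the ~16 MiB scrypt needs at these factors
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest).

    A fresh random salt per user means two identical passwords produce different
    stored values, so a dump of the table cannot be matched against precomputed
    tables. Pass an existing salt only when re-deriving for verification."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        maxmem=SCRYPT_MAXMEM,
        dklen=HASH_BYTES,
    )
    return salt, digest


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the app's local database (constructed schema).
    Only the salt and the digest are persisted, never the password itself."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def store_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Hash the password with a new salt and store both; parameterised SQL only."""
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))
    conn.commit()


def verify_user(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def plaintext_in_db(conn: sqlite3.Connection, secret: str) -> bool:
    """Review check: does any stored row contain the secret as plain bytes?
    True corresponds to the CWE-922 finding in this ticket; with hashing it is False."""
    needle = secret.encode("utf-8")
    for salt, pw_hash in conn.execute("SELECT salt, pw_hash FROM users"):
        if needle in salt or needle in pw_hash:
            return True
    return False


if __name__ == "__main__":
    db = open_db()
    store_user(db, "field_worker_01", "correct horse battery")  # constructed sample
    print("login ok:", verify_user(db, "field_worker_01", "correct horse battery"))
    print("wrong password rejected:", not verify_user(db, "field_worker_01", "guess"))
    print("plaintext present in rows:", plaintext_in_db(db, "correct horse battery"))
```

      The same salt-and-hash layout works for any local store; what changes on Android is where the encryption key for the remaining fields lives, which is the "Implement Key Management" item of the recommendation.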

              Assignee: Deep Shikha
              Reporter: Shashank Kharkwal
              Votes: 0
              Watchers: 2