In our last article, we wrote about communicating securely with SSL.
Today we turn to another important aspect of mobile security in the same spirit:
how should a mobile application store its data?
Data storage is a wide-ranging topic. In the following chapters and articles we will take a close look at each of the subtopics. Android and iOS differ here, although there are also some similarities.
Data storage in iOS
- Screenshots as a source of danger in iOS
- Web cache in iOS
- Local storage in iOS
- User preferences in iOS
- Keychain in iOS
- Privacy API in iOS
Data storage in Android
- Screenshots as a source of danger in Android
- Web cache in Android
- Internal storage in Android
This series is planned as 9 posts, and we usually publish a new post every Tuesday. We start with screenshots as a source of danger in iOS and screenshots as a source of danger in Android.
Why is data storage relevant?
Consider carefully which sensitive data is stored on the device, because anything stored there is exposed to attack. Ideally, sensitive information (passwords, encryption keys, API keys, credit card details, etc.) should either be kept on the server and fetched from it when needed, or entered by the user when it is required. That way an attacker who gets hold of an application's data gains nothing of value.
Protecting all sensitive data is often difficult, because the device logs data accesses or keeps data in caches that we do not necessarily control. To make sure nothing is overlooked, we will provide a checklist later in this series of articles that allows data to be handled more carefully.
There is also a lot of information and data that does not relate to the user but to your company, the developer of the application. This information is available to an attacker in any case: an application package, IPA (iOS) or APK (Android), is at first nothing more than a ZIP file that can be unpacked with any ordinary ZIP program.
General notes on data storage in mobile applications
Make sure that the application does not embed sensitive data such as private keys, email addresses, passwords or the like in the application itself.
Occasionally an application needs access to an API key. If the key is sensitive, create a proxy service that calls the web service on the app's behalf. With this approach the API key exists only on the proxy service, and the usual authentication techniques can be used to authenticate the user, and thereby the mobile application, to the proxy.
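The proxy approach just described, as an added example that is not code from the original article: the upstream API key lives only on the proxy, the mobile client presents a per-user session token, and the proxy refuses to touch the key until that token has been verified. The upstream URL, key value and session table are constructed placeholders.

```python
# Added example: a minimal API-key proxy in the style the article recommends.
# The mobile app never receives UPSTREAM_API_KEY; it only holds a session token.
import hmac

UPSTREAM_BASE = "https://api.example.com/v1"          # assumed upstream service
UPSTREAM_API_KEY = "constructed-upstream-key-never-shipped-in-app"  # placeholder
ALLOWED_PATHS = {"/report", "/status"}                 # endpoints we forward

# Session store filled when a user logs in to the proxy (constructed sample).
SESSIONS = {"tok-alice-0123": "alice"}


class AuthError(Exception):
    """Raised when the client did not present a valid session token."""


def authenticate(headers):
    """Return the user behind a valid 'Authorization: Bearer <token>' header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise AuthError("missing bearer token")
    for known, user in SESSIONS.items():
        # Constant-time comparison so token checks do not leak timing information.
        if hmac.compare_digest(known, token):
            return user
    raise AuthError("unknown session")


def build_upstream_request(client_request):
    """Turn a client request into the upstream call, attaching the API key.

    client_request: {"headers": {...}, "path": str, "body": bytes}
    Authentication runs first, so unauthenticated callers never reach the key.
    """
    user = authenticate(client_request["headers"])
    path = client_request["path"]
    if path not in ALLOWED_PATHS:
        raise ValueError("path not proxied")   # no open relay to the upstream
    return {
        "url": UPSTREAM_BASE + path,
        "headers": {"X-Api-Key": UPSTREAM_API_KEY, "X-On-Behalf-Of": user},
        "body": client_request["body"],
    }


def filter_upstream_response(upstream_response):
    """Drop headers that could echo server-side secrets before replying to the app."""
    safe = {k: v for k, v in upstream_response["headers"].items()
            if k.lower() not in {"x-api-key", "set-cookie"}}
    return {"status": upstream_response["status"], "headers": safe,
            "body": upstream_response["body"]}
```

In a real deployment the returned request dict would be sent with an HTTP client; the functions are kept transport-free here so the authorization logic can be unit-tested on its own.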