DerScanner
Home / Vulnerability Database / Android : Unsafe internal storage (SharedPreferences)
Android

Android : Unsafe internal storage (SharedPreferences)

Classification

OWASP Mobile Top 10 2014
M2-Insecure Data Storage
OWASP Mobile Top 10 2016
M2-Insecure Data Storage
OWASP Top 10 2017
A3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic FailuresA4-Insecure Design
OWASP MASVS
V2: 2.1.(L1/L2/L1+R/L2+R)V2: 2.13.(L2/L2+R)V2: 2.14.(L2/L2+R)
CWE
CWE-200CWE-250CWE-312CWE-313CWE-522CWE-921CWE-922CWE-940
CWE/SANS Top 25 2011
CWE-250
CWE/SANS Top 25 2021
CWE-200CWE-522

Overview

The application stores confidential information insecurely.

Valuable data is protected on an Android device via the SharedPreferences class. Although by default information in SharedPreferences is only available to the corresponding application, it will not stop an attacker who has physical access to the device.

Furthermore, using MODE_WORLD_READABLE opens read access to SharedPreferences for all applications.

References

  1. OWASP Top 10 2013-A6-Sensitive Data Exposure
  2. CWE-359: Exposure of Private Information (‘Privacy Violation’)
  3. CWE-250: Execution with Unnecessary Privileges
MEDIUM

DerScanner Severity Score

Do you want to fix Android : Unsafe internal storage (SharedPreferences) in your application?

See also

Android

Android : Debug mode on

Android

Android : Error handling: generic exception

Android

Android : HTTP usage