Storing sensitive information in a protected database

INFO

Detection method: DAST, API

Description

The application stores sensitive information in a protected database. In general, this is not a vulnerability, but it is necessary to make sure that a strong password

The sensitive data that was found is used by the system to locate where that data is used or stored within the collected data.
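As an added example (not code from this finding, nor from the SQLCipher project linked below), the following Java shows how an Android app can open a SQLCipher-protected database with a random 256-bit key that is generated once and kept wrapped by an Android Keystore master key in EncryptedSharedPreferences, instead of a passphrase hard-coded in the APK. The class, file and preference names are assumptions.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.util.Base64;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKeys;
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import net.sqlcipher.database.SQLiteDatabase;

public final class ProtectedDb {
    private static final String PREFS = "db_key_store"; // preference file name (assumed)
    private static final String KEY_ENTRY = "db_key";   // preference key (assumed)
    private static final int KEY_BYTES = 32;            // 256-bit random key

    // Weak pattern: a passphrase baked into the APK is recoverable by anyone who
    // unpacks it, so the "protected" database gains little over file permissions.
    //   SQLiteDatabase.openOrCreateDatabase(dbFile, "hardcoded-secret", null);

    /** Returns the database key, creating a random one on first use. The key is
     *  stored in EncryptedSharedPreferences, wrapped by a Keystore master key. */
    static byte[] loadOrCreateKey(Context ctx) throws GeneralSecurityException, IOException {
        SharedPreferences prefs = EncryptedSharedPreferences.create(
                PREFS,
                MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC),
                ctx,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
        String stored = prefs.getString(KEY_ENTRY, null);
        if (stored != null) {
            return Base64.decode(stored, Base64.NO_WRAP);
        }
        byte[] key = new byte[KEY_BYTES];
        new SecureRandom().nextBytes(key); // strong and unguessable, not a user-chosen word
        prefs.edit().putString(KEY_ENTRY, Base64.encodeToString(key, Base64.NO_WRAP)).apply();
        return key;
    }

    /** Opens (or creates) the SQLCipher database in app-private storage with the stored key. */
    static SQLiteDatabase open(Context ctx) throws GeneralSecurityException, IOException {
        SQLiteDatabase.loadLibs(ctx);                        // load the native SQLCipher library
        File dbFile = ctx.getDatabasePath("secrets.db");   // database file name (assumed)
        byte[] key = loadOrCreateKey(ctx);
        try {
            return SQLiteDatabase.openOrCreateDatabase(dbFile, key, null);
        } finally {
            java.util.Arrays.fill(key, (byte) 0);          // do not keep the key in heap longer than needed
        }
    }
}
```

The key material never appears in the APK, and the master key that wraps it is non-exportable from the Keystore, so recovering the database contents requires code execution on the unlocked device rather than a static unpack of the application.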

Recommendations

To protect against data interception at runtime, use protection measures that detect instrumentation of the application and root access. One good option is the DetectFrida and DetectMagiskHide libraries. These libraries implement their checks in native code, which makes their analysis and modification much more difficult.

Links

1. https://github.com/sqlcipher/android-database-sqlcipher

2. https://github.com/darvincisec/DetectMagiskHide

3. https://github.com/darvincisec/DetectFrida

4. https://darvincitech.wordpress.com/2019/12/23/detect-frida-for-android/

5. https://darvincitech.wordpress.com/2019/11/04/detecting-magisk-hide/

6. https://github.com/OWASP/owasp-stg/blob/master/Document/0x05d-Testing-Data-Storage.md#sqlite-databases-encrypted