Storing sensitive information in a public protected database

Severity: LOW
Detection method: DAST, API

Description

The application stores sensitive information in a publicly accessible protected database. In general this is not a vulnerability, but it is necessary to make sure that a  

The sensitive data that was found is used by the system to trace where it is used or stored in the collected data.

Recommendations

To protect against data interception at runtime, use protection measures that detect instrumentation of the application and root access. One good option is the DetectFrida and DetectMagiskHide libraries. They implement their checks in native code, which makes analysis and modification of the checks much more difficult.
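As an added illustration of the kind of native check such libraries perform (this is example code, not DetectFrida's own), the function below scans lines in /proc/self/maps format for loaded modules whose names suggest an instrumentation agent. The module-name list and the sample mapping lines are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Module name fragments associated with instrumentation frameworks.
   Assumption: an illustrative list, not the list DetectFrida uses. */
static const char *SUSPECT_MODULES[] = { "frida-agent", "frida-gadget", "libfrida", NULL };

/* Bounded substring search (memmem is not portable C). */
static int contains(const char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Count lines of a /proc/<pid>/maps listing that map a suspect module.
   Each line looks like: start-end perms offset dev inode [path] */
int count_suspect_mappings(const char *maps_text) {
    int hits = 0;
    const char *line = maps_text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        for (const char **m = SUSPECT_MODULES; *m; m++)
            if (contains(line, len, *m)) { hits++; break; }
        if (!eol) break;
        line = eol + 1;
    }
    return hits;
}

/* Same check against the running process (Linux/Android); -1 if /proc/self/maps
   is unreadable. A very long line is scanned in pieces, so a name split across
   two fgets() reads would be missed. */
int scan_self_maps(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char buf[4096]; int hits = 0;
    while (fgets(buf, sizeof buf, f)) hits += count_suspect_mappings(buf);
    fclose(f);
    return hits;
}
/* Constructed sample: one ordinary mapping and one with an injected agent. */
static const char SAMPLE_MAPS[] =
    "7f1a0000-7f1b0000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so\n"
    "7f2a0000-7f2c0000 r-xp 00000000 00:00 0    /data/local/tmp/frida-agent-64.so\n";
int main(void) {
    printf("suspect mappings in sample: %d\n", count_suspect_mappings(SAMPLE_MAPS));
    return 0;
}
```

A check like this is one signal among several; a hardened build would combine it with other indicators and decide what to do on a hit (refuse to open the database, for example) rather than relying on a single test.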

Links

1. https://github.com/sqlcipher/android-database-sqlcipher

2. https://github.com/darvincisec/DetectMagiskHide

3. https://github.com/darvincisec/DetectFrida

4. https://darvincitech.wordpress.com/2019/12/23/detect-frida-for-android/

5. https://darvincitech.wordpress.com/2019/11/04/detecting-magisk-hide/

6. https://github.com/OWASP/owasp-stg/blob/master/Document/0x05d-Testing-Data-Storage.md#sqlite-databases-encrypted