Mobile Vulnerabilities Exposed: Data at Rest

For Part Two of the exposing data vulnerabilities webinar, Brian Robison and Steven Smiley discussed how data is stored and protected within iOS and Android devices. 

Watch the entire webinar for all the details, or keep reading to learn more about exposing vulnerabilities in data at rest.

Pentesting iOS and Android Challenges

Pentesting mobile applications can be costly and time-consuming. One reason: getting specific devices with a particular OS version can be difficult. 

Access within those devices complicates the issue: are they jailbroken or rooted? Managing devices and installing and configuring security tools and tweaks can take a lot of time. Virtualization solves this problem by letting you take a snapshot of a configured device and restore it to a known-good state within seconds.

iOS Mobile Device Storage

iOS application data can be stored in the device Keychain, NSUserDefaults, Application Databases, and PLIST files (property files) on iOS devices. Unfortunately, developers store data everywhere, even where they shouldn’t.

Keychain Storage

Most people think keychain storage is impenetrable, but data stored there can be accessed. Threat researchers can use Objection Runtime Exploration, Frida scripts, or third-party tools to dump the keychain, exposing potentially sensitive data in plain text with just a few keyboard commands and access to a device.

Data stored in the iOS Keychain also relies on attributes for its security protections. Attributes specify aspects of an item such as its accessibility and its authentication requirements. It is important to know how your application uses the Keychain: is your data encrypted, and which attributes are being used to increase the overall security of your data?

NSUserDefaults

NSUserDefaults is an iOS mechanism for storing small amounts of user data persistently. Typically it is used for non-sensitive data such as user settings and preferences. Using a Frida script, or even a framework like Objection, an application's NSUserDefaults can be viewed in plaintext. These should always be reviewed as part of a security assessment to ensure no sensitive data is being stored there.

iOS Application Databases

iOS applications utilize a variety of databases, including SQLite, Core Data and Realm, to store user data such as settings, preferences and even app-specific personal data.

Within Corellium, you can easily browse the iOS local data storage, download it, and review it to find potential storage related vulnerabilities. Corellium offers root access for all iOS versions.

PLIST Files (Property Files)

PLIST files may be stored within the IPA structure or the local data directories of iOS applications. They can often expose sensitive data such as API keys, usernames, and passwords. Any plain-text data stored locally (within mobile containers) can be accessed and read easily using Xcode or third-party tools.

Android Mobile Device Storage

Android applications tend to store user data in Shared Preferences, External Storage, and various Application Databases.

Shared Preferences

Shared preferences use an XML file to store primitive data in key-value pairs. This is suitable for storing application preferences, but not sensitive data, as the file is accessible to anyone. These files are stored in the application's local data directory and are easily discoverable. Corellium provides quick access to these files so you can identify them and determine whether any sensitive data is exposed.
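Once the shared_prefs XML and plist files have been pulled from a device, the review step is to read them for credential-like entries. The following is an added example, not code from the webinar or from Corellium's tooling: it parses an Android shared_prefs map and an iOS plist (XML or binary), then flags entries whose key names look like secrets or whose values have the shape of a JWT. The sample files are constructed here; the SENSITIVE_KEY pattern is an assumption to be tuned for the app under review.

```python
import plistlib
import re
import xml.etree.ElementTree as ET
# Key names that commonly hold secrets in shared_prefs / plist files (assumed list).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|credential|session", re.I)
# Three base64url segments starting with "eyJ" is the shape of a JWT.
JWT_VALUE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

def parse_shared_prefs(xml_bytes: bytes) -> dict:
    """Flatten an Android shared_prefs <map> into {name: value-as-string}."""
    prefs = {}
    for child in ET.fromstring(xml_bytes):
        name = child.get("name")
        if name is not None:
            # <string> carries its value as text; boolean/int/long/float use a value attribute
            prefs[name] = (child.text or "") if child.tag == "string" else child.get("value")
    return prefs

def parse_plist(data: bytes) -> dict:
    """Load an XML or binary plist; plistlib detects the format."""
    obj = plistlib.loads(data)
    return obj if isinstance(obj, dict) else {"root": obj}

def _flatten(d: dict, prefix: str = ""):
    for key, value in d.items():
        path = prefix + str(key)
        if isinstance(value, dict):
            yield from _flatten(value, path + ".")
        else:
            yield path, value

def find_sensitive(prefs: dict) -> list:
    """Return (key path, reason) pairs for entries that need a closer look."""
    findings = []
    for path, value in _flatten(prefs):
        if SENSITIVE_KEY.search(path):
            findings.append((path, "sensitive key name"))
        elif isinstance(value, str) and JWT_VALUE.match(value):
            findings.append((path, "value looks like a JWT"))
    return findings

# Constructed samples standing in for files pulled from a device (not real app data).
SHARED_PREFS = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="auth_token">s3cr3t-refresh-token</string>
    <string name="cache">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln</string>
    <boolean name="dark_mode" value="true" />
</map>"""
PLIST_BIN = plistlib.dumps({"apiKey": "PLACEHOLDER-KEY", "theme": "dark",
                            "account": {"password": "hunter2"}}, fmt=plistlib.FMT_BINARY)
```

Run `find_sensitive(parse_shared_prefs(SHARED_PREFS))` and `find_sensitive(parse_plist(PLIST_BIN))` over the samples; a key name match is reported before a value match, so a flagged entry is listed once.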

External Storage 

Data stored within external storage, such as SD cards, becomes vulnerable if the files are set to be world-readable, potentially exposing sensitive information. Even if you uninstall an application, any data that was stored within the external storage will persist and should be reviewed as part of a security assessment.

Android Application Databases

Android applications commonly use encrypted or unencrypted SQLite, Realm, or Firebase databases stored locally. Unencrypted data poses a risk as it’s easily accessible to anyone with device access. Encrypted data could also be vulnerable depending on where the key/passphrase is stored.

Secure Data at Rest

A few tips for protecting mobile app data:

  • Sensitive data should be stored in the Keychain, encrypted where possible, using secure Keychain attributes.
  • Never store credentials or sensitive API keys in plain text.
  • Always encrypt the data stored within a database or encrypt the entire database itself.
  • Don’t store sensitive data in NSUserDefaults, shared preferences, or local data storage locations.
  • Use Corellium to thoroughly test for vulnerabilities with data at rest.

Watch the full webinar on-demand to learn more about how to use Corellium for mobile app testing and advanced analysis of your app.