App Data Security: Storage Permissions

TL;DR

A malicious app can access data from a secure app if both apps use the same storage location (e.g., external storage) and the secure app doesn’t properly protect its files. Android’s permission system allows read/write access to shared storage, so careful file management and encryption are vital.

Understanding the Risk

Android apps request permissions to access certain features and data on a device. Storage permissions allow an app to read and write files to various storage locations. The main types of storage are:

• Private Storage: Dedicated to the app; other apps can’t directly access it.
• External Storage (Shared Storage): Accessible by multiple apps. This is where the risk lies.

If a secure app stores sensitive data on external storage without encryption, a malicious app with storage permissions could potentially read that data.

How a Malicious App Could Access Data

1. Permission Granted: The user grants the malicious app storage permission.
2. Shared Storage Location: Both apps write to the same directory on external storage (e.g., /sdcard/Documents/).
3. File Listing: The malicious app lists files in that directory.
4. Data Read: If the secure app’s data isn’t encrypted, the malicious app can read its contents.

Protecting Your App’s Data

Here are steps to prevent a malicious app from accessing your secure app’s data:

1. Avoid External Storage for Sensitive Data

The best solution is to store sensitive information in the app’s private storage. This is isolated and inaccessible to other apps without root access.

2. Encryption

If you must use external storage, encrypt all sensitive data before writing it and decrypt it only when needed. Use strong encryption algorithms like AES.

// Example (Java/Kotlin) using AES encryption
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class EncryptionHelper {
  public static String encrypt(String data, String key) throws Exception {
    // ... implementation details for AES encryption ...
    return encryptedData;
  }

  public static String decrypt(String data, String key) throws Exception {
    // ... implementation details for AES decryption ...
    return decryptedData;
  }
}

3. File Permissions (Limited Effectiveness)

While Android permissions control access at a broad level, you can attempt to restrict file-level permissions on external storage. However, this is not foolproof and can be bypassed.

4. Secure Coding Practices

• Avoid Hardcoding Keys: Never store encryption keys directly in your code. Use secure key management techniques (e.g., Android Keystore System).
• Input Validation: Validate all data before writing it to storage to prevent malicious files from being created.

5. Regularly Review Code

Conduct regular security audits of your code to identify and address potential vulnerabilities.

6. Use Android’s Security Features

• Scoped Storage: If possible, use Scoped Storage (introduced in Android 10) which limits an app’s access to only its own files and media.

Checking for Data Exposure

1. ADB Shell Access: Use the Android Debug Bridge (adb) shell to check if your secure data is stored in plain text on external storage.

   adb shell ls /sdcard/Documents/

2. File Content Inspection: If you find files, use adb pull to copy them to your computer and inspect their contents.