Insecure Data Storage
Sensitive data like tokens, passwords, or personal information stored in plaintext on the device — in AsyncStorage, SharedPreferences, or local databases without encryption.
How It Works
Mobile devices can be lost, stolen, or accessed by malicious apps with root access. Storing sensitive data in plaintext in AsyncStorage (React Native), SharedPreferences (Android), UserDefaults (iOS), or SQLite without encryption means anyone with physical access or root can read it. This includes auth tokens, personal data, financial information, and cached API responses containing sensitive data.
// Insecure: storing sensitive data in plaintext on the device
import AsyncStorage from '@react-native-async-storage/async-storage';
await AsyncStorage.setItem('user_ssn', '123-45-6789');
await AsyncStorage.setItem('credit_card', '4111-1111-1111-1111');

// Better: using encrypted storage for secrets that must live on the device
import EncryptedStorage from 'react-native-encrypted-storage';
await EncryptedStorage.setItem('user_token', token);
// For highly sensitive data: store it on the server, not on the device
// SSN and credit card numbers should never be stored locally

Real-World Example
In 2018, researchers found that the Uber driver app stored session tokens in plaintext in SharedPreferences. A malicious app or rooted device could steal the token and access the driver's account, earnings, and personal information.
How to Prevent It
- Use encrypted storage (react-native-encrypted-storage, Keychain, EncryptedSharedPreferences)
- Never store highly sensitive data (SSN, credit cards) on the device
- Clear sensitive cached data when the user logs out
- Use the platform's secure enclave for cryptographic keys
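The prevention points above, as an added example that is not code from the original page or from any library it names: a small storage policy layer for a React Native app that refuses to write SSN- or card-number-shaped values anywhere on the device, routes auth/session keys only to the encrypted backend, and wipes those keys on logout. The backends are injected and assumed to expose setItem/getItem/removeItem (in an app you would pass AsyncStorage as `plain` and EncryptedStorage as `encrypted`); MemoryBackend is a constructed stand-in so the file runs offline.

```javascript
// Keys under these prefixes are secrets and may only go to encrypted storage.
const SECRET_PREFIXES = ['auth.', 'token.', 'session.'];
const SSN_RE = /^\d{3}-\d{2}-\d{4}$/;

// Luhn checksum: a 13-19 digit string that passes it is treated as a card number.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return sum % 10 === 0;
}
function looksLikeCardNumber(v) {
  const digits = String(v).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}
function looksLikeSsn(v) { return SSN_RE.test(String(v)); }

// Decide where a write may go: 'reject', 'encrypted' or 'plain'.
function classifyWrite(key, value) {
  if (looksLikeSsn(value) || looksLikeCardNumber(value)) return 'reject';
  return SECRET_PREFIXES.some((p) => key.startsWith(p)) ? 'encrypted' : 'plain';
}

// Constructed in-memory backend standing in for AsyncStorage / EncryptedStorage.
class MemoryBackend {
  constructor() { this.map = new Map(); }
  async setItem(k, v) { this.map.set(k, String(v)); }
  async getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  async removeItem(k) { this.map.delete(k); }
}

class DeviceStore {
  constructor({ plain, encrypted }) { this.plain = plain; this.encrypted = encrypted; this.secretKeys = new Set(); }
  async setItem(key, value) {
    const where = classifyWrite(key, value);
    if (where === 'reject') throw new Error(`refusing to store ${key}: SSN/PAN must stay on the server`);
    if (where === 'encrypted') this.secretKeys.add(key);
    return this[where].setItem(key, value); // this.plain or this.encrypted
  }
  async getItem(key) {
    return classifyWrite(key, '') === 'encrypted' ? this.encrypted.getItem(key) : this.plain.getItem(key);
  }
  // Logout hook: remove every secret this store wrote to encrypted storage.
  async clearSecrets() {
    for (const k of this.secretKeys) await this.encrypted.removeItem(k);
    this.secretKeys.clear();
  }
}
```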