This vulnerability occurs when an application saves sensitive information to a storage location that lacks proper access restrictions, allowing unauthorized users or applications to view or modify the data.
Many modern storage systems use access controls to protect data, but not all do. Physical or removable media like USB drives, memory cards, and optical discs often provide full access to any user on the system. In multi-user environments, storing sensitive data on these uncontrolled mechanisms means anyone with system access can potentially read, copy, or alter that information. On Android, a common example is using external storage (like shared device storage or SD cards). This storage is typically globally readable and writable by all apps on the device. Furthermore, the data can often be accessed directly if the device is connected via USB to a computer or if the physical memory card is removed and read by another device.
Impact: Read Application Data; Read Files or Directories
Attackers can read sensitive information by accessing the unrestricted storage mechanism.
Impact: Modify Application Data; Modify Files or Directories
Attackers can modify or delete sensitive information by accessing the unrestricted storage mechanism.
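An added example, not part of the original entry: a pre-write guard that refuses to place sensitive files on removable media whose filesystem has no per-file permissions, as described above for USB drives and memory cards. The function names, the filesystem list and the sample mount table are assumptions constructed for illustration.

```python
import posixpath

# Filesystem types with no per-file owner or mode bits (assumed list; extend
# it for your platform). Any access limits there come only from mount options.
NO_ACL_FSTYPES = {"vfat", "msdos", "exfat"}

# Constructed sample in /proc/mounts format, not taken from a real host.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev 0 0
/dev/sdb1 /media/usb0 vfat rw,uid=1000,gid=1000,fmask=0022,dmask=0022 0 0
/dev/mmcblk0p1 /media/sd\\040card exfat rw,relatime 0 0
"""

def parse_mounts(text):
    """Return (mount_point, fstype) pairs from /proc/mounts-style text."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        # The kernel escapes spaces in mount points as \040.
        entries.append((fields[1].replace("\\040", " "), fields[2]))
    return entries

def fstype_for(path, mounts):
    """Pick the longest mount point that is a path prefix of `path`."""
    # normpath collapses "..", but does not resolve symlinks; callers that
    # accept untrusted paths should resolve them first.
    path = posixpath.normpath(path)
    best = ("", None)
    for mount_point, fstype in mounts:
        mp = mount_point.rstrip("/") or "/"
        prefix = mp if mp == "/" else mp + "/"
        if (path == mp or path.startswith(prefix)) and len(mp) > len(best[0]):
            best = (mp, fstype)
    return best[1]

def safe_for_sensitive_data(path, mounts_text):
    """False when `path` lands on storage that cannot restrict access per file."""
    fstype = fstype_for(path, parse_mounts(mounts_text))
    return fstype is not None and fstype not in NO_ACL_FSTYPES
```

On a real Linux host, pass the contents of `/proc/mounts` as `mounts_text` and call the guard before creating the file.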