Mobile Threat Catalogue

Insecure Credential Storage


Threat Category: Authentication: User or Device to Network

ID: AUT-12

Threat Description: Mobile OS APIs provide protected storage locations (such as the iOS Keychain and Android's AccountManager) for sensitive credentials. Storing credentials outside these protected locations, for example in plaintext application files, could lead to unauthorized access or exposure of those credentials.

Threat Origin

Not Applicable, See Exploit or CVE Examples

Exploit Examples

Not Applicable

CVE Examples

Not Applicable

Possible Countermeasures

Mobile App Developer

Follow best practices for storing sensitive material, such as using short-lived tokens rather than long-term passwords, and storing secrets with the AccountManager on Android and the Keychain on iOS. [1, 2]

To mitigate the risk associated with a stolen credential, use authentication protocols that generate unpredictable, one-time cryptographic tokens that are replay-resistant (e.g., public key authentication, FIDO Alliance protocols).
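The two developer countermeasures above, short-lived tokens and replay-resistant public-key authentication, combined into one worked challenge-response exchange. This is an added example, not code from the catalogue, from either platform vendor, or from any FIDO specification. It assumes an Ed25519 device key that has already been registered with the server, uses only Go's standard library, and keeps the outstanding-challenge set and token table in memory. Where the device's private key lives (the iOS Keychain or Android Keystore, so that it never leaves the device) is assumed and not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Server holds one registered device public key, the one-time challenges it
// has handed out and not yet seen back, and the short-lived tokens it issued.
type Server struct {
	DevicePub  ed25519.PublicKey
	Challenges map[string]bool      // hex(nonce) -> still outstanding
	Tokens     map[string]time.Time // token -> expiry
	TokenTTL   time.Duration
	Clock      func() time.Time // injectable so expiry can be exercised
}

func NewServer(pub ed25519.PublicKey, ttl time.Duration) *Server {
	return &Server{
		DevicePub:  pub,
		Challenges: map[string]bool{},
		Tokens:     map[string]time.Time{},
		TokenTTL:   ttl,
		Clock:      time.Now,
	}
}

// NewChallenge issues a fresh 32-byte random nonce. Because the nonce is
// random and consumed on first use, a captured signature is useless later.
func (s *Server) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.Challenges[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Authenticate checks that the nonce is outstanding and that the signature
// over it verifies under the registered key, then burns the nonce and returns
// a short-lived bearer token. The long-term secret (the private key) never
// crosses the network, so there is no password to steal in transit.
func (s *Server) Authenticate(nonce, sig []byte) (string, error) {
	key := hex.EncodeToString(nonce)
	if !s.Challenges[key] {
		return "", errors.New("challenge unknown or already used: replay rejected")
	}
	if !ed25519.Verify(s.DevicePub, nonce, sig) {
		return "", errors.New("signature does not verify under registered device key")
	}
	delete(s.Challenges, key) // one-time: a second presentation fails above
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.Tokens[tok] = s.Clock().Add(s.TokenTTL)
	return tok, nil
}

// ValidToken reports whether a token is still within its lifetime; expired
// tokens are purged so a stolen token has a bounded window of usefulness.
func (s *Server) ValidToken(tok string) bool {
	exp, ok := s.Tokens[tok]
	if !ok {
		return false
	}
	if !s.Clock().Before(exp) {
		delete(s.Tokens, tok)
		return false
	}
	return true
}

// SignChallenge is the client side: the device signs the server's nonce with
// its private key. In a real app the key is generated inside, and never
// exported from, the iOS Keychain / Android Keystore (assumed, not shown).
func SignChallenge(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer(pub, 5*time.Minute)

	nonce, _ := srv.NewChallenge()
	sig := SignChallenge(priv, nonce)
	tok, err := srv.Authenticate(nonce, sig)
	fmt.Println("first login ok:", err == nil, "token valid:", srv.ValidToken(tok))

	// An attacker who captured (nonce, sig) cannot log in again with it.
	_, err = srv.Authenticate(nonce, sig)
	fmt.Println("replay:", err)
}
```

Run with `go run`: the first `Authenticate` succeeds, and the second, which presents the same captured nonce and signature, is refused because the nonce was consumed. A production design would also bind the signed message to the server's identity, as FIDO protocols do, so that a challenge obtained from one origin cannot be relayed to another.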

Mobile Device User

Educate users that OAuth 2.0-style authorization requests from native applications should only be made through an external user-agent (the system browser), not through a web view embedded in the application.

References

  1. Security Tips, https://developer.android.com/training/articles/security-tips.html [accessed 8/24/2016]

  2. GenericKeychain, https://developer.apple.com/library/ios/samplecode/GenericKeychain/Introduction/Intro.html#//apple_ref/doc/uid/DTS40007797 [accessed 8/25/2016]