Snapshot Data Disclosure


Description

The application has a snapshot data disclosure vulnerability. Mobile platforms store snapshots of applications in local storage when the applications are backgrounded. If sensitive data is being displayed at the time of backgrounding, this data may be stored on the phone. Users or malicious applications may also take screenshots of the application, causing sensitive data to be stored. Existing apps or attackers with access to the phone can retrieve data from local storage and potentially expose sensitive or private information.

Impact

Snapshotting of applications increases the risk of exposing sensitive information. Snapshots of sensitive data may be taken incidentally when an application is backgrounded, or deliberately if a user or a malicious application takes screenshots of the application while it is running. If the application is currently showing data such as credit card numbers, account numbers, SSNs, or other sensitive information, the data could be written to local storage. An attacker with local access to the device or a malicious application on a rooted device may gain access to the data.

Risk Rating

Remediation
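
On Android, one way to keep window contents out of both the task-switcher snapshot taken at backgrounding and ordinary screenshots is the platform's FLAG_SECURE window flag. The following is an added example, not part of the original finding; the class name SnapshotGuard is hypothetical, and it assumes an Android app that wants every screen protected.

```java
// Added example. SnapshotGuard is a hypothetical helper name.
import android.app.Activity;
import android.app.Application;
import android.app.Dialog;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;

public final class SnapshotGuard implements Application.ActivityLifecycleCallbacks {

    /** Call once from Application.onCreate() so every Activity is covered. */
    public static void install(Application app) {
        app.registerActivityLifecycleCallbacks(new SnapshotGuard());
    }

    /**
     * Dialogs are drawn in their own Window, so the flag set on the
     * hosting Activity does not cover them. Call this before show().
     */
    public static void protect(Dialog dialog) {
        Window window = dialog.getWindow();
        if (window != null) {
            applySecureFlag(window);
        }
    }

    // FLAG_SECURE marks the window content as secure: the system excludes it
    // from screenshots and from the snapshot shown in the recent-apps list.
    private static void applySecureFlag(Window window) {
        window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                        WindowManager.LayoutParams.FLAG_SECURE);
    }

    @Override
    public void onActivityCreated(Activity activity, Bundle savedInstanceState) {
        // Runs during Activity.onCreate(), before the window is first shown.
        applySecureFlag(activity.getWindow());
    }

    // Remaining callbacks are required by the interface but unused here.
    @Override public void onActivityStarted(Activity activity) {}
    @Override public void onActivityResumed(Activity activity) {}
    @Override public void onActivityPaused(Activity activity) {}
    @Override public void onActivityStopped(Activity activity) {}
    @Override public void onActivitySaveInstanceState(Activity activity, Bundle outState) {}
    @Override public void onActivityDestroyed(Activity activity) {}
}
```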

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References
