The Open Worldwide Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS) is used in the development of mobile applications.
Ensure sensitive data stored on the device, such as user credentials or personal information, is protected using strong encryption and secure storage mechanisms. Implement data-at-rest encryption standards to prevent unauthorized access if the device is lost or compromised.
Secure storage of sensitive data ensures that applications securely store sensitive data originating from various sources, including users, backend systems, or system services. Storage locations may vary, such as private internal app storage or public locations like download folders accessible by users or other apps. The app must ensure that all sensitive data is appropriately encrypted and protected, regardless of the storage location, thereby safeguarding against unauthorized access or tampering.

Prevention of data leakage ensures that sensitive data is not unintentionally stored or exposed in publicly accessible locations, which may occur through APIs, system capabilities (e.g., backups or logs), or developer oversight. Developers should identify and mitigate the risk of unintentional data leaks by applying security controls, such as encryption and appropriate data handling practices, so that sensitive information remains confined to secure environments.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-04-01-01-01 | Implement secure storage mechanisms for sensitive data | Use secure storage options such as the device's secure enclave, keychain, or encrypted internal storage to store sensitive data like user credentials or tokens. | Development | Development teams, Security team |
SSS-02-04-01-01-02 | Prevent unintentional data leakage | Configure app logs, backups, and public storage APIs to avoid unintentional exposure of sensitive data. Ensure debug logs do not include sensitive information. | Development | Development teams, QA team |
SSS-02-04-01-01-03 | Perform regular security audits and tests | Conduct security audits and static code analysis to identify unintentional data storage in public locations or potential data leaks caused by misconfigurations. | Development | Security team, QA team |
SSS-02-04-01-01-04 | Use encryption for data-at-rest | Encrypt all sensitive data stored on the device, whether private or public, using strong encryption standards such as AES-256. Ensure encryption keys are securely managed. | Development | Development teams, Security team |
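An added example, not taken from the MASVS text or the OWASP project, of how operations SSS-02-04-01-01-01, -02 and -04 above can be implemented on Android (Kotlin, API 23+): a session token is encrypted with an AES-256-GCM key generated inside the Android Keystore (hardware-backed where the device supports it), written to app-private storage, and logged only by size. The object, key alias and file name are assumptions.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Log
import java.io.File
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical helper (not part of MASVS): keeps a secret in app-private storage,
// encrypted with an AES-256 key that never leaves the Android Keystore.
object SecureTokenStore {
    private const val ALIAS = "session_token_key"   // assumed key alias
    private const val FILE = "session_token.bin"    // assumed file name
    private const val IV_LEN = 12                   // Keystore GCM ciphers emit 12-byte IVs
    private const val TAG_BITS = 128

    private fun key(): SecretKey {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        (ks.getKey(ALIAS, null) as? SecretKey)?.let { return it }   // reuse existing key
        val kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        kg.init(
            KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)                       // AES-256 as required by the operation
                .build()
        )
        return kg.generateKey()                        // key material stays in the Keystore
    }

    fun save(ctx: Context, token: ByteArray) {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, key())        // Keystore picks a fresh random IV
        val blob = cipher.iv + cipher.doFinal(token)   // layout: IV || ciphertext || GCM tag
        File(ctx.filesDir, FILE).writeBytes(blob)      // filesDir is private to this app
        Log.d("SecureTokenStore", "stored token (${token.size} bytes)")  // size only, never the value
    }

    fun load(ctx: Context): ByteArray? {
        val f = File(ctx.filesDir, FILE)
        if (!f.exists()) return null
        val blob = f.readBytes()
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(TAG_BITS, blob.copyOfRange(0, IV_LEN)))
        return cipher.doFinal(blob, IV_LEN, blob.size - IV_LEN)  // AEADBadTagException if tampered
    }
}
```

Files under filesDir are included in Android Auto Backup by default, so exclude this file through the app's backup rules (or set android:allowBackup="false") to keep the ciphertext from leaving the device via backups.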
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1922) | The Open Worldwide Application Security Project (MASVS-STORAGE) | The Open Worldwide Application Security Project (MASVS-STORAGE) |