Mobile applications often store sensitive information locally on a device — from credentials and tokens to user-generated content and configuration data. If this local storage isn’t properly secured, attackers can exploit it to access confidential data, escalate privileges, or compromise app integrity.

Tests Performed in Local Storage Security Assessment:

Hidden Secrets in the Code
We scan application binaries and decompiled code for hardcoded credentials, API keys, encryption secrets, and other sensitive data that attackers could recover through static analysis or reverse engineering.

Storing Sensitive Data on Shared Storage
This test identifies whether sensitive data (like tokens, session IDs, or personal information) is stored on shared storage areas such as external SD cards or public directories — which are accessible to any app on the device without restrictions.

Cryptography-Based Storage Strength
We evaluate the strength and implementation of cryptographic protections applied to locally stored data. This includes assessing encryption algorithms, key management practices, and data integrity controls to prevent unauthorized access even if storage is compromised.

Content Providers Access Permissions
Our tests verify whether the application’s Content Providers — which manage structured data access between apps — are properly secured with appropriate permissions, preventing unauthorized or malicious apps from querying or modifying sensitive data.
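
One way to run this check on your own app, as an added example that is not part of the original page or the assessor's tooling: it reads a decoded (plain-text) AndroidManifest.xml and reports exported providers that lack a read or write permission. The manifest, package and provider names are constructed, the function name `audit_providers` is hypothetical, and a missing `uses-sdk` element is treated as a legacy target.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded text XML, not the binary form inside an APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="34"/>
  <application>
    <provider android:name=".NotesProvider"
        android:authorities="com.example.notes.provider"
        android:exported="true"/>
    <provider android:name=".SyncProvider"
        android:authorities="com.example.notes.sync"
        android:exported="true"
        android:readPermission="com.example.notes.READ"/>
    <provider android:name=".CacheProvider" android:authorities="com.example.notes.cache"/>
  </application>
</manifest>"""


def audit_providers(manifest_xml):
    """Return (provider name, finding) pairs for exported providers lacking permissions."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "1")) if sdk is not None else 1
    findings = []
    for prov in root.iter("provider"):
        name = prov.get(ANDROID_NS + "name", "?")
        exported = prov.get(ANDROID_NS + "exported")
        # With no explicit attribute, a provider is exported by default only for
        # legacy apps (API 16 or lower); simplified here to targetSdkVersion.
        is_exported = exported == "true" if exported is not None else target <= 16
        if not is_exported:
            continue
        both = prov.get(ANDROID_NS + "permission")  # covers reads and writes
        read = prov.get(ANDROID_NS + "readPermission") or both
        write = prov.get(ANDROID_NS + "writePermission") or both
        if not read and not write:
            findings.append((name, "exported with no permission"))
        elif not read:
            findings.append((name, "exported, reads unprotected"))
        elif not write:
            findings.append((name, "exported, writes unprotected"))
    return findings


if __name__ == "__main__":
    print(audit_providers(SAMPLE_MANIFEST))
```

A provider that must stay exported should declare a permission for both directions, ideally one with a `signature` protection level so that only apps signed with the same key can hold it.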

Content Providers SQL Injection
We assess whether Content Providers are vulnerable to SQL Injection attacks, which could allow attackers to manipulate queries, extract confidential information, or alter stored data through crafted inputs.

Privacy and Metadata Leaks
This test checks for unintentional leaks of sensitive metadata (such as user IDs, location history, timestamps, or device identifiers) that could be accessed by other apps or attackers without proper authorization, contributing to privacy violations.