How to Store Auth Tokens in Routine Apps
What do you do with a login token in your app? OWASP guides list storing a token in local storage as a vulnerability:
M2: Insecure Data Storage | OWASP Foundation
Vulnerable? Really?
I wonder what Google & Apple think about a broad declaration that their app storage is a vulnerability.
Here is the threat:
- adversary gains physical possession of the mobile device
- the adversary hooks up the mobile device to a computer
- roots the phone and then runs Frida or equivalent hacking tools
- sees app directories & files containing PII
- malware steals such information assets.
But basic threat modelling shows this is poorly conceived.
Frida can read the memory of an app, so if you encrypt the storage and then read the PII or token back out for use in the app, an attacker with physical possession of the phone can read the token from memory just as easily as from storage.
Data storage on iOS and Android phones is quite secure. Good enough for most routine purposes. It’s much safer than, for example, a browser’s local storage or a cookie.