Protect Your Assets

10 ways your mobile phone leaks your sensitive information

danielmiessler ‎04-08-2014 04:32 PM - edited ‎07-07-2015 12:36 PM


We all use mobile phones, but few of us are aware of how careless they can be with our information. It's not really the phones by themselves, though. It's the applications and how they interact with the operating system.


This article will walk through a few of the common dangers to your data security and privacy that come from poorly coded mobile applications.


Following the leaky data



Here in Fortify on Demand we see a lot of mobile applications in our testing practice, and it's staggering how often sensitive information entered into an app can be leaked or otherwise misused.


It's helpful to think about this from a mobile architecture perspective, i.e. to think about how the data goes from you to your phone, from the phone across the network, and then from the network into some sort of back end.


Here are just a few ways data can be lost in these various categories, starting with the device itself.




When you enter data into your device--sensitive data like credentials and financial data--where does it go? Unfortunately, the answer is that it can get scattered to the wind--even just on the phone or tablet. Here are some examples:


  1. Files: Developers commonly store sensitive data right on the mobile file system with no data protection whatsoever. This includes usernames, passwords, and sensitive application data such as PII, financial information, etc.
  2. Databases: Storing this type of sensitive data in unencrypted SQLite databases is a common occurrence. And there's nothing magically secure about a database--it's just a file that can be read like any other. If anything, it just makes the data theft more orderly via SQL!
  3. Logs: Another common mistake mobile developers make is storing sensitive data such as credentials and PII in log files. If stored to the primary system log (which is usually what happens), other applications can read this data and do what they want with it!
  4. Photos: Just as with logs, we regularly find mobile apps that capture sensitive data via the camera (or screenshots) and then store it outside of protected space on the device. This means that any other application can read those images.
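The first three leaks in the list above (files, databases, logs) all leave text behind in the app's data directory, so a tester can find them with one scan of a pulled directory. The following Python script is an added example, not code from the article or from Fortify on Demand: it constructs a throwaway app directory containing each leak, then scans it, opening SQLite databases table by table (they are just files) and grepping everything else for credential, e-mail and card-number patterns, with a Luhn check to cut false positives. The patterns, file names and sample values are all constructed for the example; leaked photos need an image-content check and are not covered here.

```python
import os
import re
import sqlite3
import tempfile

# Patterns for values that should never sit unprotected in app storage.
# Constructed for this example; a real audit uses a richer set.
PATTERNS = {
    "password": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite file


def luhn_ok(digits):
    """Luhn checksum: drops random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return 13 <= len(digits) <= 19 and total % 10 == 0


def scan_text(text, source):
    """Return (source, kind, value) for every sensitive-looking match in text."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "card_number" and not luhn_ok(re.sub(r"\D", "", value)):
                continue
            findings.append((source, kind, value))
    return findings


def scan_sqlite(path):
    """Walk every table of an unencrypted SQLite file; it is just another file."""
    findings = []
    conn = sqlite3.connect(path)
    try:
        tables = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            quoted = '"' + table.replace('"', '""') + '"'
            for row in conn.execute("SELECT * FROM " + quoted):
                for cell in row:
                    if isinstance(cell, str):
                        findings.extend(scan_text(cell, f"{path}:{table}"))
    finally:
        conn.close()
    return findings


def scan_app_data(root):
    """Scan an app's data directory: SQLite files by table, everything else as text."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                is_sqlite = f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
            if is_sqlite:
                findings.extend(scan_sqlite(path))
            else:
                with open(path, encoding="utf-8", errors="replace") as f:
                    findings.extend(scan_text(f.read(), path))
    return findings


def build_sample_app_dir():
    """Constructed app data directory reproducing leaks 1-3 from the list above."""
    root = tempfile.mkdtemp(prefix="leaky_app_")
    # 1. Files: credentials dropped into a plain preferences file
    with open(os.path.join(root, "prefs.properties"), "w") as f:
        f.write("user=alice@example.com\npassword=hunter2\n")
    # 2. Database: card data in an unencrypted SQLite database
    conn = sqlite3.connect(os.path.join(root, "wallet.db"))
    conn.execute("CREATE TABLE cards (holder TEXT, number TEXT)")
    conn.execute("INSERT INTO cards VALUES (?, ?)", ("Alice", "4111 1111 1111 1111"))
    conn.commit()
    conn.close()
    # 3. Logs: a debug line echoing the whole login request
    with open(os.path.join(root, "app.log"), "w") as f:
        f.write("DEBUG login user=alice@example.com password=hunter2\n")
    return root


if __name__ == "__main__":
    for source, kind, value in scan_app_data(build_sample_app_dir()):
        print(f"{kind:12s} {value:24s} in {source}")
```

Run it as a script and it lists five findings: the password and e-mail from the preferences file, the card number from the `cards` table, and the password and e-mail repeated in the log. Pointing `scan_app_data` at a directory pulled from a test device gives the same report for a real app; the fix on the developer side is to keep such values out of logs entirely and in the platform's protected credential storage rather than in files or plain SQLite.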



Not only do we have to worry about what the device is doing with our data, but we also have to think about what's done with it afterwards. Here are some common ways that mobile data is leaked over the network:


  1. Lack of Encryption: Many apps we see just outright lack TLS encryption. This means that if you're using an application to do something sensitive, and you happen to be in a public place, you could be spraying that sensitive data all over the coffee shop (and the street) for anyone to read. 
  2. Weak Encryption: A variation on this is when an attempt is made at encryption, but it's trivial to bypass. This materializes in a number of ways, including trusting any certificate, being able to downgrade from TLS to cleartext, etc.
  3. Legitimate Side-channels: We often test applications for customers where the developer has implemented (benign?) functionality that unknowingly sends data to a third party. A great example of this involves analytics networks: We regularly see these networks taking tokens of sensitive data and sending it back to the analytics network--often without HTTPS!
  4. Malicious Side-channels: Even worse than the accidental side-channel data leakage above, there are also many apps that do this on purpose. Of course the user never knows, because the application just looks like it's working normally, but in the background it's collecting what it can and sending it back home.
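Items 1-3 above are decisions made in client code, so they can be checked in client code. The following Python module is an added example, not code from the article or from Fortify on Demand; it uses the standard `ssl` module to show what "trust any certificate" looks like beside a verifying configuration, an audit function that flags those settings, a redirect rule that refuses an https-to-http downgrade, and an allowlist that strips everything but expected fields from an analytics event before it leaves the device over https. `ANALYTICS_ALLOWLIST` and the URLs are assumptions made for the example.

```python
import ssl
from urllib.parse import urlsplit

# Fields an analytics event may carry. Everything else (tokens, e-mails,
# card data) is dropped before the event leaves the device. Constructed list.
ANALYTICS_ALLOWLIST = {"event", "screen", "app_version", "duration_ms"}


def audit_tls_context(ctx):
    """Report client-side settings that make TLS trivial to bypass."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("certificate verification disabled (any certificate is trusted)")
    if not ctx.check_hostname:
        issues.append("hostname not checked (any valid certificate is accepted)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("protocol versions below TLS 1.2 allowed")
    return issues


def weak_context():
    """What 'trust any certificate' looks like in code: the setting to look for."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Verify the chain against the system trust store, check the hostname, TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allow_redirect(from_url, to_url):
    """Refuse a redirect that steps down from https to cleartext."""
    src = urlsplit(from_url).scheme.lower()
    dst = urlsplit(to_url).scheme.lower()
    if src == "https" and dst != "https":
        return False
    return dst in ("http", "https")


def prepare_analytics_event(event, endpoint):
    """Allowlist the payload and require an https endpoint before sending.

    Returns the scrubbed event; raises ValueError if the endpoint is cleartext.
    """
    if urlsplit(endpoint).scheme.lower() != "https":
        raise ValueError("analytics endpoint must use https: " + endpoint)
    return {k: v for k, v in event.items() if k in ANALYTICS_ALLOWLIST}


if __name__ == "__main__":
    print("weak context issues:    ", audit_tls_context(weak_context()))
    print("hardened context issues:", audit_tls_context(hardened_context()))
    print("follow https->http?     ", allow_redirect("https://api.example.com/a",
                                                     "http://api.example.com/a"))
    event = {"event": "login", "screen": "LoginView", "password": "hunter2"}
    print("analytics payload:      ",
          prepare_analytics_event(event, "https://analytics.example.com/collect"))
```

`audit_tls_context` is the part worth carrying into a code review: the two lines in `weak_context` are exactly the shape of the "trust any certificate" workaround that shows up in production builds after someone needed to get past a test proxy, and a verifying context should report no issues. `allow_redirect` belongs wherever the app's HTTP client follows redirects, and `prepare_analytics_event` puts the allowlist between the app and the analytics SDK so a token or password can never ride along.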



We've already seen that both the mobile device and the network it uses can be serious sources of data leakage in mobile apps. But we still haven't covered the other piece of the puzzle: the back end storage.


One of the easiest ways of breaking into a mobile application is through its back end storage. Here are a few examples of the issues:


  1. Promiscuous APIs: Mobile developers are notorious for making the faulty assumption that the only client visiting their mobile back end is the mobile front end. This just isn't true. Back ends are just web sites and APIs, and obscurity does not make security. It's too often trivial to see where the mobile app is interacting, go there manually, and extract the crown jewels.
  2. SQL Injection: We'd like to believe that SQL Injection is dead, but it isn't. And with mobile sites it tends to be quite bad when it happens.
  3. XSS and RFI: There is a legion of vulnerabilities that can lead to data loss on a web site or web service, but XSS and RFI are some particularly nasty issues that we continue to see in mobile back ends. RFI vulnerabilities, in particular, often lead to gaining full access to the server (and all the data on it).
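Items 1 and 2 above usually appear together: the back end trusts a user id the client sent, and pastes it into a query. The following Python example is added here and is not the article's or Fortify on Demand's code; it builds an in-memory SQLite back end with two users, shows the vulnerable handler returning every user's orders for a crafted id, and beside it a handler that takes identity from a server-side session, validates the input, and binds it as a query parameter. `SESSIONS`, the table layout and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed session store: token -> user id. A real back end keeps this
# server-side; the point is that identity comes from here, not from the client.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}


def make_db():
    """Constructed back-end database with two users and their orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(10, 1, 19.99), (11, 1, 5.00), (12, 2, 250.00)])
    conn.commit()
    return conn


def orders_unsafe(conn, user_id):
    """The 'promiscuous' handler: trusts the client-supplied user id and
    concatenates it into SQL. Both faults from the list above in one line."""
    sql = "SELECT id, user_id, total FROM orders WHERE user_id = " + str(user_id) + " ORDER BY id"
    return conn.execute(sql).fetchall()


def orders_safe(conn, session_token, requested_user_id):
    """Identity from the server-side session, input validated, value bound
    as a parameter so it can never change the query's structure."""
    session_user = SESSIONS.get(session_token)
    if session_user is None:
        raise PermissionError("no valid session")
    if not str(requested_user_id).isdigit():
        raise ValueError("user id must be numeric")
    if int(requested_user_id) != session_user:
        raise PermissionError("cannot read another user's orders")
    return conn.execute(
        "SELECT id, user_id, total FROM orders WHERE user_id = ? ORDER BY id",
        (session_user,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe, crafted id:", orders_unsafe(db, "1 OR 1=1"))  # every user's orders
    print("safe, own id:      ", orders_safe(db, "tok-alice", "1"))
```

The unsafe handler with a legitimate id looks correct in testing, which is why it ships; the crafted id shows the query structure changing and the whole table coming back. The safe handler fixes both items from the list independently: even if the parameter binding were removed, the session check would still stop one user reading another's rows, and even if the session check were removed, the binding would still stop the injected condition.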

Know how to protect yourself


The most important thing to take away from all of this is a simple best practice:


  • Realize that when you enter data into a mobile device, that data often gets dropped in various places on your phone, moved across many separate trust boundaries, sent over multiple networks, and even stored in multiple back ends.

Carefully consider the security and trustworthiness of the mobile application that you're using before you provide it with data you care about.


Whether you're worried about your personal device and data, or you're a corporation looking to enhance your mobile application security, consider reaching out to Fortify on Demand.


As always, feel free to reach out with any questions via Twitter (@danielmiessler) or via email (


Daniel Miessler is a Practice Principal with Fortify on Demand based out of San Francisco, California. His areas of expertise are web and mobile application security testing and building application security programs for the Global and Fortune 100. He can be reached at and on Twitter at @danielmiessler




David Mann
on ‎04-11-2014 08:06 AM

I think the back-end has another leak: whatever we agreed to in the EULA that allows them to share the data you provide to the backend business' partners. 

on ‎04-24-2014 12:41 AM

OH REALLY! So many things? I did know some of the basic ones, but you have come up with a long list and that is quite a real truth. I must say you have nailed it! :)
