By: udhayaprakash
October 15, 2015

Insecure Data Storage on Android Mobile Phones

What Does this Mean?

Today, cellular networks are becoming a vital element for exchanging electronic data in low-income countries. A problem arises: insecure data storage on mobile phones, which leads to the theft of all important data from victims' phones. I'm here to give a solution for insecure data storage and transmission between the client and server in Android. MDCS (Mobile Data Collection System) is a system to collect data from Android mobiles and other mobile phones. When a user is authenticated to access a certain application, the data, cookies and auto-filled forms are stored in the internal memory. When a hacker successfully hijacks the victim's mobile, he is able to read the data stored inside the mobile and also log in with that data. This affects almost 99% of mobiles in the world. This issue has become a big problem for industry developers and bank app developers.

What's My Opinion on Solving This Issue?

We can implement an encryption mechanism here. But a solution has already been applied to this problem, and it is still at risk. What is that? The developer thinks that the application data stored in the client phone is safe because encryption is implemented, so they decide that the data can't be read unless the user connects to the server and logs in with his password and ID. But the hacker cracks this encryption mechanism by rooting or jailbreaking his phone, and he is then able to read the data in its respective form. Automated software uses brute force and hash decryption methods to break the encryption. So my idea is to apply the latest encryption technology like SHA (Secure Hash Algorithm) and MD5 encryption. What's the problem with this? Android supports only Java ME, and high encryption leads to an unsupported APK for older-version mobiles. In order to achieve this, we have to prepare an intermediate authentication by the application.

IEEE Conference Proposed Solution and Its Complexity

OPEN x DATA. This is the solution given at the IEEE conference. It stores the application data and transmits it to the server. This application stores the data in encrypted format, and hence it can be accessed only by the authorized person who knows the password. When a successful key is transmitted, the application connects to the server. The problem is with this auto form-filling method, and also that every time we open the application we have to enter the password. This takes effort for all apps on the mobile phone. The solution given by IEEE is the EK (encrypted key) to log in to the application (i.e. this key opens the encryption and, if it fails, an error message is shown); when a successful key is accepted by the openxdata application, it opens the server and connects the client. This has time complexity and seems not user-friendly to users. But the solution is strong at transmitting the data in encrypted format and is also very efficient.

But openxdata stated that it will accept all API levels, though in some cases it won't support outdated versions of Android.

My Final Simple Solution for Kinds of Data Storage and Transmissions

Instead of storing the app data in the mobile's internal memory, it is better to store it in the application's supplicant database. The user only needs the user ID and password; with this method the data is stored in server-side storage. Only when successful authentication is done should the application features be enabled. If there is a necessity to store the data in user memory, then implement third-factor authentication; in case brute-force handling is detected, set a session time-out, and if login fails in three attempts, warn the user and impose a time delay. When a hacker successfully copies the application data, set MAC authentication, and if it fails, keep a fake self-destroying message and email a message to the authorized user. All this implementation is in the programmer's hands. If an effective program is written, then this method won't need any costly, high-API-level configuration phones. When application data is stored in the internal memory of the phone, the EK (encrypted key) should be authenticated by connecting the application to the server with the correct user name and password; else the application data should be encrypted with high hash algorithms. The server connects to the application data handler through an HTTPS transmission medium only. Your suggestions are welcome at: cuptce@gmail.com
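As an added illustration (not the author's code, and written in Python rather than Android Java so that it runs stand-alone), the following models the client-side rules of the solution above: the EK is released by the server only after a successful user-ID/password login and is held in memory for one session, stored data carries an HMAC so a copied or altered blob fails the MAC check, and three failed logins trigger a warning plus a time delay. The FakeServer class, the lockout length and the session time-out are constructed placeholders, and encryption of the stored body is left out to keep the example short.

```python
import hashlib
import hmac
import json

MAX_ATTEMPTS = 3        # the post's "fails in three attempts" rule
LOCKOUT_SECONDS = 60    # time delay after the third failure (assumed value)
SESSION_SECONDS = 300   # session time-out after which the EK is dropped (assumed value)

class FakeServer:
    """Stand-in back end (constructed for this example): checks a salted PBKDF2
    password hash and releases the per-user key (EK); real traffic is HTTPS only."""
    def __init__(self, password, key, salt=b"constructed-salt"):
        self._salt, self._key = salt, key
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def authenticate(self, password):
        guess = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        return self._key if hmac.compare_digest(guess, self._pw_hash) else None

class ProtectedStore:
    """Client side: data is sealed with an HMAC under the EK, which is kept only in memory."""
    def __init__(self):
        self.key, self.failures, self.locked_until, self.session_until = None, 0, 0.0, 0.0
    def login(self, password, now, server):
        if now < self.locked_until:
            return "locked"                      # still inside the time delay
        key = server.authenticate(password)
        if key is None:
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:    # warn the user and impose the delay
                self.failures, self.locked_until = 0, now + LOCKOUT_SECONDS
                return "warned"
            return "denied"
        self.key, self.failures = key, 0
        self.session_until = now + SESSION_SECONDS  # features enabled for one session only
        return "ok"
    def _require_session(self, now):
        if self.key is None or now > self.session_until:
            self.key = None                      # drop the EK once the session times out
            raise PermissionError("not authenticated or session timed out")
    def seal(self, data, now):
        self._require_session(now)
        body = json.dumps(data, sort_keys=True).encode()
        return hmac.new(self.key, body, hashlib.sha256).digest() + body
    def open(self, blob, now):
        self._require_session(now)
        tag, body = blob[:32], blob[32:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return None   # MAC failure: copied or altered data; caller wipes it and alerts the owner
        return json.loads(body)
```

A blob sealed on one device cannot be opened on another store that holds a different EK, which is the "copied application data" case the MAC check is there to catch.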