Insecure Storage

Internal Storage

Android protects the internal storage so apps can only access their own files. i.e. /data/data/<apk_path>

That also means that exploring the internal storage folders in /data/data/<apk_path> is only possible on a rooted phone or emulator.

THis internal directory includes

1. shared_prefs

2. files

3. caches

4. databases & etc

When in android you do clear cache(if you remember that) it actually clears content inside cache directory

The shared preferences are very convenient to store various values such as user settings.

As an app developer you might not realise that under the hood the shared preferences are actually stored in an XML file inside the ./shared_prefs/ internal storage folder. They are also often used to store access tokens or other kinds of secrets. In itself that's not an issue, but this makes shared preferences a very interesting target for stealing or overwriting internal files.

Many apps use SQLite3 to store more complex data structures in the internal storage. The android application Context offers useful functions such as openOrCreateDatabase() to create or access the database stored in the internal application storage. i.e. database folder

Android should also have the sqlite3 tool installed to interact with database files directly.

All of these folders are accessible by app only and other apps can't access this directory.

External storage

Apps do store data in external storage which they think is dafe to share with other apps.

Historically the external storage was stored on a physically accessible SD card. That's why the external storage folder is called /sdcard/, even though on modern phones without an SD card slot it's technically also "internal phone" storage.

Nowdays these folders exists but they are symlinks to another internal directories.

External File Access Permissions

Back in the days, the external storage was considered "insecure", because every app could access all the data on it. Also it was easy to physically remove the SD card and steal its content. Thus you still see various tutorials and tools flagging "use of external storage" as an issue.

Since Android 11 the access to the "external storage" has been greatly reduced to a point where it is almost equal to protection as the internal storage. That's why you should look closely at the supported Android versions of an app, and look at the real world version usage when assessing the risk and impact of a storage related issue.

It should also be noted that various phone vendors might mess with the folder and file permissions. So you should always try to test issues related to file access on various Android versions and devices.

Google's Mobile VRP for example requires issues to be reproducible in latest Android version:

Non-qualifying issues:

• [...]

• Vulnerabilities that do not work on the latest available operating system version

This means that issues that were exploitable in old Android versions are probably not considered valid.

Scoped storage

Data and file storage overview  |  App data and files  |  Android DevelopersAndroid Developers

As you can see even thought files are located in sdcard folder there is folders with app name, which means only those apps can access those files. i.e. scoped external storage.

Since Android 10, and especially Android 11, the scoped storage feature basically turned the "external storage" into a well protected storage similar to the traditional "internal storage".

""To give users more control over their files and to limit file clutter, apps that target Android 10 (API level 29) and higher are given scoped access into external storage, or scoped storage, by default. Such apps have access only to the app-specific directory on external storage, as well as specific types of media that the app has created.""

it is recommend to not just blindly report apps that use external storage, but rather carefully investigate and test whether you can actually access or leak these files or not. Impact always depends on the Android version usage and what API levels an app supports.

While apps can still use the permission MANAGE_EXTERNAL_STORAGE on Android 13+ to request access to all files on external storage, additionally the user must be directed to a special settings page where they have to enable "Allow access to manage all files" for the app.

Manage External Storage

While the scoped storage heavily protects the external storage, there is still one exception. There exists the MANAGE_EXTERNAL_STORAGE dangerous permission that can be requested by apps to still read the external storage files. This permission is only available to apps in the Play Store with an exception, or via side-loading. Thus limiting the impact and risk a lot. Though the risk is not completely mitigated, so depending on the unique threat-model of an app, you might still want to consider a malicious app to have this permission.