0

We have created a mobile app that includes a view for payment with credit cards. We have used Cordova so we can pusblish our app for Android and iOS. During some tests an SQLite file was found on /data/data/[package]/app_webview/Web Data. This file includes tables named credit_card and whaever_credit_card. Those who found that file didn't mention if this file actually contains credit card numbers or is empty.

I have search this problem and I have found an explanation for it but I am not sure if it is right:

  • It is a file created by Android web view for credit card autofilling purposes.
  • It can only be accessed with root permissions.

Just to make sure, we are not doing anything with the credit card the user insert in the input field.

Can anyone elaborate on the security risks? Can anyone propose a way to delete the file or disable it with javascript in cordova or plugin?

Anders
  • 64,406
  • 24
  • 178
  • 215
Elo
  • 3
  • 4
  • "Those who found that file didn't mention if this file actually contains credit card numbers or is empty." this is fairly important information. Did you check the file's metadata? If so, what did it say especially concerning author and creation date? – Tom K. Feb 10 '18 at 09:00
  • That test was done by a third party and in the report they state: 'A sqlite file was found (not encrypted of course) that WOULD ALLOW to store sensitive information'. They attached a screenshot of what it seems a sql table description in sqlite browser. They didn't specify anything else, not even the sqlite file full path, just “/app_webview/Web Data”. So when I saw the report, I was a bit pissed off. – Elo Feb 10 '18 at 11:58

1 Answers1

1

The /data/data/packagename/app_webview/* stores the webview cache. The Web Data.db database is the default database that is created to cache the webview data and all the tables such as credit_cards, masked_credit_cards are created by default irrespective of the application using it or not.

First of all I would suggest that you must ask your application auditor to share the POCs(Proof of Concept), if the sensitive details are stored in the local data storage of the application.

I would suggest the following to get rid of the cache:

  1. For the Cordova application you can use this plugin to delete the webview cache.
  2. Alternatively you can programatically delete the folder (/data/data/packagename/app_webview/*) when the webview is destroyed. You can refer this for the logic.

Coming to the security risk, if the credit card details are stored locally then it is a severe risk since the sensitive data stored in the device can be accessed by a malicious user who gains the physical access to the device. Additionally, if the device is rooted i.e. OS security measures are circumvented by the device owner, this data can also be accessed remotely through a malicious application installed on the same device.

Shiv Sahni
  • 921
  • 8
  • 16