From MozillaWiki
Jump to: navigation, search

Storing apps data on the sdcard

Storage on the /data partition is limited. It is proposed to store some or all app data on the sdcard instead of the local device storage. This introduces a number of security threats:

  • Sensitive app data might be disclosed
  • Apps will not be available if sdcard is not present
  • App data may be modified (both app code & data)

Threat Model

Moving apps to the sdcard has an effect on a number of threat scenarios.

  • Lost device: sdcard is more accessible, potentially exposing app data to disclosure or modification
  • Short-term physical access to device ('evil-maid' scenario): removing and copying an sdcard is a more likely scenario than copy data off internal memory
  • Malicious docking station (e.g. malicious charging station): usb mass storage controller may provide access to sdcard
  • Remote exploit through malicious apps/content: APIs (e.g. DeviceStorage) provide limited access to the sdcard. Malicious content which manages to read/modify data from disk through other vulnerabilities may be able to more easily access data on sdcard than internal /data


Ref Threat Impact Current controls Proposed controls
T1 sdcard could be removed and read on another machine sensitive app data disclosed N/A
  • Encrypt all data with device-specific key, or
  • Avoid storage of sensitive data on sdcard
T2 sdcard could be removed and modified on another machine sensitive app data modified. backdoored apps. app data changed/destroyed (e.g. delete user's calendar) N/A
  • Data itegrity checking (i.e. encrypt/sign)
  • Only store subset of app data on sdcard, apps must perform own data validation
T3 sdcard can be accessed via USB mass storage sensitive app data disclosed or modified USB mass storage is only accessible when device is unlocked
  • modify USB mass storage so that it only provides access to part of the sdcard
  • use a different technology to expose media - eg MTP (see bug 748350)
  • add mitigating controls
T4 sdcard can be accessed via Device Storage API sensitive app data disclosed or modified DeviceStorage access controlled by permission, only provides access to specific sub-directories modify Device Storage API so that it doesn't provide access to app data directories
T5 weaker file permissions on sdcard may may exploitation of gecko vulnerabilities easier sensitive app data disclosed or modified /sdcard permissions already restricted  ? Set file permissions with the same restrictions as /data ?
T6 apps are not available when sdcard not present app availability N/A
  • Provide some kind of UI to make user's aware that app installed on sdcard

Open Questions