Security/Reviews/AppsOnSDcard
From MozillaWiki
Storing app data on the sdcard
Storage on the /data partition is limited. It is proposed to store some or all app data on the sdcard instead of the local device storage. This introduces a number of security threats:
- Sensitive app data might be disclosed
- Apps will not be available if sdcard is not present
- App data may be modified (both app code & data)
Threat Model
Moving apps to the sdcard has an effect on a number of threat scenarios.
- Lost device: sdcard is more accessible, potentially exposing app data to disclosure or modification
- Short-term physical access to device ('evil-maid' scenario): removing and copying an sdcard is a more likely scenario than copying data off internal memory
- Malicious docking station (e.g. malicious charging station): usb mass storage controller may provide access to sdcard
- Remote exploit through malicious apps/content: APIs (e.g. DeviceStorage) provide limited access to the sdcard. Malicious content which manages to read/modify data from disk through other vulnerabilities may be able to more easily access data on sdcard than internal /data
Threats
Ref | Threat | Impact | Current controls | Proposed controls |
---|---|---|---|---|
T1 | sdcard could be removed and read on another machine | sensitive app data disclosed | N/A | |
T2 | sdcard could be removed and modified on another machine | sensitive app data modified; backdoored apps; app data changed/destroyed (e.g. delete user's calendar) | N/A | |
T3 | sdcard can be accessed via USB mass storage | sensitive app data disclosed or modified | USB mass storage is only accessible when device is unlocked | |
T4 | sdcard can be accessed via Device Storage API | sensitive app data disclosed or modified | DeviceStorage access controlled by permission, only provides access to specific sub-directories | modify Device Storage API so that it doesn't provide access to app data directories |
T5 | weaker file permissions on sdcard may make exploitation of Gecko vulnerabilities easier | sensitive app data disclosed or modified | /sdcard permissions already restricted? | Set file permissions with the same restrictions as /data? |
T6 | apps are not available when sdcard not present | app availability | N/A | |
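One way to verify the proposed control for T5 ("same restrictions as /data"), as an added example that is not part of the wiki page or of Firefox OS: a shell audit that walks the app directory on the sdcard and reports every file whose mode grants a permission bit its counterpart under /data does not. The directory paths in the usage comment are assumed, and the script relies on GNU `stat`.

```shell
#!/bin/sh
# Added example, not from the original page. Compare sdcard app files against
# their /data counterparts and flag any that are more permissive.
# Usage (paths are assumptions, not from the page):
#   audit_app_perms /data/local/webapps /mnt/sdcard/webapps

# Print one line per file under SD_DIR that is looser than REF_DIR/<same path>.
# Files with no counterpart are compared against an owner-only 600 baseline.
audit_app_perms() {
    ref=$1; sd=$2
    # Caveat: a FAT-formatted card cannot store per-file Unix permission bits,
    # so a restrictive mode there is not enforced at all; flag that first.
    case "$(stat -f -c '%T' "$sd")" in
        msdos|vfat|fat32) echo "WARN: $sd is FAT; per-file permissions are not enforced" ;;
    esac
    find "$sd" -type f | while IFS= read -r f; do
        rel=${f#"$sd"/}
        sdmode=$(stat -c '%a' "$f")
        if [ -e "$ref/$rel" ]; then
            refmode=$(stat -c '%a' "$ref/$rel")
        else
            refmode=600
        fi
        # Leading 0 makes the shell read the stat output as octal; any bit set
        # on the sdcard copy but not on the /data copy is extra access granted.
        if [ $(( 0$sdmode & ~0$refmode )) -ne 0 ]; then
            echo "$rel: sdcard mode $sdmode is looser than /data mode $refmode"
        fi
    done
}

# Exit status 0 only when the audit reports nothing.
sdcard_is_as_restrictive() {
    [ -z "$(audit_app_perms "$1" "$2")" ]
}
```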