PTKD Mobile App Security
medium | M9 | MASVS-STORAGE-2 | dynamic analysis | PTKD-DYN-EXTERNAL-SENSITIVE

Sensitive data written to external storage

A file whose name or content looks sensitive was written to external (world-accessible) storage.

How it's exploited

Sensitive content landed on external/shared storage, which other apps can read: broadly on older Android versions, and through the media/documents APIs on newer ones. The file also survives app uninstall.

Why it matters

Cross-app readable copies of private data, outside your app's sandbox and deletion lifecycle.

How to fix it

  1. Write private data to internal storage (Context.filesDir) or scoped app-specific external dirs.
  2. If exporting is a feature, encrypt the export or hand it off via the system share sheet instead of dropping files.
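
The flagged write next to both fixes, as an added Kotlin example (not code from this knowledge base or from any scanned app). The function names, the file name account_export.json and the FileProvider authority are assumptions made for illustration.

```kotlin
import android.app.Activity
import android.content.Context
import android.content.Intent
import android.os.Environment
import androidx.core.content.FileProvider
import java.io.File

// Flagged pattern: the export lands on shared storage, outside the app
// sandbox, and is left behind when the app is uninstalled.
@Suppress("DEPRECATION")
fun exportInsecure(report: ByteArray) {
    val shared = Environment.getExternalStorageDirectory()
    File(shared, "account_export.json").writeBytes(report)
}

// Fix 1: keep the data in internal storage (Context.filesDir).
// The file is private to the app and removed on uninstall.
fun saveReport(context: Context, report: ByteArray): File {
    val dir = File(context.filesDir, "exports").apply { mkdirs() }
    return File(dir, "account_export.json").also { it.writeBytes(report) }
}

// Fix 2: when exporting is a feature, hand the internal file to the system
// share sheet. The app the user picks receives a temporary read grant on a
// content:// URI instead of a path on shared storage.
fun shareReport(activity: Activity, report: ByteArray) {
    val file = saveReport(activity, report)
    // Assumption: the manifest declares an androidx FileProvider with this
    // authority, and its paths XML contains
    // <files-path name="exports" path="exports/" />.
    val authority = "${activity.packageName}.fileprovider"
    val uri = FileProvider.getUriForFile(activity, authority, file)
    val send = Intent(Intent.ACTION_SEND).apply {
        type = "application/json"
        putExtra(Intent.EXTRA_STREAM, uri)
        addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
    }
    activity.startActivity(Intent.createChooser(send, "Export report"))
}
```

Re-running the dynamic analysis after the change should show the write under the app's internal data directory and no new file on shared storage.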
