Android Data Storage Locations and What App Developers Do with It from a Security and Privacy Perspective

Many Android apps handle and store sensible data on the smartphone, such as for example passwords, API keys or messages. This information must of course be protected and thus more and more protected storage options and storage isolation techniques were implemented in recent Android version. This results in good security and privacy mechanisms provided to Android developers. However, the question is how well these measures are implemented in todays apps. In this publication, we are presenting an automated dynamic analysis environment which we use to analyze the top 1000 Android apps. Filesystem API accesses of these apps are evaluated and judged how well Android's protected storage locations are leveraged or abused.