In recent years, we’ve seen a recurring theme in security research and real-world incidents: apps storing sensitive information insecurely in local storage. While developers often prioritize protecting data in transit through protocols such as HTTPS and TLS, data at rest on a device is just as valuable to attackers. A stolen token, database, or plaintext file can be as damaging as an intercepted password.

Lessons From Real-World Incidents

Several high-profile cases illustrate how local storage missteps have led to breaches and abuse:

These incidents highlight the risks that arise when sensitive data is left unprotected in local storage—the device itself becomes a weak link in the chain.

How Attackers Exploit Local Storage

The threat model for local storage attacks typically falls into a few scenarios:

  • Malware or rogue apps can scan local files, databases, or caches in search of secrets, while attackers with physical access to a stolen or lost device can perform forensic analysis to extract files.
  • Insecure backups, such as iTunes or adb extractions, also provide an avenue for offline data theft.
  • On older versions of Android, shared storage permissions meant that one app with external storage access could freely read the data of others.

In each of these scenarios, the attacker doesn’t need to break network encryption; they only need to grab what has already been decrypted and stored.

Rooted and jailbroken devices add another layer of risk. With Google further tightening its developer verification processes and beginning to reject installations of non-verified apps, rootkits are expected to become a popular workaround. Unfortunately, this opens the door for malware and spyware that exploit device modifications to bypass built-in security restrictions. Malware can exploit flawed rootkits to gain elevated privileges, allowing it to scan storage, steal secrets, and tamper with applications with ease. In 2015, the KeyRaider malware exploited poor app keychain handling on jailbroken iOS devices, resulting in the theft of Apple account credentials from over 200,000 users. As such, rooting and jailbreaking will likely remain an attractive attack vector for data theft in the evolving mobile ecosystem.

Building a Strong Defense for Data at Rest

This is why data-at-rest encryption is so critical. Protecting sensitive files and databases ensures that even if local storage is accessed, the contents remain unintelligible without the proper keys.

Developers can mitigate risk by applying several best practices:

  • Sensitive files should be encrypted using strong cryptographic libraries rather than left in plaintext.
  • For structured data, encrypted database solutions such as SQLite extensions should be considered.
  • Secrets and tokens should be kept in secure storage APIs (Android Keystore, iOS Keychain, and Windows DPAPI) rather than in ordinary files or preferences. Token lifetimes also play an important role: short-lived, refreshable tokens are far safer than long-lived ones that can grant prolonged access if compromised.
  • Organizations should encourage device-level protections, such as enabling disk encryption and secure lock screens, which add further barriers against local attacks.
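
One way to check these practices before release, as an added example that is not from the original article: the script walks a copy of a test build's app data directory, reports every JWT-shaped token stored in plaintext, and computes each token's lifetime from its claims. The one-hour limit, the helper names, the file names, and the sample token are assumptions constructed for this example.

```python
import base64, json, os, re, tempfile

# JWT shape: three base64url segments; header and payload begin "eyJ" ('{"').
JWT_RE = re.compile(rb"eyJ[\w-]+\.eyJ[\w-]+\.[\w-]*")
MAX_LIFETIME_S = 3600  # assumed policy for this example: one hour

def make_jwt(claims) -> str:
    """Build a constructed sample token (fake signature) for the demo data."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256'})}.{enc(claims)}.c2FtcGxl"

def claims_of(token: bytes):
    """Decode the payload segment; the signature is not verified."""
    seg = token.split(b".")[1]
    try:
        obj = json.loads(base64.urlsafe_b64decode(seg + b"=" * (-len(seg) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON: not a real JWT
        return None
    return obj if isinstance(obj, dict) else None

def audit_storage(root: str):
    """Return (relative_path, lifetime_seconds_or_None) per plaintext JWT."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for match in JWT_RE.finditer(data):
                claims = claims_of(match.group())
                if claims is None:
                    continue
                exp, iat = claims.get("exp"), claims.get("iat")
                ok = isinstance(exp, int) and isinstance(iat, int)
                findings.append((os.path.relpath(path, root), exp - iat if ok else None))
    return findings

def too_long(lifetime) -> bool:
    """A missing exp/iat pair (None) is treated as unbounded."""
    return lifetime is None or lifetime > MAX_LIFETIME_S

def demo():
    """Audit a constructed app-data tree (not taken from a real app)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "shared_prefs"))
        month = make_jwt({"sub": "u1", "iat": 1700000000, "exp": 1702592000})
        with open(os.path.join(root, "shared_prefs", "session.xml"), "w") as fh:
            fh.write(f'<map><string name="token">{month}</string></map>')
        with open(os.path.join(root, "vault.bin"), "wb") as fh:
            fh.write(bytes(range(256)))  # stands in for an encrypted blob
        return audit_storage(root)
```

Any finding means a token reached disk outside the platform keystore; a lifetime for which `too_long` returns true means that token would stay usable long after the device is lost.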

While developers cannot control every threat vector, they can control how their apps handle data at rest. History has repeatedly shown that insecure local storage is a common and easily exploitable attack surface, and attackers are well aware of this fact. By prioritizing data-at-rest security and implementing robust file encryption strategies, organizations can significantly reduce the likelihood that a stolen device or compromised app environment leads to stolen identities, leaked conversations, or hijacked accounts.

Taking Your Encryption Further

For teams that want to go beyond standard platform APIs, solutions such as the upcoming release of Digital.ai White-box Cryptography Agent can simplify this process by providing access to an advanced white-box cryptography library with an extremely simple API and seamless integration into existing apps.

Beyond ease of use, Digital.ai White-box Cryptography Agent also helps mitigate the common risk of cryptography misuse, such as hardcoding secrets directly in applications. By relying on white-box key implementations that are extremely difficult to extract, and offering an API designed to prevent common pitfalls, Digital.ai White-box Cryptography Agent enables developers to adopt strong encryption practices without adding unnecessary complexity to their workflows. Combined with obfuscation and anti-tampering solutions, these practices can further raise the bar for attackers and reduce the likelihood of data exposure in compromised environments.

Conclusion

Protecting data on a user’s device is just as critical as protecting the same data in transit across a network. By applying strong encryption, leveraging secure storage APIs, and adopting layered device-level protections, developers can significantly reduce the risk that stolen devices or compromised applications lead to exposed credentials, hijacked accounts, or leaked sensitive information. Prioritizing these practices transforms local storage from a weak link into a robust component of overall application security.

Author

Egidijus Vaišvila, Lead Software Engineer
