Insecure SD Card storage security risk – #6 DIVA Solution

Because internal storage is limited and removable storage is convenient for portability, Android devices offer the option of saving data to external SD card storage. With this flexibility comes a security risk. Since there is no per-app OS protection of the kind we observed for the App Sandbox, any app can easily read and write the entire SD card storage. In addition, the card can be removed from one device and accessed from another, and without encryption that makes the data even more vulnerable. In none of these cases is rooting the device needed.


The video demonstrates, using the DIVA app, that the app's login information is visible in cleartext on the external SD card. (Make sure you fill in the data and save it first; only then will the file be populated.)


  • Viewing file content on the device SD card from your computer
    With ADB configured on your laptop/computer, connect a physical device via USB and grant ADB access; an emulator works directly. Using the commands below, we can access the file saved on the SD card:

Method – 1 ADB Shell (root not required)

adb shell

cd /mnt/shell/emulated/0/

ls -la

cat .uinfo.txt
  • If your device does not have an external memory card, Android can present part of the device storage as emulated external storage. The location of the SD card differs from device to device. You may need to try the mount points listed below with the 'cd' command above, depending on your device:
    /sdcard/     or     /mnt/sdcard/     or    /storage/emulated/0/     or    /mnt/shell/emulated/0/
  • You might notice that we used ls -la to view the files. The reason is that the file created by the app is hidden, as its name is .uinfo.txt (it starts with ".", i.e. a dot). Developers might use this trick to keep a file hidden; however, the -la switch tells the command to list all files, including hidden ones.


Method – 2 You can also use any file explorer on the device itself.

Using the Android Device Monitor GUI, which ships by default with Android Studio and is shown in the YouTube video above, you would not be able to see hidden files. If a file name starts with a dot ".", Linux treats it as a hidden file, and the File Explorer of Android Device Monitor does not show such files by default.


Given the above, it is recommended not to save any sensitive information in cleartext on the SD card, such as users' personal details, login credentials, bank details, credit/debit card details, tokens, PINs, health data, transaction logs, cookies, etc.


  • The best solution is not to save anything on the SD card in plaintext: either generate it at run time from user input, or fetch the details with a secure HTTPS call over the internet.
  • Save passwords only after salting and hashing them with a strong algorithm such as SHA2 or Bcrypt.
  • Use the Android Keystore, which keeps encryption keys safe even on rooted devices, and use these keys to encrypt sensitive data before saving it to the SD card, so that the data remains encrypted even when the SD card is moved out of the device.
