The mobile application stores sensitive data (credentials, tokens, personal data) insecurely on the device, such as in plaintext files, shared preferences, or unencrypted databases.
An attacker with physical access to the device, or malware running on it, could extract sensitive data, including authentication tokens, personal information, or cached credentials.
Use platform-specific secure storage (iOS Keychain, Android Keystore). Encrypt sensitive data at rest. Avoid storing sensitive data in plaintext files, logs, or shared preferences. Implement data protection flags for stored files.