The broad adoption of smartphones has superseded the desktop computers and laptops as a primary computing platform, due to mobility, constant connectivity and application diversity. Mobile devices encompass storage of extensive information including sensitive ones such as authentication credentials, pictures, videos, personal data, work information, and many more. Thus, securing data stored on mobile devices becomes a critical issue. In this review, we investigate the security of Android storage model between 2013 and 2018. Several threats are found in the literature that can be categorized as physical or software threats. Additionally, the existing solutions for each category are highlighted. Although Android provides valuable encryption systems including full disk encryption and keychain to enhance the data storage security, the encryption key, which is stored in the device, is still vulnerable to physical threats.

Introduction

According to ‘‘Mobile Security Project” under ‘‘The Open Web Application Security Project (OWASP)” (‘‘OWASP Mobile Security Project – OWASP”, Owasp.org, 2016), insecure data storage is one of the leading top 10 security issues in smartphones since sensitive information can be revealed if it is not protected carefully. Unskilled Developers assume that access to the internal memory stores cannot be gained, but an attacker who accesses the device physically can attach the phone to a computer and retrieve sensitive personal information. Moreover, malware applications (apps) and legitimate vulnerable apps can be a threat to sensitive information leakage. A Trojan horse hidden behind legitimate app can perform imperceptible activities with the aim to steal user’s information. Furthermore, attackers who want to access the data might exploit vulnerable apps, such as apps with over-privileged permissions. Smartphone security has been subjected to intensive research work in the past years. Existing review papers presents the state of the art of popular smartphone operating systems (Khan et al., 2015) (Ahvanooey et al., 2017) (Zaidi et al., 2016). Khan et al. showed that mobile malware, similar to Personal Computer (PC) malware, can cause system corruption or reveal private user information (Khan et al., 2015). Also, they demonstrated vital points to ensure mobile security based on restricting malicious activities at several levels; application developer level, application’s store level, and operating system level. Different types of mobile operating systems and software attacks have been discussed in (Ahvanooey et al., 2017). The authors provided a comprehensive overview of mobile threats, vulnerabilities, and countermeasures by reviewing published papers during the period 2011–۲۰۱۷٫ Authors in (Zaidi et al., 2016) studied smartphone security within 2010–۲۰۱۵٫ The authors categorized attacks into old and new attacks and presented possible solutions for each category. Moreover, they showed an estimation of mobile malware growth in 2020.