Clarifying recommendations on Android internal storage encryption

[cpholguera]

As discussed in #3077

• Review and fix https://mas.owasp.org/MASTG/0x05d-Testing-Data-Storage/ to clarify WHEN this is a problem
  • “However, since data stored in a SharedPreferences object …“
  • “Sensitive information should not be stored in unencrypted SQLite databases.“
  • “Files saved to internal storage are containerized by default and cannot be accessed by other apps on the device.”
• Review and fix https://mas.owasp.org/MASWE/MASVS-STORAGE/MASWE-0006/
  • Clarify that incorrect file permission - will never happen after minSDKversion 17 because Context.MODE_PRIVATE is obligatory since API 17
  • Specify what we mean by “app vulnerability”, this can be e.g. an incorrectly exposed content provider.
  • Maybe we need to specify the types of data
    • User sensitive data (encrypted to prospect from other apps on the device and from others obtaining the backup)
    • Proprietary / Business assets (IP) (encrypted to protect from other apps on the device)
• Review and fix https://mas.owasp.org/MASTG/0x05d-Testing-Data-Storage/#backups
  • "If the device was encrypted, then the backup files will be encrypted as well"
  • Specify that the backup can be decrypted by the user’s password. So this is protecting user sensitive data from others (not the users themselves).