Data storage is one of the most important features when building Android applications. Android OS comes with the following mechanisms that enable developers to save an app's data:
- Databases: SQLite database
- Internal or removable storage
In all cases, as a developer you need to pay attention to the security implications when your apps handle user-sensitive information.
With the SQLite database, you may have heard about SQL injection attacks, where parts of an SQL query or command are built from the user's raw input. Files, Preferences and Internal/External Storage, on the other hand, come with different options that serve different purposes when saving data (for example, sensitive data should never be stored in public places such as the Downloads folder or an external SD card). Misuse of such options results in vulnerable apps that expose the user's sensitive information to malicious third-party applications. Therefore, developers should be careful when applying these mechanisms in their applications. In the next posts, I will share more details on each particular mechanism (SQLite database, Files, Preferences and Internal/External Storage).
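As an added example (not code from the original post), here are the two query styles the paragraph contrasts, written against Android's SQLiteDatabase API, together with the app-private file location the storage advice points to; the `UserRepository` class and the `users` table are assumptions.

```java
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import java.io.File;

// Hypothetical helper class; the "users" table is assumed to exist.
public class UserRepository {
    private final SQLiteDatabase db;

    public UserRepository(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE: the raw input becomes part of the SQL text, so a value
    // containing a quote character changes the meaning of the statement.
    public Cursor findByNameUnsafe(String rawInput) {
        String sql = "SELECT id, name FROM users WHERE name = '" + rawInput + "'";
        return db.rawQuery(sql, null);
    }

    // SAFE: the input is bound as a parameter, so SQLite treats it purely as
    // data and it can never alter the structure of the query.
    public Cursor findByName(String rawInput) {
        return db.query(
                "users",
                new String[] {"id", "name"},
                "name = ?",
                new String[] {rawInput},
                null, null, null);
    }

    // Sensitive files belong in app-private internal storage (readable only by
    // this app's own UID), never in shared public locations such as Downloads
    // or an external SD card.
    public static File privateFile(Context context, String fileName) {
        return new File(context.getFilesDir(), fileName);
    }
}
```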
References:
- Data Storage in Android: Android Official Documentation
- SQL Injection attack: Prof. Jim Whitehead's lecture