You are Emma Rodriguez, an ethical hacker at SecurePath Solutions, hired to test the mobile...

The finding described maps directly to Insecure Data Storage. In CEH-aligned mobile security guidance and OWASP Mobile risk discussions, insecure data storage occurs when a mobile application saves sensitive information locally in a way that can be easily recovered by an attacker, especially on a rooted or jailbroken device where sandbox protections can be bypassed. Storing usernames and passwords in plain text is a high-severity example because it allows immediate account takeover and enables access to protected client records, case notes, and other confidential material.

Mobile devices routinely store app data in local file systems, shared preferences, databases, logs, or cached content. If sensitive data is stored without proper protections, an attacker with physical access, malware, backup extraction capability, or root access can read it directly. CEH materials emphasize that rooting dramatically increases attacker capability by permitting access to app directories and system areas that would otherwise be restricted. That is exactly what the scenario shows: credentials are recovered from the device once root access is available.

The best practice mitigation is to never store credentials in plain text. Use secure, OS-provided storage such as Android Keystore or iOS Keychain, apply strong encryption with keys protected by hardware-backed mechanisms when available, minimize what is stored locally, and ensure secrets are not written to logs or debug artifacts. Insecure Communication would involve weak transport protections, and Improper Credential Usage can include hardcoded credentials or poor authentication handling, but the specific issue here is plainly unsafe local storage of credentials, so Insecure Data Storage is the correct choice.