Exploiting Local Storage: Android Shared Preference Files

[AlexMiller998s]

Risk Rating: Low

Category: Insecure Data Storage

Description: SharedPreferences is an Android API that stores application preferences using simple sets of data values. It allows you to easily save, alter, and retrieve the values stored in a user’s profile.

Impact: Sensitive information should not be saved in cleartext. Otherwise, it can be accessed by any process or user in rooted devices, or can be disclosed through chained vulnerabilities, like unexpected access to the private storage through exposed components.

Remediation Recommendation: Do not store sensitive info or use the EncryptedSharedPreferences API or other encryption algorithms for storing sensitive information

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[lehcar09]

Hi @AlexMiller998s, thank you for raising this. Could you provide specifics on what sensitive information are being exploited here? Aside from that what Firebase Product and version are you using? Thanks!

[AlexMiller998s]

Hi @lehcar09 , Thanks for replying, I'm referring to this:

[lehcar09]

Thank you for sharing that @AlexMiller998s. I'll raise this to our engineers and see what we can do here. We really appreciate developers who are sharing their feedback since this helps us improve our services.