Exploiting Local Storage: Android Shared Preference Files
Closed this issue · 5 comments
Risk Rating: Low
Category: Insecure Data Storage
Description: SharedPreferences is an Android API that stores application preferences using simple sets of data values. It allows you to easily save, alter, and retrieve the values stored in a user’s profile.
Impact: Sensitive information should not be saved in cleartext. Otherwise, it can be accessed by any process or user on rooted devices, or can be disclosed through chained vulnerabilities, like unexpected access to the private storage through exposed components.
Remediation Recommendation: Do not store sensitive info, or use the EncryptedSharedPreferences API or other encryption algorithms for storing sensitive information.
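As an added illustration of the remediation above (this is example code written for this thread, not code from the issue reporter or from the Firebase SDK), the following Kotlin shows a plaintext SharedPreferences write next to the hardened form using `EncryptedSharedPreferences` from the `androidx.security:security-crypto` artifact. The function names, preference file names and the `fcm_token` key are assumptions chosen for the example.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Weak form: a plain SharedPreferences file. The value is written as readable XML
// under /data/data/<package>/shared_prefs/plain_prefs.xml (path pattern is the
// standard Android location; file name is an assumption for this example).
fun savePlain(context: Context, token: String) {
    val prefs: SharedPreferences =
        context.getSharedPreferences("plain_prefs", Context.MODE_PRIVATE)
    prefs.edit().putString("fcm_token", token).apply()
}

// Hardened form: EncryptedSharedPreferences. Keys and values are encrypted with
// a master key that lives in the Android Keystore, so the on-disk XML no longer
// contains the cleartext value. Requires the dependency
// androidx.security:security-crypto in build.gradle (assumed to be present).
fun encryptedPrefs(context: Context): SharedPreferences {
    val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()
    return EncryptedSharedPreferences.create(
        context,
        "secure_prefs",                                            // file name (assumption)
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,   // deterministic, so keys can be looked up
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM  // authenticated encryption for values
    )
}

fun saveEncrypted(context: Context, token: String) {
    encryptedPrefs(context).edit().putString("fcm_token", token).apply()
}

// Reads transparently decrypt; callers use the normal SharedPreferences API.
fun readEncrypted(context: Context): String? =
    encryptedPrefs(context).getString("fcm_token", null)
```

The rest of the app keeps using the `SharedPreferences` interface unchanged, so the migration is mostly a matter of swapping the factory call. Note that the master key is bound to the device Keystore, so the file is not portable between devices and is lost if the key is cleared, which is the intended trade-off for keeping the stored value out of cleartext.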
I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
Hi @AlexMiller998s, thank you for raising this. Could you provide specifics on what sensitive information is being exploited here? Aside from that, what Firebase product and version are you using? Thanks!
Hi @lehcar09, thanks for replying. I'm referring to this:

Thank you for sharing that @AlexMiller998s. I'll raise this to our engineers and see what we can do here. We really appreciate developers who are sharing their feedback since this helps us improve our services.
Hey @AlexMiller998s, as per our Engr.
We understand why it might be concerning to see this behavior. In FCM we rely on the app server authentication to our server as our primary security. The FCM reg token is an identifier that can be used to send a message directly to a single app instance but only when properly authenticated by server auth. In this same way, FCM topics can be used to send to many app instances without the use of an FCM reg token but it still requires that the server authenticate the send request with FCM servers.
With that, I'll be closing this issue now. Let me know if there is any misunderstanding so we can re-open the issue. Thanks!