Security Audit: Critical credential storage and encryption issues #151
Description
Security Audit Report
A comprehensive security audit revealed several issues that should be addressed. This issue tracks the most critical findings.
🔴 CRITICAL Issues
1. Cleartext Password Stored in Memory/Settings
Files:
- lib/features/authentication/data/models/user_data.dart (line 13)
- lib/features/authentication/domain/providers/user_data_provider.dart (lines 48, 59, 91, 97, 136, 154)
- lib/core/services/backup_service.dart (line 42)
Problem: The UserData.clearPassword field stores the raw password in memory and persists it to settings.json.
Risk: Passwords extractable from memory dumps or file system access.
Fix:
- Remove `clearPassword` storage entirely
- Derive session tokens instead of storing passwords
- Use `flutter_secure_storage` for any credential retention
2. Supabase Credentials Stored Unencrypted
File: lib/features/synchronization/data/models/supabase_settings.dart
Problem: Supabase URL, anon key, email, and password stored in plaintext in settings.json.
Risk: File system access exposes cloud credentials and user's Supabase password.
Fix:
- Encrypt credentials using AES before persistence
- Prompt for password on-demand rather than storing
- Store only the anon key in plaintext (it's already public)
3. Debug Credentials in .env File
File: .env
DEBUG_AUTO_LOGIN=true
DEBUG_USERNAME=testuser
DEBUG_PASSWORD=12345678
Risk: Credentials in version control, could be left enabled accidentally.
Fix:
- Add `.env` to `.gitignore`
- Load only from CI/CD secrets
- Remove fallback credentials in production builds
🟠 HIGH Severity Issues
4. No Password Strength Requirements
File: lib/features/authentication/domain/providers/user_data_provider.dart
Problem: No password validation - users can set weak passwords.
Fix:
- Minimum 12 characters
- Require uppercase, lowercase, numbers, special chars
- Add password strength meter in UI
5. Optional Backup Encryption
File: lib/core/services/backup_service.dart (lines 63-152)
Problem: If clearPassword is empty, backups are created in plaintext with all diary data.
Fix:
- Require backup encryption unconditionally
- Derive key from device PIN or user-provided backup password
6. Biometric Password Storage
File: lib/core/services/biometric_service.dart (lines 91-102)
Problem: Raw password stored in flutter_secure_storage without additional encryption.
Fix: Encrypt password before storing, or use derived tokens instead.
🟡 MEDIUM Severity Issues
7. No HTTPS Enforcement for Supabase
File: lib/features/synchronization/data/repositories/supabase_api.dart
Fix: Validate URL starts with https://, implement certificate pinning.
8. Verbose Logging in Production
File: lib/core/log/logger_instance.dart
Problem: Logger initialized at Level.trace - could log sensitive data.
Fix: Default to Level.warning in production, never log passwords/PII.
9. File Extension Not Validated
File: lib/core/services/image_storage_service.dart
Fix: Whitelist allowed extensions (.jpg, .png, .gif, .webp).
🟢 LOW Severity Issues
10. Fixed IV in String Encryption
File: lib/core/encryption/aes_encryptor.dart
Problem: encryptString() uses a fixed IV, which violates CBC best practice (CBC needs a fresh, unpredictable IV for every message; with a fixed IV, equal plaintexts produce equal ciphertexts).
Fix: Always use a random IV, and deprecate the fixed-IV method.
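As an added illustration of findings 2 and 10 (this is not code from the project): a random-IV AES-256-CBC replacement for `encryptString()` that prepends the IV to the ciphertext, shown beside the fixed-IV behaviour the audit flags. It assumes the `encrypt` package; the function names and the sample secret are hypothetical/constructed.

```dart
import 'dart:convert';
import 'dart:typed_data';
import 'package:encrypt/encrypt.dart';

/// Hypothetical replacement for encryptString(): AES-256-CBC with a fresh
/// random IV per call. The IV is not secret, so it is prepended to the
/// ciphertext and the whole blob is base64-encoded for settings.json.
String encryptStringRandomIv(Key key, String plaintext) {
  final iv = IV.fromSecureRandom(16); // 16-byte AES block size
  final encrypter = Encrypter(AES(key, mode: AESMode.cbc)); // PKCS7 padding by default
  final ct = encrypter.encrypt(plaintext, iv: iv);
  return base64.encode(Uint8List.fromList([...iv.bytes, ...ct.bytes]));
}

/// Inverse of encryptStringRandomIv(): split off the 16-byte IV, then decrypt.
/// Rejects blobs that cannot contain an IV plus at least one full block.
String decryptStringRandomIv(Key key, String encoded) {
  final blob = base64.decode(encoded);
  if (blob.length < 32 || (blob.length - 16) % 16 != 0) {
    throw const FormatException('ciphertext too short or not block-aligned');
  }
  final iv = IV(Uint8List.fromList(blob.sublist(0, 16)));
  final ct = Encrypted(Uint8List.fromList(blob.sublist(16)));
  return Encrypter(AES(key, mode: AESMode.cbc)).decrypt(ct, iv: iv);
}

void main() {
  final key = Key.fromSecureRandom(32); // AES-256 key, held in memory only here
  const secret = 'supabase-password-example'; // constructed sample value

  // The finding: with a fixed IV, encrypting the same value twice yields the
  // same ciphertext, so anyone holding two copies of settings.json can tell
  // whether a stored credential changed, and shared prefixes leak block by block.
  final fixedIv = IV.fromLength(16); // all-zero IV, as a fixed-IV method would use
  final fixed = Encrypter(AES(key, mode: AESMode.cbc));
  final a = fixed.encrypt(secret, iv: fixedIv).base64;
  final b = fixed.encrypt(secret, iv: fixedIv).base64;
  print('fixed IV, identical ciphertexts: ${a == b}');

  // The fix: every call draws a new IV, so ciphertexts differ while both
  // still decrypt to the original value.
  final c = encryptStringRandomIv(key, secret);
  final d = encryptStringRandomIv(key, secret);
  print('random IV, identical ciphertexts: ${c == d}');
  final roundTrip = decryptStringRandomIv(key, c) == secret &&
      decryptStringRandomIv(key, d) == secret;
  print('random IV, round trip intact: $roundTrip');
}
```

The same helper pair can back finding 2: encrypt the Supabase password with it before persistence, keeping the key out of settings.json (for example in `flutter_secure_storage`), and leave only the public anon key in plaintext.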
11. No Input Validation on Registration
File: lib/features/authentication/presentation/pages/auth_user_data_page.dart
Fix: Add client-side validation for username, email format.
Summary Table
| Issue | Severity | Category |
|---|---|---|
| Cleartext password storage | 🔴 CRITICAL | Password Storage |
| Unencrypted Supabase credentials | 🔴 CRITICAL | Cloud Security |
| Debug credentials in .env | 🔴 CRITICAL | Secrets Management |
| No password strength validation | 🟠 HIGH | Authentication |
| Optional backup encryption | 🟠 HIGH | Data Protection |
| Biometric password not encrypted | 🟠 HIGH | Secure Storage |
| No HTTPS enforcement | 🟡 MEDIUM | Network |
| Verbose logging | 🟡 MEDIUM | Logging |
| File extension not validated | 🟡 MEDIUM | File Operations |
| Fixed IV encryption | 🟢 LOW | Cryptography |
| Missing input validation | 🟢 LOW | Input Handling |
Recommended Priority
- Immediate: Remove cleartext password from `UserData` and settings
- Immediate: Encrypt Supabase credentials
- High: Add password strength validation
- High: Make backup encryption mandatory
- Medium: Add HTTPS validation
- Medium: Fix logging levels
Acceptance Criteria
- `clearPassword` field removed from `UserData`
- Supabase credentials encrypted before storage
- `.env` added to `.gitignore`
- Password strength validation added (12+ chars, complexity)
- Backup encryption made mandatory
- HTTPS URL validation for Supabase
- Production logging level set to warning
- File extension whitelist for attachments