FVP-02-012 WP5: Unencrypted shared preferences #808

Closed
bakulf opened this issue Apr 7, 2021 · 0 comments · Fixed by #817
bakulf commented Apr 7, 2021

During the assessment of the Android app, the discovery was made that the application
does not always consistently use the encrypted shared preference feature provided by
the Android SDK. This may lead to an information disclosure in case a local attacker is
able to get root access to the phone or the data is obtainable via backups (see
FVP-02-008). Sensitive information stored within the shared_prefs data folder in
plain-text, such as user VPN IPs and private keys, could be revealed.

It is advised to use the provided wrapper class called EncryptedSharedPreferences to
encrypt sensitive data stored within the shared_prefs folder, so as to make the
application more robust against the illustrated attacks. The wrapper class uses the
Android Keystore for handling the master key and is used to encrypt/decrypt all other
keysets. For more information, please refer to the official Android guide on storing data
more securely. Additionally, it is also advised to store VPN configuration data via
encrypted shared preferences, which is actually also written to the vpn.moz file in
plain-text.

┆Issue is synchronized with this Jira Task

bakulf added p3 Low Criticality Issues audit-issue labels Apr 7, 2021
strseb added a commit that referenced this issue Apr 8, 2021
bakulf modified the milestone: v2.2 Apr 9, 2021
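
The recommendation in the issue above, sketched as an added example (not part of the original issue and not the project's own code or the fix merged in #817): open an `EncryptedSharedPreferences` file backed by an Android Keystore master key, and move any values left in an older plain-text preference file into it. It assumes the `androidx.security:security-crypto` library with the `MasterKey` builder API; the two file names are hypothetical.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import android.os.Build
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Hypothetical file names, chosen for this example only.
private const val LEGACY_PREFS = "vpn_prefs_plain"
private const val SECURE_PREFS = "vpn_prefs_encrypted"

fun openSecurePrefs(context: Context): SharedPreferences {
    // The master key lives in the Android Keystore; it wraps the keysets
    // that encrypt preference names (AES256_SIV) and values (AES256_GCM).
    val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()
    val secure = EncryptedSharedPreferences.create(
        context, SECURE_PREFS, masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
    migrateLegacy(context, secure)
    return secure
}

// Copy every entry of the plain-text file into the encrypted one, then
// remove the plain-text copy so it no longer sits in shared_prefs.
private fun migrateLegacy(context: Context, secure: SharedPreferences) {
    val legacy = context.getSharedPreferences(LEGACY_PREFS, Context.MODE_PRIVATE)
    val entries = legacy.all
    if (entries.isEmpty()) return
    val editor = secure.edit()
    for ((key, value) in entries) {
        when (value) {
            is String -> editor.putString(key, value)
            is Boolean -> editor.putBoolean(key, value)
            is Int -> editor.putInt(key, value)
            is Long -> editor.putLong(key, value)
            is Float -> editor.putFloat(key, value)
            is Set<*> -> editor.putStringSet(key, value.filterIsInstance<String>().toSet())
        }
    }
    // commit() is synchronous: delete the old data only after the
    // encrypted copy has been written successfully.
    if (!editor.commit()) return
    legacy.edit().clear().commit()
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
        context.deleteSharedPreferences(LEGACY_PREFS)
    }
}
```

After migration, a quick check on a test device is to confirm that the files under `shared_prefs` no longer contain readable key names or values.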