During the assessment of the Android app, the discovery was made that the application
does not always consistently use the encrypted shared preference feature provided by
the Android SDK. This may lead to an information disclosure in case a local attacker is
able to get root access to the phone or the data is obtainable via backups (see FVP-02-
008). Sensitive information stored within the shared_prefs data folder in plain-text, such
as user VPN IPs and private keys, could be revealed.
It is advised to use the provided wrapper class called EncryptedSharedPreferences to
encrypt sensitive data stored within the shared_prefs folder, so as to make the
application more robust against the illustrated attacks. The wrapper class uses the
Android Keystore for handling the master key and is used to encrypt/decrypt all other
keysets. For more information, please refer to the official Android guide on storing data
more securely. Additionally, it is also advised to store VPN configuration data via
encrypted shared preferences, which is actually also written to the vpn.moz file in plain-
text.
During the assessment of the Android app, the discovery was made that the application
does not always consistently use the encrypted shared preference feature provided by
the Android SDK. This may lead to an information disclosure in case a local attacker is
able to get root access to the phone or the data is obtainable via backups (see FVP-02-
008). Sensitive information stored within the shared_prefs data folder in plain-text, such
as user VPN IPs and private keys, could be revealed.
It is advised to use the provided wrapper class called EncryptedSharedPreferences to
encrypt sensitive data stored within the shared_prefs folder, so as to make the
application more robust against the illustrated attacks. The wrapper class uses the
Android Keystore for handling the master key and is used to encrypt/decrypt all other
keysets. For more information, please refer to the official Android guide on storing data
more securely. Additionally, it is also advised to store VPN configuration data via
encrypted shared preferences, which is actually also written to the vpn.moz file in plain-
text.
┆Issue is synchronized with this Jira Task
The text was updated successfully, but these errors were encountered: