Secrets In Shared Preferences
Description
Storing tokens, passwords, or keys in Android SharedPreferences or iOS UserDefaults without encryption allows easy extraction on rooted/jailbroken devices, backups, or via debug tools.
Examples
Android SharedPreferences
adb shell run-as com.example.app cat /data/data/com.example.app/shared_prefs/auth.xml
If tokens or PII appear in cleartext in that file, the app's storage is insecure.
Remediation
- Use secure storage
  - Store secrets in Keystore/Keychain; encrypt any cached values with hardware-backed keys.
- Minimise and rotate
  - Avoid long-term token storage; rotate refresh tokens and wipe on logout.
- Backup controls
  - Exclude preference files from backups where secrets might exist.