Android Local Storage Checks

The user password can be found unencrypted in the following file on the device:

/data/data/com.my.application/shared_prefs/users.xml

<string name="myAPP_password">]-&xwhjgmd)u3</string>

Although files under /data/data/[app_package_name] are typically only accessible by the app, the contents of that directory can be read by the following methods:

  • rooting the device

  • connecting the phone to a computer and initiating a backup with adb backup -noapk com.my.app, then analysing the backup contents

  • running a shell in the context of the package (run-as only works against an app built with android:debuggable="true") and copying the file to an unprotected directory, by issuing the command adb exec-out run-as com.my.app cat shared_prefs/users.xml /sdcard

Remediation:

Where possible, passwords should not be stored on the device. Instead, perform initial authentication with the username and password and store a short-lived, service-specific authorization token. Alternatively, credentials can be stored in Android's AccountManager.

If storing secrets such as a password is a requirement, use the Android Keystore API to generate a random key when the app runs for the first time and use that key to encrypt secrets with a block cipher such as AES before storing them in Preferences.
