# Android Local Storage Checks

The user password can be found unencrypted in the following file on the device:

```normal
/data/data/com.my.application/shared_prefs/users.xml

<string name="myAPP_password">]-&xwhjgmd)u3</string>
```

Although files under `/data/data/[app_package_name]` are typically only accessible by the app, the contents of that directory can be read by the following methods:

* rooting the device
* connecting the phone to a computer and initiating a backup with `adb backup -noapk com.my.app`, then analysing the backup contents
* running a shell in the context of the package and copying the file to an unprotected directory, by issuing the command `adb exec-out run-as com.my.app cat shared_prefs/users.xml /sdcard`

### Remediation:

Where possible, passwords should not be stored on the device. Instead, perform initial authentication with the username and password and store a short-lived, service-specific authorization token. Alternatively, credentials can be stored in Android's AccountManager.

If storing secrets such as a password is a requirement, use the Android Keystore API to generate a random key on the app's first run and use that key to encrypt the secrets with a block cipher such as AES before storing the ciphertext in SharedPreferences.
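As an added example (not code from the original finding), the following Kotlin helper implements that remediation: an AES key generated inside the AndroidKeyStore on first use, AES-GCM encryption of the secret, and only the IV plus ciphertext written to SharedPreferences. The class name, key alias and preferences file name are hypothetical.

```kotlin
// Added example: hypothetical SecretPrefs helper, not from the original page.
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEY_ALIAS = "myapp_prefs_key"   // hypothetical alias
private const val IV_LEN = 12                     // GCM IV length used by the Keystore
private const val TRANSFORM = "AES/GCM/NoPadding"

class SecretPrefs(context: Context) {
    private val prefs = context.getSharedPreferences("secure_prefs", Context.MODE_PRIVATE)

    // Returns the Keystore-backed AES key, generating it on first run. Key material
    // never leaves the Keystore, so it does not sit in /data/data like the plaintext password did.
    private fun getOrCreateKey(): SecretKey {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        (ks.getEntry(KEY_ALIAS, null) as? KeyStore.SecretKeyEntry)?.let { return it.secretKey }
        val spec = KeyGenParameterSpec.Builder(
                KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256).build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
            .apply { init(spec) }.generateKey()
    }

    // Encrypts value with AES-GCM and stores Base64(IV || ciphertext || tag) under name.
    fun putSecret(name: String, value: String) {
        val cipher = Cipher.getInstance(TRANSFORM)
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())   // Keystore supplies a fresh random IV
        val ct = cipher.doFinal(value.toByteArray(Charsets.UTF_8))
        prefs.edit().putString(name, Base64.encodeToString(cipher.iv + ct, Base64.NO_WRAP)).apply()
    }

    // Returns the plaintext, or null if the entry is missing, truncated, or its GCM tag fails.
    fun getSecret(name: String): String? = runCatching {
        val raw = Base64.decode(prefs.getString(name, null) ?: return null, Base64.NO_WRAP)
        val cipher = Cipher.getInstance(TRANSFORM)
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), GCMParameterSpec(128, raw.copyOfRange(0, IV_LEN)))
        String(cipher.doFinal(raw, IV_LEN, raw.size - IV_LEN), Charsets.UTF_8)
    }.getOrNull()   // bad tag, short blob or invalid Base64 all map to null
}
```

With this in place, an attacker who reads the preferences file by any of the methods above obtains only a GCM blob whose key is held by the Keystore, and any edit to the stored blob is rejected by the tag check on read.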

{% embed url="https://developer.android.com/reference/android/accounts/AccountManager" %}
