Android Local Storage Checks

The user's password can be found unencrypted in the app's shared preferences on the device, in the following entry:


<string name="myAPP_password">]-&xwhjgmd)u3</string>

Although files under /data/data/[app_package_name] are typically only accessible by the app itself (the directory is owned by the app's own Linux UID), the contents of that directory can be read by any of the following methods:

  • rooting the device (or using a rooted emulator) and reading the files directly as root

  • connecting the phone to a computer and initiating a backup with adb backup -noapk [app_package_name], then analysing the backup contents. This only works when the app does not set android:allowBackup="false"; on Android 12 and later, app data is also excluded from adb backup unless the app is debuggable. The resulting .ab file is a short text header followed by a zlib-compressed tar archive, which tools such as android-backup-extractor can unpack.

  • running a shell in the context of the package (possible only when the app is debuggable) and copying the file to the host or to an unprotected directory, for example adb exec-out run-as [app_package_name] cat shared_prefs/users.xml > users.xml, or adb shell run-as [app_package_name] cp shared_prefs/users.xml /sdcard/
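The following script is an added example (not part of the original page) that automates the backup-based check above: it unpacks an unencrypted adb backup (.ab) the way the format lays it out, a four-line header followed by a zlib-compressed tar whose shared preferences sit under apps/<package>/sp/, and flags <string> entries whose key looks like a credential, such as the myAPP_password finding shown earlier. The package name com.example.myapp, the sample users.xml and the key-name pattern are constructed for the example; real engagements need the pattern tuned to the target and an encrypted backup would additionally require the backup password.

```python
"""Offline check for plaintext credentials in an `adb backup` archive.

Added example, not code from the original page. It builds a constructed,
unencrypted .ab in memory, unpacks it, and reports shared_prefs values
stored under credential-looking keys.
"""
import io
import re
import tarfile
import zlib
import xml.etree.ElementTree as ET
from typing import List, Tuple

AB_MAGIC = b"ANDROID BACKUP\n"

# Keys that should never hold a plaintext value in shared_prefs.
# This pattern is an assumption for the example; extend it per target.
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|pwd|secret|token|pin)", re.IGNORECASE)


def unpack_ab(data: bytes) -> tarfile.TarFile:
    """Parse the .ab header and return the contained tar archive.

    The header is four newline-terminated lines: magic, format version,
    compressed flag (1/0) and encryption ("none" or "AES-256").
    Encrypted archives are rejected: decrypting them needs the backup
    password the user typed on the device.
    """
    if not data.startswith(AB_MAGIC):
        raise ValueError("not an adb backup file")
    parts = data.split(b"\n", 4)  # four header lines, then the raw payload
    if len(parts) < 5:
        raise ValueError("truncated .ab header")
    _magic, _version, compressed, encryption, payload = parts
    if encryption != b"none":
        raise ValueError("encrypted backup (%s) not supported" % encryption.decode())
    if compressed == b"1":
        payload = zlib.decompress(payload)
    return tarfile.open(fileobj=io.BytesIO(payload), mode="r:")


def find_plaintext_secrets(ab_data: bytes) -> List[Tuple[str, str, str]]:
    """Return (archive path, preference key, value) for every suspicious entry.

    Shared preferences are stored as apps/<package>/sp/<name>.xml in the tar.
    """
    hits = []
    with unpack_ab(ab_data) as tar:
        for member in tar.getmembers():
            if not member.isfile() or "/sp/" not in member.name or not member.name.endswith(".xml"):
                continue
            f = tar.extractfile(member)
            if f is None:
                continue
            root = ET.fromstring(f.read())
            for elem in root.iter("string"):
                key = elem.get("name", "")
                if SECRET_KEY_RE.search(key) and (elem.text or ""):
                    hits.append((member.name, key, elem.text))
    return hits


def make_sample_backup(package: str, prefs_xml: str) -> bytes:
    """Build a constructed, unencrypted .ab for testing (not a real device capture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        body = prefs_xml.encode()
        info = tarfile.TarInfo(name="apps/%s/sp/users.xml" % package)
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    header = AB_MAGIC + b"5\n1\nnone\n"  # version 5, compressed, unencrypted
    return header + zlib.compress(buf.getvalue())


# Constructed sample mirroring the finding above; the package name is hypothetical.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="myAPP_username">alice</string>
    <string name="myAPP_password">]-&amp;xwhjgmd)u3</string>
    <string name="theme">dark</string>
</map>
"""
SAMPLE_AB = make_sample_backup("com.example.myapp", SAMPLE_PREFS)

if __name__ == "__main__":
    for path, key, value in find_plaintext_secrets(SAMPLE_AB):
        print("%s: %s = %r" % (path, key, value))
```

Against a real capture, replace SAMPLE_AB with the bytes of backup.ab; the script deliberately refuses AES-256 archives rather than silently reporting nothing.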


Where possible, passwords should not be stored on the device. Instead, perform initial authentication with the username and password and store a short-lived, service-specific authorization token. Alternatively, credentials can be stored in Android's AccountManager.

If storing a secret such as a password is a requirement, generate a random key in the Android Keystore when the app runs for the first time (the key material then stays inside the Keystore, hardware-backed where available, and cannot be exported by the app or by a backup) and use it with an authenticated block-cipher mode such as AES-GCM to encrypt the secret before writing the ciphertext to Preferences. This protects the data at rest and in backups; it does not stop an attacker with root or a debuggable build from driving the app's own process to decrypt it.
