react-native-firebase icon indicating copy to clipboard operation
react-native-firebase copied to clipboard

Published 20 hours ago verified publisher icon invertase

[🐛] [Security Vulnerability] User Access Token Stored In Plain Text in Device Memory

Open MateuszMatyska opened this issue 5 months ago • 0 comments
trafficstars

Issue

I have identified a critical security issue in the library: user access tokens are stored in plain text on the device’s file system, posing a significant risk if the device is compromised or accessed by unauthorized apps.

Details:

  • Android: The library stores access tokens in:
/data/data/<application_name>/shared_prefs/com.google.firebase.auth.api.Store.[...].xml

These files contain sensitive tokens in clear text.

  • iOS: The library stores access tokens in:
Library/Caches/<app_name>/Cache.db

Tokens are saved without encryption or obfuscation.

Security Impact: Storing tokens in plain text allows any process or attacker with access to the device’s file system (rooted/jailbroken devices, backups, or certain debugging tools) to retrieve valid user tokens, potentially compromising user accounts and exposing sensitive data.

Suggested Solution:

  • Store tokens securely using platform-provided secure storage mechanisms:

    • On Android: Use EncryptedSharedPreferences or the Android Keystore.

    • On iOS: Use the Keychain API.

  • Ensure that sensitive data is never stored in plain text, even in caches or temporary files.

Project Files

Javascript

Click To Expand

package.json:

# N/A

firebase.json for react-native-firebase v6:

# N/A

iOS

Click To Expand

ios/Podfile:

  • [ ] I'm not using Pods
  • [x] I'm using Pods and my Podfile looks like:
# N/A

AppDelegate.m:

// N/A

Android

Click To Expand

Have you converted to AndroidX?

  • [ ] my application is an AndroidX application?
  • [ ] I am using android/gradle.settings jetifier=true for Android compatibility?
  • [ ] I am using the NPM package jetifier for react-native compatibility?

android/build.gradle:

// N/A

android/app/build.gradle:

// N/A

android/settings.gradle:

// N/A

MainApplication.java:

// N/A

AndroidManifest.xml:

<!-- N/A -->

Environment

Click To Expand

react-native info output:

 OUTPUT GOES HERE
  • Platform that you're experiencing the issue on:
    • [ x] iOS
    • [ x] Android
    • [ ] iOS but have not tested behavior on Android
    • [ ] Android but have not tested behavior on iOS
    • [ ] Both
  • react-native-firebase version you're using that has this issue:
    • e.g. 5.4.3
  • Firebase module(s) you're using that has the issue:
    • e.g. Instance ID
  • Are you using TypeScript?
    • Y/N & VERSION

MateuszMatyska avatar May 25 '25 00:05 MateuszMatyska