
[Feature Request] Android shared_prefs should not be used with plain text.

Open awasilik opened this issue 6 years ago • 5 comments

Is your feature request related to a problem? Please describe.
Android app security is compromised by storing the access and refresh tokens in SharedPreferences as plain-text documents.

Describe the solution you'd like
Tokens should be encrypted, as in the Secure Preferences example on GitHub.

Describe alternatives you've considered
Tokens should not be stored in SharedPreferences; instead a more secure place such as AccountManager could be used.

Additional context
Tokens are now stored in /data/data/<package_name>/shared_prefs as:

com.microsoft.identity.client.accessToken.xml
com.microsoft.identity.client.refreshToken.xml

awasilik, Aug 28 '19 06:08
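As an added illustration of the encrypted-storage option proposed in the issue (this is not MSAL code and not code posted by anyone in the thread), the class below keeps the same two values in a SharedPreferences file under shared_prefs/, but the file contents are ciphertext under a key held in the Android Keystore. It assumes the Jetpack `androidx.security:security-crypto` dependency (the `MasterKey` builder API, 1.1.0-alpha or later); the class name, file name and key names are hypothetical.

```java
// Added example, not part of the MSAL project or this issue thread.
// Assumes androidx.security:security-crypto (MasterKey builder API).
import android.content.Context;
import android.content.SharedPreferences;

import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;

import java.io.IOException;
import java.security.GeneralSecurityException;

public final class TokenStore {
    // Hypothetical file and key names; the real MSAL file names are listed in the issue.
    private static final String PREFS_FILE = "com.example.tokens.encrypted";
    private static final String KEY_ACCESS = "accessToken";
    private static final String KEY_REFRESH = "refreshToken";

    private final SharedPreferences prefs;

    public TokenStore(Context context) throws GeneralSecurityException, IOException {
        // Plain storage, for contrast, would be:
        //   context.getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE)
        // which writes the token strings into the XML file in the clear.

        // The master key is generated in and never leaves the Android Keystore,
        // so a copy of /data/data/<package>/shared_prefs/ alone is not enough
        // to recover the tokens.
        MasterKey masterKey = new MasterKey.Builder(context)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();

        // Both preference keys (AES-SIV, deterministic so lookups still work)
        // and values (AES-GCM) are encrypted before they reach the XML file.
        prefs = EncryptedSharedPreferences.create(
                context,
                PREFS_FILE,
                masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    // Persist both tokens; the encrypted file is still private to the app (MODE_PRIVATE).
    public void save(String accessToken, String refreshToken) {
        prefs.edit()
                .putString(KEY_ACCESS, accessToken)
                .putString(KEY_REFRESH, refreshToken)
                .apply();
    }

    public String accessToken() {
        return prefs.getString(KEY_ACCESS, null);
    }

    public String refreshToken() {
        return prefs.getString(KEY_REFRESH, null);
    }

    // Wipe tokens on sign-out; the ciphertext entries are removed from the file.
    public void clear() {
        prefs.edit().clear().apply();
    }
}
```

Two caveats worth keeping in mind when weighing this against the later replies in the thread. First, this raises the bar for anyone who obtains the files without the app's process (device backups, a copied data partition, a file-read bug in the app), because the key material is in the Keystore rather than next to the data; it does not stop code that already runs as the app's UID on a rooted device, since that code can simply ask the Keystore to decrypt. Second, Google has since marked the security-crypto library deprecated, so check its current status before adopting it; the pattern itself (a Keystore-backed key wrapping the on-disk values) is what matters, not this particular wrapper.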

  • @shoatman FYI

jmprieur, Aug 28 '19 06:08

This should really be opened on the MSAL Android GitHub page to get traction - the decisions around token caching are taken by the Android team.

The current thinking is that SharedPreferences files are only available to the app and to any admin (sudo) user.

Is there an attack pattern that was identified?

bgavrilMS, Aug 28 '19 09:08

Our pen-testing team identified this issue as a vulnerability which could potentially expose sensitive user data. We do not need admin access to retrieve those tokens.

awasilik, Aug 28 '19 12:08

@shoatman : do you plan to do something on MSAL.Android? (@awasilik : we need to have SSO between the MSAL libraries)

jmprieur, Sep 23 '19 07:09

Note that the phone needs to be jailbroken to access those files.

bgavrilMS, May 23 '24 10:05

No plan to enhance our security posture on jailbroken phones.

iulico-1, Jul 02 '24 16:07