[🐛] [Security Vulnerability] User Access Token Stored In Plain Text in Device Memory #8544

Open
@MateuszMatyska


Issue

I have identified a critical security issue in the library: user access tokens are stored in plain text on the device’s file system, posing a significant risk if the device is compromised or accessed by unauthorized apps.

Details:

  • Android: The library stores access tokens in:
    /data/data/<application_name>/shared_prefs/com.google.firebase.auth.api.Store.[...].xml
    These files contain sensitive tokens in clear text.

  • iOS: The library stores access tokens in:
    Library/Caches/<app_name>/Cache.db
    Tokens are saved without encryption or obfuscation.

Security Impact:
Storing tokens in plain text allows any process or attacker with access to the device’s file system (rooted/jailbroken devices, backups, or certain debugging tools) to retrieve valid user tokens, potentially compromising user accounts and exposing sensitive data.

Suggested Solution:

  • Store tokens securely using platform-provided secure storage mechanisms:

    • On Android: Use EncryptedSharedPreferences or the Android Keystore.

    • On iOS: Use the Keychain API.

  • Ensure that sensitive data is never stored in plain text, even in caches or temporary files.


Project Files

Javascript

package.json:

# N/A

firebase.json for react-native-firebase v6:

# N/A

iOS

ios/Podfile:

  • I'm not using Pods
  • I'm using Pods and my Podfile looks like:
# N/A

AppDelegate.m:

// N/A


Android

Have you converted to AndroidX?

  • my application is an AndroidX application?
  • I am using android/gradle.settings jetifier=true for Android compatibility?
  • I am using the NPM package jetifier for react-native compatibility?

android/build.gradle:

// N/A

android/app/build.gradle:

// N/A

android/settings.gradle:

// N/A

MainApplication.java:

// N/A

AndroidManifest.xml:

<!-- N/A -->


Environment

react-native info output:

 OUTPUT GOES HERE
  • Platform that you're experiencing the issue on:
    • [x] iOS
    • [x] Android
    • iOS but have not tested behavior on Android
    • Android but have not tested behavior on iOS
    • Both
  • react-native-firebase version you're using that has this issue:
    • e.g. 5.4.3
  • Firebase module(s) you're using that has the issue:
    • e.g. Instance ID
  • Are you using TypeScript?
    • Y/N & VERSION
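
One way to check a build of your own app for the condition this issue describes, as an added example that is not part of the original report or the library's code: it scans the text of an Android SharedPreferences XML file for JWT-shaped values and reports only the key name and a redacted preview. The sample XML, its key names and the token are constructed, and the assumption is that the stored tokens are JWT-shaped.

```javascript
// Added example (not from the issue or the library): audit the text of an Android
// SharedPreferences XML file for JWT-shaped values. Token bodies are redacted.

// Three base64url segments separated by dots; "eyJ" is the base64 encoding of '{"'.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// SharedPreferences XML escapes quotes and ampersands inside <string> values.
function unescapeXml(s) {
  return s.replace(/&quot;/g, '"').replace(/&apos;/g, "'").replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>').replace(/&amp;/g, '&'); // &amp; last to avoid double decoding
}

// Returns the header's "alg" when the first segment decodes to a JSON header, else null.
function jwtAlg(token) {
  try {
    const header = JSON.parse(Buffer.from(token.split('.')[0], 'base64url').toString('utf8'));
    return typeof header.alg === 'string' ? header.alg : null;
  } catch {
    return null; // looked like a JWT but the header is not valid JSON
  }
}

// Returns one finding per JWT found in a <string name="..."> entry.
function findCleartextTokens(xmlText) {
  const findings = [];
  const entryRe = /<string\s+name="([^"]*)"\s*>([\s\S]*?)<\/string>/g;
  for (const [, name, raw] of xmlText.matchAll(entryRe)) {
    for (const [token] of unescapeXml(raw).matchAll(JWT_RE)) {
      const alg = jwtAlg(token);
      if (alg) findings.push({ key: name, alg, length: token.length, preview: token.slice(0, 8) + '...' });
    }
  }
  return findings;
}

// Constructed sample input: invented key names and a token built here, not real data.
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const sampleJwt = `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64({ sub: 'constructed-user' })}.c2lnbmF0dXJl`;
const sampleXml = `<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="example_user_record">{&quot;access_token&quot;:&quot;${sampleJwt}&quot;}</string>
    <string name="example_locale">en-US</string>
    <int name="example_launch_count" value="3" />
</map>`;

console.log(findCleartextTokens(sampleXml));
```

An empty result for a given file means no JWT-shaped string was found in it; it does not show that the file holds no other credential format.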

