Describe your issue
The application stores sensitive credentials such as clientId and encryptionSecret in plain text files inside the local file system (profiles/{profile}/). These files are not encrypted, making the data vulnerable if the device is compromised (e.g., rooted Android or jailbroken iOS).
Although SharedPreferences is used, it only stores the base directory path. The actual issue lies in insecure file storage of sensitive data.
This can lead to unauthorized access, credential leakage, and potential misuse of backend APIs.
Steps to reproduce
Install and run the application
Login or initialize credentials storage
Navigate to the app’s local storage directory
Open the path:
/profiles/{profile}/taskc_client_id
/profiles/{profile}/taskc_client_secret
Observe that credentials are stored in plain text
What was the expected result?
Sensitive credentials should be stored securely using encrypted storage mechanisms such as:
Secure Keychain (iOS)
Android Keystore
Or encrypted storage solutions
Credentials should not be directly readable from the file system.
Put here any screenshots or videos (optional)
No response
How can we contact you (optional)
No response
Would you like to work on this issue?
Yes
By submitting this issue, I have confirmed that:
Describe your issue
The application stores sensitive credentials such as clientId and encryptionSecret in plain text files inside the local file system (profiles/{profile}/). These files are not encrypted, making the data vulnerable if the device is compromised (e.g., rooted Android or jailbroken iOS).
Although SharedPreferences is used, it only stores the base directory path. The actual issue lies in insecure file storage of sensitive data.
This can lead to unauthorized access, credential leakage, and potential misuse of backend APIs.
Steps to reproduce
Install and run the application
Login or initialize credentials storage
Navigate to the app’s local storage directory
Open the path:
/profiles/{profile}/taskc_client_id
/profiles/{profile}/taskc_client_secret
Observe that credentials are stored in plain text
What was the expected result?
Sensitive credentials should be stored securely using encrypted storage mechanisms such as:
Secure Keychain (iOS)
Android Keystore
Or encrypted storage solutions
Credentials should not be directly readable from the file system.
Put here any screenshots or videos (optional)
No response
How can we contact you (optional)
No response
Would you like to work on this issue?
Yes
By submitting this issue, I have confirmed that: