PTKD Mobile App Security knowledge base: PTKD-DYN-STORAGE-SECRET
Severity: high | M9 | MASVS-STORAGE-1 | dynamic analysis

Secret written to device storage

A credential was found in a file the app wrote (shared preferences, a database, or the cache) that is readable on a rooted or backed-up device.

How it's exploited

A secret (token, key, password) was written to app storage in plaintext during the dynamic-analysis run. Device backups, `run-as` on debuggable builds, and any local file-read bug turn that file into a credential dump.

Why it matters

Persisted credentials outlive the session and leak through every local-storage channel.

How to fix it

  1. Store secrets in Keystore-backed EncryptedSharedPreferences (Android) or the Keychain (iOS).
  2. Delete the plaintext copies on upgrade and shorten token lifetimes so leaked ones age out.

Android: EncryptedSharedPreferences (androidx.security:security-crypto)

  import androidx.security.crypto.EncryptedSharedPreferences
  import androidx.security.crypto.MasterKey

  // The master key lives in the Android Keystore; only ciphertext reaches the prefs file on disk
  val prefs = EncryptedSharedPreferences.create(context, "secure",
      MasterKey.Builder(context).setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build(),
      EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
      EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM)
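The two fix steps together, as an added Kotlin example that is not PTKD's or the page's own code: a helper that creates the encrypted store, moves a token out of a legacy plaintext preferences file and wipes that file, and stores every token with an expiry so a leaked copy ages out. The file names `session` and `secure`, the key names and the `SecretStore` object are assumptions made for the example; only the `androidx.security.crypto` and `android.content` calls are real APIs.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Assumed names: LEGACY_PREFS is the plaintext file an earlier app version wrote,
// SECURE_PREFS is the encrypted replacement. Key names are likewise illustrative.
private const val LEGACY_PREFS = "session"
private const val SECURE_PREFS = "secure"
private const val KEY_TOKEN = "access_token"
private const val KEY_TOKEN_EXPIRY = "access_token_expires_at"

object SecretStore {

    // Keystore-backed master key; keys and values in the prefs file are ciphertext.
    fun securePrefs(context: Context): SharedPreferences {
        val masterKey = MasterKey.Builder(context)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build()
        return EncryptedSharedPreferences.create(
            context,
            SECURE_PREFS,
            masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM,
        )
    }

    // Step 2, first half: run once at startup after upgrading. Copies a plaintext token into
    // the encrypted store, then clears and deletes the whole legacy file, not just one key.
    fun migrateLegacyToken(context: Context) {
        val legacy = context.getSharedPreferences(LEGACY_PREFS, Context.MODE_PRIVATE)
        val token = legacy.getString(KEY_TOKEN, null)
        if (token != null) {
            securePrefs(context).edit().putString(KEY_TOKEN, token).apply()
        }
        legacy.edit().clear().commit()              // synchronous so the file is empty before deletion
        context.deleteSharedPreferences(LEGACY_PREFS) // removes shared_prefs/session.xml (API 24+)
    }

    // Step 2, second half: every token is stored with an absolute expiry derived from a short TTL.
    fun saveToken(context: Context, token: String, ttlSeconds: Long) {
        val expiresAt = System.currentTimeMillis() + ttlSeconds * 1000
        securePrefs(context).edit()
            .putString(KEY_TOKEN, token)
            .putLong(KEY_TOKEN_EXPIRY, expiresAt)
            .apply()
    }

    // Returns the token only while it is within its lifetime; an expired token is removed
    // from storage so it never lingers in the file after it stops being useful.
    fun currentToken(context: Context): String? {
        val prefs = securePrefs(context)
        val token = prefs.getString(KEY_TOKEN, null) ?: return null
        if (System.currentTimeMillis() >= prefs.getLong(KEY_TOKEN_EXPIRY, 0L)) {
            prefs.edit().remove(KEY_TOKEN).remove(KEY_TOKEN_EXPIRY).apply()
            return null
        }
        return token
    }
}
```

Call `SecretStore.migrateLegacyToken(context)` once from application startup, then use `saveToken` and `currentToken` everywhere else. Two caveats: building the master key and opening the encrypted file is not free, so a real app should create the `SharedPreferences` instance once and cache it; and deleting the legacy file does not scrub its blocks from flash, so exclude the old file from backups (via the app's backup rules) for at least one release and rotate any token that was ever written in plaintext rather than relying on the migration alone.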
