
FlutterSecureKeyStorage.xml is visible on rooted Android devices even when using encryptedSharedPreferences: true

Open affan3699 opened this issue 10 months ago • 3 comments

📝 Description:

While conducting a VAPT (Vulnerability Assessment & Penetration Testing) on our Flutter app, the security team discovered that a file named FlutterSecureKeyStorage.xml is being created and is visible on rooted Android devices. This potentially exposes app metadata and storage structure, even when using:

AndroidOptions(
  encryptedSharedPreferences: true,
)

📍 File Location:

/data/data/<package-name>/shared_prefs/FlutterSecureKeyStorage.xml

Even though contents are encrypted, the file name and keys can still be accessed on rooted devices, as shown in the attached screenshot.

📷 Screenshot: [attachment not reproduced here]

✅ Expected Behavior:

No such file should be visible, or it should be protected through native Keystore encryption without leaving traces in the shared_prefs directory, especially in high-security environments like banking or finance.

📱 Environment:

Plugin: flutter_secure_storage

Flutter version: 3.29.1

Plugin version: 9.2.4

Device: Android (rooted)

Platform: Android 10

🙏 Request:

Please confirm:

  • Is this expected behavior?
  • Is there any official workaround or best practice to hide/remove this file?

affan3699 avatar Jun 16 '25 12:06 affan3699

Same here! We've just had a VAPT and found information we thought was securely stored is just plaintext viewable on a rooted device.

kpatel-ss avatar Jun 30 '25 13:06 kpatel-ss

Does it basically mean that flutter_secure_storage is not secure?? ^^

jaybe78 avatar Jul 03 '25 11:07 jaybe78

⚠️ This issue has been marked as stale because it has been open for 60 days with no activity.

If this issue is still relevant, please comment to keep it active. Otherwise, it will be closed in 60 days.

github-actions[bot] avatar Nov 26 '25 03:11 github-actions[bot]

This is intended behaviour and it is secure. As said, the contents are encrypted. This is actually how Android shared preferences work: they store key-value pairs in an XML file. This package encrypts those values. The key to decrypt this data is stored in the Keystore, which cannot be accessed.

juliansteenbakker avatar Dec 11 '25 19:12 juliansteenbakker
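One way to check the maintainer's claim against an exported FlutterSecureKeyStorage.xml during a VAPT, as an added example that is not part of this issue or of the plugin's code: parse the shared_prefs XML and flag any <string> value that does not look like base64-encoded ciphertext. The sample XML, the key names and the entropy threshold are constructed assumptions, and the heuristic can only tell readable plaintext from opaque blobs, not prove encryption.

```python
"""Audit an Android shared_prefs XML file for values stored as readable plaintext."""
import base64
import binascii
import hashlib
import math
import xml.etree.ElementTree as ET

# Constructed stand-in for a ciphertext value (NOT captured from a device):
# 64 pseudo-random bytes, base64-encoded the way a blob would appear in the XML.
_CIPHERTEXT_B64 = base64.b64encode(
    hashlib.sha256(b"constructed-1").digest() + hashlib.sha256(b"constructed-2").digest()
).decode()

# Constructed sample in the shared_prefs layout: a <map> of typed entries.
SAMPLE_XML = f"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="session_token">{_CIPHERTEXT_B64}</string>
    <string name="user_email">alice@example.com</string>
    <boolean name="onboarded" value="true" />
</map>
"""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random ciphertext sits near 8, text well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(value: str, min_entropy: float = 4.0) -> bool:
    """Heuristic: strict base64 that decodes to >= 16 high-entropy bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False  # not valid base64, so certainly not an encrypted blob
    return len(raw) >= 16 and shannon_entropy(raw) >= min_entropy


def audit_shared_prefs(xml_text: str) -> dict:
    """Map each entry name to 'ciphertext' or 'PLAINTEXT'; names are always readable."""
    findings = {}
    for entry in ET.fromstring(xml_text.encode("utf-8")):
        # Only <string> entries can hold ciphertext; typed entries are stored in the clear.
        value = entry.text or "" if entry.tag == "string" else ""
        findings[entry.get("name")] = "ciphertext" if looks_encrypted(value) else "PLAINTEXT"
    return findings


if __name__ == "__main__":
    for name, verdict in audit_shared_prefs(SAMPLE_XML).items():
        print(f"{verdict:10} {name}")
```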