
Database

Dart Insecure Storage Of Sensitive Data

Description

Detects when sensitive data such as passwords, tokens, or personal information is stored insecurely in SQLite databases within Dart applications. Sensitive data stored without encryption or other protection can be exposed if the device is compromised.

Weakness:

246 - Non-encrypted confidential information - DB

Category: Information Collection

Detection Strategy

    Check if the Dart application imports the 'sqflite' package for SQLite database operations

    Look for database write operations that store data (like insert or update calls)

    Analyze if the stored data contains sensitive information like passwords, tokens, or personal data

    Flag cases where sensitive data is stored without proper encryption or protection mechanisms
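
The four checks above can be approximated over Dart source text with a few regular expressions. The following Python heuristic is an added example, not the scanner's own implementation; the key-name list, the protection markers (`encrypt`, `hash`, `hmac`) and the Dart samples are assumptions constructed for illustration.

```python
import re

SQFLITE_IMPORT = re.compile(r"""import\s+['"]package:sqflite/sqflite\.dart['"]""")
WRITE_CALL = re.compile(r"\.(insert|update|rawInsert|rawUpdate)\s*\(")
# Map entries such as 'password': value (key-name list is an assumption).
SENSITIVE_ENTRY = re.compile(
    r"""['"](\w*(?:password|passwd|token|secret)\w*)['"]\s*:\s*([^,}]+)""", re.I)
# Assumed markers that the value was protected before being written.
PROTECTION_HINT = re.compile(r"encrypt|hash|hmac", re.I)

# Constructed Dart samples (not taken from the page).
VULNERABLE = """import 'package:sqflite/sqflite.dart';

Future<void> save(Database db, String user, String password) async {
  await db.insert('users', {'name': user, 'password': password});
}
"""
ENCRYPTED = VULNERABLE.replace(
    "'password': password",
    "'password': encrypter.encrypt(password, iv: iv).base64")


def call_args(src, start):
    """Return the argument text of a call whose '(' ends at index start."""
    depth, i = 1, start
    while i < len(src) and depth:
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1]


def scan(src):
    """Return (line, method, key) for each sensitive value written unprotected."""
    if not SQFLITE_IMPORT.search(src):                  # step 1: sqflite in use
        return []
    findings = []
    for call in WRITE_CALL.finditer(src):               # step 2: write operations
        args = call_args(src, call.end())
        for entry in SENSITIVE_ENTRY.finditer(args):    # step 3: sensitive keys
            key, value = entry.group(1), entry.group(2)
            if not PROTECTION_HINT.search(value):       # step 4: no protection
                line = src.count("\n", 0, call.start()) + 1
                findings.append((line, call.group(1), key))
    return findings


if __name__ == "__main__":
    print(scan(VULNERABLE))   # the plaintext write is reported
    print(scan(ENCRYPTED))    # the encrypted write is not
```

A text-level heuristic like this misses values that reach the write call through intermediate variables, which is why a production rule tracks data flow rather than matching names.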

Vulnerable code example

import 'package:sqflite/sqflite.dart';
import 'package:shelf/shelf.dart';

class DatabaseService {
  late Database db;

  Future<void> storeCredentials(Request req) async {
    String? password = req.url.queryParameters['password'];...

✅ Secure code example

import 'package:sqflite/sqflite.dart';
import 'package:shelf/shelf.dart';
import 'package:crypto/crypto.dart';
import 'package:encrypt/encrypt.dart';

class DatabaseService {
  late Database db;
  final encrypter = Encrypter(AES(Key.fromSecureRandom(32))); // Secure encryption key...