Dart Get Storage Insecure Data Storage

Description

Identifies unsafe storage of sensitive data using the get_storage package in Dart applications. When sensitive information is stored without encryption, it can be accessed by malicious applications or attackers with physical access to the device, potentially leading to data exposure.

Weakness:

275 - Non-encrypted confidential information - Local data

Category: Information Collection

Detection Strategy

• Check if the application imports the 'package:get_storage/get_storage.dart' library

• Look for write operations to GetStorage that store data without encryption

• Report vulnerability when unencrypted sensitive data is written to persistent storage using GetStorage.write() or similar methods

Vulnerable code example

import 'dart:io';
import 'package:get_storage/get_storage.dart';

void storeCredentials(Request request) {
  final storage = GetStorage();
  
  // Insecure: Stores sensitive auth token in plaintext, accessible to anyone with filesystem access
  storage.write('auth_token', request.headers['x-auth-token']);

✅ Secure code example

import 'dart:io';
import 'dart:convert';
import 'package:get_storage/get_storage.dart';
import 'package:encrypt/encrypt.dart' as encrypt;

void storeCredentials(Request request) {
  final storage = GetStorage();
  ...

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.