Dart Insecure Data Storage
Description
Detects when sensitive data (like credentials, tokens, or keys) is stored insecurely using Flutter's SharedPreferences.setString() method. This is risky because SharedPreferences stores data in plaintext on the device, making sensitive information accessible to attackers who gain access to the device storage.
Detection Strategy
• Identifies calls to SharedPreferences.setString() method in Flutter/Dart code
• Examines the arguments passed to setString() to check if they contain hardcoded sensitive data like passwords, API keys, or tokens
• Reports a vulnerability when sensitive information is being stored directly in SharedPreferences without encryption or secure storage methods
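The detection strategy above, implemented as a small heuristic scanner over Dart source. This is an added example, not Fluid Attacks' rule engine: the sample Dart file, the key-name patterns and the secret-shape patterns are all constructed here, and it also resolves a variable argument back to its string literal when the assignment is in the same file.

```python
import re
from dataclasses import dataclass

# Key names that suggest the stored value is a credential (constructed heuristic).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|credential|private[_-]?key", re.I)
# Literal values shaped like live secrets: the page's 'sk_live_' prefix plus a JWT-like header.
SENSITIVE_VALUE = re.compile(r"^(sk|pk)_(live|test)_|^eyJ[A-Za-z0-9_-]+\.")
# prefs.setString('<key>', <expr>)  -- single-quoted key, any expression as value
SET_STRING = re.compile(r"\.setString\(\s*'([^']*)'\s*,\s*([^)]+?)\s*\)")
# Simple local string assignments used to resolve variable arguments to literals.
STRING_ASSIGN = re.compile(r"\b(?:String|final|var|const)\s+(\w+)\s*=\s*'([^']*)'")

@dataclass
class Finding:
    line: int
    key: str
    reason: str

def resolve_literal(expr, literals):
    """Return the string literal behind expr, or None if it is not statically known."""
    expr = expr.strip()
    if expr.startswith("'") and expr.endswith("'"):
        return expr[1:-1]
    return literals.get(expr)

def scan_dart(source):
    literals = dict(STRING_ASSIGN.findall(source))  # variable name -> literal value
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SET_STRING.search(line)
        if not m:
            continue
        key, value = m.group(1), resolve_literal(m.group(2), literals)
        if SENSITIVE_KEY.search(key):
            findings.append(Finding(lineno, key, "key name suggests a credential"))
        elif value is not None and SENSITIVE_VALUE.search(value):
            findings.append(Finding(lineno, key, "hardcoded value looks like a secret"))
    return findings

# Constructed Dart sample: two benign-looking lines and three that should be reported.
SAMPLE_DART = """\
import 'package:shared_preferences/shared_preferences.dart';

Future<void> storeCredentials() async {
  final prefs = await SharedPreferences.getInstance();
  String apiKey = 'sk_live_123456789abcdef';
  await prefs.setString('api_key', apiKey);              // key name + hardcoded secret
  await prefs.setString('theme', 'dark');                // plain preference, no finding
  String jwt = 'eyJhbGciOiJIUzI1NiJ9.payload.signature';
  await prefs.setString('cached_header', jwt);           // flagged by value shape only
  await prefs.setString('user_password', controller.text); // flagged by key name only
}
"""
```

Run `scan_dart(SAMPLE_DART)` to get one finding per reported line; the `theme` preference is not flagged.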
Vulnerable code example
import 'package:shared_preferences/shared_preferences.dart';

Future<void> storeCredentials() async {
  final prefs = await SharedPreferences.getInstance();
  String apiKey = 'sk_live_123456789abcdef'; // Sensitive data should not be stored in SharedPreferences
  await prefs.setString('api_key', apiKey); // Vulnerable: stores secret in plaintext
}
✅ Secure code example
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

Future<void> storeCredentials() async {
  final secureStorage = FlutterSecureStorage(); // Use secure storage for sensitive data
  String apiKey = 'sk_live_123456789abcdef';
  await secureStorage.write(key: 'api_key', value: apiKey); // Safely encrypts data before storage
}
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.