Dart File Storage Of Sensitive Data
Description
Detects when sensitive user data is written to local files or streams in Dart applications. This is a security risk because storing sensitive information in local files can expose user data to unauthorized access if the storage location is not properly secured or if the device is compromised.
Detection Strategy
• Checks if the Dart IO library (dart:io) is imported in the source code
• Identifies file writing operations through methods like writeAsString, writeAsBytes or stream write operations
• Verifies if the data being written contains sensitive user information
• Confirms the write operation is targeting a file or stream object opened in write mode
• Reports a vulnerability when sensitive data is being written to local storage
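As an added illustration of the five steps above (example code written for this page, not Fluid Attacks' own engine), the following Python sketch applies the strategy to Dart source with regex heuristics. The SENSITIVE and SANITIZER patterns and the SAMPLE snippet are constructed assumptions, and the sketch only follows straight-line `final name = ...;` declarations.

```python
import re
# Heuristics (constructed for this example): identifiers or initialisers that mark sensitive
# user data, and calls whose result is no longer plaintext, through which taint does not flow.
SENSITIVE = re.compile(r"password|passwd|secret|token|ssn|credit_?card|api_?key", re.I)
SANITIZER = re.compile(r"encrypt|hash|digest", re.I)
IMPORT_IO = re.compile(r"import\s+['\"]dart:io['\"]")
ASSIGN = re.compile(r"\b(?:final|var|const|late|String|List<int>|IOSink|File)\s+(\w+)\s*=\s*(.+);")
WRITE_CALL = re.compile(  # receiver.method(arg, ...) for the File and IOSink write methods
    r"\b(\w+)\.(writeAsStringSync|writeAsBytesSync|writeAsString|writeAsBytes|writeln|write|add)\(\s*(\w+)")
OPEN_WRITE = re.compile(r"\bFile\(|\.openWrite\(")

def find_sensitive_writes(source):
    """Return (line, receiver, method, argument) for each sensitive value written to a file or sink."""
    if not IMPORT_IO.search(source):
        return []  # step 1: without dart:io there is no File/IOSink write to report
    tainted, writers, findings = set(), set(), []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m:
            name, rhs = m.groups()
            if OPEN_WRITE.search(rhs):
                writers.add(name)  # step 4: a File object, or a sink opened for writing
            elif SANITIZER.search(rhs):
                pass  # encrypted or hashed value: not plaintext, taint stops here
            elif (SENSITIVE.search(name) or SENSITIVE.search(rhs)
                  or any(re.search(rf"\b{t}\b", rhs) for t in tainted)):
                tainted.add(name)  # step 3: value holds or derives from sensitive data
        for w in WRITE_CALL.finditer(line):  # step 2: a file or stream write call
            recv, method, arg = w.groups()
            if recv in writers and (arg in tainted or SENSITIVE.search(arg)):
                findings.append((lineno, recv, method, arg))  # step 5: report it
    return findings

# Constructed Dart snippet: plaintext writes on lines 6 and 8, an encrypted write on line 10.
SAMPLE = """\
import 'dart:io';

Future<void> persist(Map<String, String> form) async {
  final password = form['password'];
  final file = File('/storage/password.txt');
  await file.writeAsString(password);
  final sink = File('/storage/audit.log').openWrite();
  sink.write(password);
  final ciphertext = await box.encrypt(utf8.encode(password));
  await file.writeAsBytes(ciphertext);
}
"""

if __name__ == "__main__":
    print(find_sensitive_writes(SAMPLE))  # [(6, 'file', 'writeAsString', 'password'), (8, 'sink', 'write', 'password')]
```

The encrypted write on line 10 of the sample is deliberately not reported, which is the distinction the secure example below relies on.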
Vulnerable code example
import 'dart:convert';
import 'dart:io';
import 'package:shelf/shelf.dart';
Future<void> storePassword(Request req) async {
  // shelf's Request exposes the body as a stream: read it, then decode the JSON
  final body = jsonDecode(await req.readAsString()) as Map<String, dynamic>;
  final password = body['password'] as String;
  final file = File('/storage/password.txt');
  await file.writeAsString(password); // Vulnerable: Storing password in plaintext file
}
✅ Secure code example
import 'dart:io';
import 'dart:convert';
import 'package:shelf/shelf.dart';
import 'package:cryptography/cryptography.dart';
Future<void> storePassword(Request req) async {
  final body = jsonDecode(await req.readAsString()) as Map<String, dynamic>;
  final password = body['password'] as String?;
  if (password == null) return;
  ...