FastHub Version: v5 Debug
Android Version: API 29
Device Information:
MANUFACTURER: Motorola
BRAND: Moto G
MODEL: Moto G6 Play
Once users log in to the app, their GitHub credentials are stored in the local SQLite database for later use in the queries to GitHub's API. This token is always appended to the intercepted API calls. One might assume that this sensitive user information is deleted when the user decides to log out, but it isn't.
The following code shows that when the user logs out, the only change made to the database is that the "isLoggedIn" attribute is updated to 0.
This is a major privacy issue because the database keeps the tokens of all the users who have logged in on the device, meaning that someone who later gains access to the phone can still steal the tokens by copying the database to a computer and reading it with the SQLite CLI as follows:
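The following is an added example, not code from the issue or from FastHub, that reproduces the behaviour described above on a constructed database and contrasts it with a logout that actually removes the credential. Only the "isLoggedIn" column name comes from the report; the table name `Login`, the `login` and `token` columns, the sample rows and the placeholder tokens are assumptions made for this example. `attacker_dump` plays the role of the copied-database-plus-SQLite-CLI step: it opens the file read-only and lists every stored token regardless of the flag.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed schema approximating the report. Only "isLoggedIn" is taken from
# the report; table name, other columns and sample rows are assumptions for this
# example, not FastHub's real schema or data.
SCHEMA = """
CREATE TABLE IF NOT EXISTS Login (
    login      TEXT PRIMARY KEY,
    token      TEXT NOT NULL,
    isLoggedIn INTEGER NOT NULL DEFAULT 0
);
"""

# Constructed sample rows; the tokens are placeholders, not real credentials.
SAMPLE_USERS = [
    ("alice", "ghp_CONSTRUCTED_TOKEN_ALICE", 1),
    ("bob", "ghp_CONSTRUCTED_TOKEN_BOB", 0),
]


def create_app_db(path):
    """Create the app's database file with two accounts; alice is logged in, bob is not."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO Login VALUES (?, ?, ?)", SAMPLE_USERS)
    con.commit()
    con.close()


def logout_as_reported(path, login):
    """Logout as the report describes it: only the flag changes, the token row stays."""
    con = sqlite3.connect(path)
    con.execute("UPDATE Login SET isLoggedIn = 0 WHERE login = ?", (login,))
    con.commit()
    con.close()


def logout_hardened(path, login):
    """A logout that removes the credential (proposed fix, an assumption of this
    example): delete the row so no token remains on disk once the user leaves."""
    con = sqlite3.connect(path)
    con.execute("DELETE FROM Login WHERE login = ?", (login,))
    con.commit()
    con.close()


def attacker_dump(path):
    """What someone who copies the database file off the phone can read.
    Equivalent to: sqlite3 copy.db 'SELECT login, token, isLoggedIn FROM Login;'
    The isLoggedIn flag does not matter to the attacker; any row with a token is usable."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    rows = con.execute(
        "SELECT login, token, isLoggedIn FROM Login ORDER BY login"
    ).fetchall()
    con.close()
    return {login: (token, flag) for login, token, flag in rows}


def run_scenario(logout_fn):
    """Build the database, log alice out with the given routine, then dump it as an
    attacker would after copying the file. Returns {login: (token, isLoggedIn)}."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "fasthub_copy.db")
    try:
        create_app_db(path)
        logout_fn(path, "alice")
        return attacker_dump(path)
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    # With the reported logout alice's token is still recoverable (flag merely 0);
    # with the hardened logout her row is gone and only bob's stale token remains.
    print("reported logout:", run_scenario(logout_as_reported))
    print("hardened logout:", run_scenario(logout_hardened))
```

Note that bob's token survives both variants because he was never logged out, which is the second half of the report's point: the database accumulates a token for every account that ever signed in on the device, so the fix has to cover every account, not just the one currently active.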