
🐛 [firebase_messaging] Pentest finding - Push notifications persisted in plain text on Android #7512


Open
wederchr opened this issue Dec 8, 2021 · 0 comments
Assignees
Labels
platform: android Issues / PRs which are specifically for Android. plugin: messaging type: bug Something isn't working

Comments


wederchr commented Dec 8, 2021

Bug report

When pentesting our Flutter app a finding was reported that the Android app stores all push notifications including the full payload in plain text on the file system at <appId>/shared_prefs/io.flutter.plugins.firebase.messaging.xml. Checking the plugin code I can see that all push notifications are passed through the FlutterFirebaseMessagingReceiver so that the FlutterFirebaseMessagingStore can store the 20 most recent using SharedPreferences. I can also see that they are only removed from storage when FlutterFirebaseMessagingPlugin::getInitialMessage is called, cannot find a message in memory and has to retrieve it from the persisted store (which seems to happen rarely).

Steps to reproduce

Steps to reproduce the behavior:

  1. Start the application in debug mode on an Android device/emulator.
  2. Send a push notification using the floating action button on the bottom right of the app.
  3. Execute adb shell run-as io.flutter.plugins.firebase.messaging.example cat shared_prefs/io.flutter.plugins.firebase.messaging.xml to see the contents of the persisted messaging store.

Expected behavior

I'm not sure about the best solution to remediate this issue but I see a couple of possibilities:

  • Clear the message store when the app terminates and/or pauses.
  • Provide an API to clear the persisted store.
  • Provide an API to disable the persisted store (not sure about the impact of this, though).

Sample project

See the example app of the firebase_messaging plugin.

Flutter doctor

Run flutter doctor and paste the output below:

Doctor summary (to see all details, run flutter doctor -v):
[✓] Flutter (Channel stable, 2.5.3, on macOS 11.6 20G165 darwin-x64, locale en-CH)
[✓] Android toolchain - develop for Android devices (Android SDK version 31.0.0-rc5)
[✓] Xcode - develop for iOS and macOS
[✓] Chrome - develop for the web
[✓] Android Studio (version 2020.3)
[✓] VS Code (version 1.62.3)
[✓] Connected device (2 available)

• No issues found!

Flutter dependencies

Run flutter pub deps -- --style=compact and paste the output below:

Dart SDK 2.14.4
Flutter SDK 2.5.3
firebase_messaging_example 0.0.0

dependencies:
- firebase_core 1.10.0 [firebase_core_platform_interface firebase_core_web flutter meta]
- firebase_messaging 11.1.0 [firebase_core firebase_core_platform_interface firebase_messaging_platform_interface firebase_messaging_web flutter meta]
- flutter 0.0.0 [characters collection meta typed_data vector_math sky_engine]
- flutter_local_notifications 8.2.0 [flutter flutter_local_notifications_platform_interface platform timezone]
- http 0.13.4 [async http_parser meta path]

dev dependencies:
- drive 1.0.0-1.0.nullsafety.1 [test_api flutter_test flutter_driver stack_trace flutter]
- flutter_driver 0.0.0 [file flutter flutter_test fuchsia_remote_debug_protocol path meta vm_service webdriver archive async boolean_selector characters charcode clock collection crypto matcher platform process source_span stack_trace stream_channel string_scanner sync_http term_glyph test_api typed_data vector_math]
- test 1.17.10 [analyzer async boolean_selector collection coverage http_multi_server io js node_preamble package_config path pedantic pool shelf shelf_packages_handler shelf_static shelf_web_socket source_span stack_trace stream_channel typed_data web_socket_channel webkit_inspection_protocol yaml test_api test_core]

dependency overrides:
- firebase_core 1.10.0 [firebase_core_platform_interface firebase_core_web flutter meta]
- firebase_core_platform_interface 4.1.0 [collection flutter meta plugin_platform_interface]
- firebase_core_web 1.2.0 [firebase_core_platform_interface flutter flutter_web_plugins js meta]
- firebase_messaging 11.1.0 [firebase_core firebase_core_platform_interface firebase_messaging_platform_interface firebase_messaging_web flutter meta]
- firebase_messaging_platform_interface 3.0.9 [firebase_core flutter meta plugin_platform_interface]
- firebase_messaging_web 2.1.0 [firebase_core firebase_core_web firebase_messaging_platform_interface flutter flutter_web_plugins js meta]
- plugin_platform_interface 2.0.2 [meta]

transitive dependencies:
- _fe_analyzer_shared 31.0.0 [meta]
- analyzer 2.8.0 [_fe_analyzer_shared cli_util collection convert crypto glob meta package_config path pub_semver source_span watcher yaml]
- archive 3.1.2 [crypto path]
- args 2.3.0
- async 2.8.1 [collection meta]
- boolean_selector 2.1.0 [source_span string_scanner]
- characters 1.1.0
- charcode 1.3.1
- cli_util 0.3.5 [meta path]
- clock 1.1.0
- collection 1.15.0
- convert 3.0.1 [typed_data]
- coverage 1.0.3 [args logging package_config path source_maps stack_trace vm_service]
- crypto 3.0.1 [collection typed_data]
- fake_async 1.2.0 [clock collection]
- file 6.1.2 [meta path]
- flutter_local_notifications_platform_interface 4.0.1 [flutter plugin_platform_interface]
- flutter_test 0.0.0 [flutter test_api path fake_async clock stack_trace vector_math async boolean_selector characters charcode collection matcher meta source_span stream_channel string_scanner term_glyph typed_data]
- flutter_web_plugins 0.0.0 [flutter js characters collection meta typed_data vector_math]
- frontend_server_client 2.1.2 [async path]
- fuchsia_remote_debug_protocol 0.0.0 [process vm_service file meta path platform]
- glob 2.0.2 [async collection file path string_scanner]
- http_multi_server 3.0.1 [async]
- http_parser 4.0.0 [charcode collection source_span string_scanner typed_data]
- io 1.0.3 [meta path string_scanner]
- js 0.6.3
- logging 1.0.2
- matcher 0.12.10 [stack_trace]
- meta 1.7.0
- mime 1.0.1
- node_preamble 2.0.1
- package_config 2.0.2 [path]
- path 1.8.0
- pedantic 1.11.1
- platform 3.0.0
- pool 1.5.0 [async stack_trace]
- process 4.2.3 [file path platform]
- pub_semver 2.1.0 [collection meta]
- shelf 1.2.0 [async collection http_parser path stack_trace stream_channel]
- shelf_packages_handler 3.0.0 [path shelf shelf_static]
- shelf_static 1.1.0 [convert http_parser mime path shelf]
- shelf_web_socket 1.0.1 [shelf stream_channel web_socket_channel]
- sky_engine 0.0.99
- source_map_stack_trace 2.1.0 [path stack_trace source_maps]
- source_maps 0.10.10 [source_span]
- source_span 1.8.1 [collection path term_glyph]
- stack_trace 1.10.0 [path]
- stream_channel 2.1.0 [async]
- string_scanner 1.1.0 [charcode source_span]
- sync_http 0.3.0
- term_glyph 1.2.0
- test_api 0.4.2 [async boolean_selector collection meta source_span stack_trace stream_channel string_scanner term_glyph matcher]
- test_core 0.4.0 [analyzer async args boolean_selector collection coverage frontend_server_client glob io meta package_config path pedantic pool source_map_stack_trace source_maps source_span stack_trace stream_channel vm_service yaml matcher test_api]
- timezone 0.8.0 [path]
- typed_data 1.3.0 [collection]
- vector_math 2.1.0
- vm_service 7.1.1
- watcher 1.0.1 [async path]
- web_socket_channel 2.1.0 [async crypto stream_channel]
- webdriver 3.0.0 [archive matcher path stack_trace sync_http]
- webkit_inspection_protocol 1.0.0 [logging]
- yaml 3.1.0 [collection source_span string_scanner]

@wederchr wederchr added Needs Attention This issue needs maintainer attention. type: bug Something isn't working labels Dec 8, 2021
@darshankawar darshankawar added triage Issue is currently being triaged. platform: android Issues / PRs which are specifically for Android. plugin: messaging and removed Needs Attention This issue needs maintainer attention. triage Issue is currently being triaged. labels Dec 9, 2021
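The following is an added example, not code from the firebase_messaging plugin or from the reporter. It is the kind of check a pentester or app owner can run on a dump of the shared_prefs file described above (obtained with the `adb shell run-as ... cat shared_prefs/io.flutter.plugins.firebase.messaging.xml` step from the report) to confirm whether notification payloads are sitting on disk in plain text, and how much. It parses the standard Android SharedPreferences XML layout, detects values that are JSON-encoded messages, and reports keys, sizes and field names without echoing the payload itself. The sample dump, its key names (`notification_ids`, `msg-1`, ...) and field names are constructed for illustration; the real store's key layout is not documented in the issue.

```python
"""Audit a dumped Android SharedPreferences XML file for persisted push payloads.

Added example (not from the firebase_messaging project). Given the text of a
shared_prefs XML file, it lists JSON-encoded messages stored as <string>
entries and summarises their footprint. Values are never printed, only
key names, byte sizes and top-level field names.
"""
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample dump (hypothetical key names; the real file may differ).
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="notification_ids">msg-1,msg-2</string>
    <string name="msg-1">{&quot;messageId&quot;:&quot;msg-1&quot;,&quot;data&quot;:{&quot;otp&quot;:&quot;123456&quot;},&quot;notification&quot;:{&quot;title&quot;:&quot;Login code&quot;,&quot;body&quot;:&quot;Your code is 123456&quot;}}</string>
    <string name="msg-2">{&quot;messageId&quot;:&quot;msg-2&quot;,&quot;data&quot;:{&quot;orderId&quot;:&quot;42&quot;}}</string>
    <boolean name="some_flag" value="true" />
</map>
"""


@dataclass
class StoredMessage:
    key: str                 # SharedPreferences key the payload is stored under
    size_bytes: int          # size of the plaintext payload on disk
    top_level_fields: list   # e.g. ["data", "messageId", "notification"]
    data_keys: list          # keys inside the custom "data" map; values withheld


def parse_shared_prefs(xml_text):
    """Return {name: value} for the entries of a SharedPreferences <map> file.

    <string> entries carry their value as element text; primitive entries
    (boolean, int, long, float) carry it in a 'value' attribute.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "map":
        raise ValueError("not a SharedPreferences map file")
    entries = {}
    for child in root:
        name = child.get("name")
        if child.tag == "string":
            entries[name] = child.text or ""
        else:
            entries[name] = child.get("value")
    return entries


def find_persisted_messages(xml_text):
    """Return a StoredMessage for every entry whose value is a JSON object."""
    found = []
    for name, value in parse_shared_prefs(xml_text).items():
        if not isinstance(value, str) or not value.lstrip().startswith("{"):
            continue
        try:
            obj = json.loads(value)
        except json.JSONDecodeError:
            continue  # not a serialised message, e.g. an id list or a flag
        if not isinstance(obj, dict):
            continue
        data = obj.get("data")
        found.append(StoredMessage(
            key=name,
            size_bytes=len(value.encode("utf-8")),
            top_level_fields=sorted(obj),
            data_keys=sorted(data) if isinstance(data, dict) else [],
        ))
    return found


def summarize(messages):
    """Aggregate figures suitable for a finding write-up."""
    return {
        "count": len(messages),
        "plaintext_bytes": sum(m.size_bytes for m in messages),
        "keys_with_custom_data": [m.key for m in messages if m.data_keys],
    }


if __name__ == "__main__":
    msgs = find_persisted_messages(SAMPLE_PREFS_XML)
    for m in msgs:
        print(f"{m.key}: {m.size_bytes} bytes, fields={m.top_level_fields}, "
              f"data keys={m.data_keys}")
    print(summarize(msgs))
```

Run it against a real dump with `find_persisted_messages(open(path).read())`; a non-empty result after the app has been backgrounded or killed is the evidence that the store is not being cleared, which is the behaviour the report describes.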