Open
Description
Describe the bug
The Branch SDK is storing the Branch key in plaintext within SharedPreferences, which poses a security risk. This allows potential attackers to easily access the key by examining the app’s data files.
Affected File Path:
com.bundleid.club/shared_prefs/branch_referral_shared_pref.xml
Issue:
• The key is stored without encryption, making it accessible on rooted devices or through reverse engineering.
• Exposure of this key allows unauthorized use of Branch APIs, potentially leading to data leaks or API abuse.
Steps to reproduce
1. Install the app using Branch SDK.
2. Inspect the app’s SharedPreferences directory.
3. Open branch_referral_shared_pref.xml and observe the live key in plaintext.
• SDK Version: 5.12.+
• Platform: Android
Expected behavior
The Branch SDK should store sensitive information using EncryptedSharedPreferences or an equivalent secure storage method.
SDK Version
5.12.+
Make and Model
Android
OS
Android
Additional Information/Context
No response
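One way to automate the check from the reproduction steps against a copy of your own app's `shared_prefs` file, as an added example that is not part of the original report or of the Branch SDK. It assumes Branch keys carry a `key_live_` or `key_test_` prefix; the sample XML, its entry names and the key value are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: Branch keys look like key_live_... / key_test_... (format not stated on the page).
BRANCH_KEY_RE = re.compile(r"\bkey_(live|test)_[A-Za-z0-9]{8,}")

# Constructed sample in the Android SharedPreferences XML layout; entry names
# and values are made up for this example.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="bnc_branch_key">key_live_abcdEFGH1234ijklMNOP5678qrstUVWX</string>
    <string name="bnc_session_id">1234567890</string>
    <int name="bnc_retry_count" value="3" />
    <string name="bnc_link_click_id">bnc_no_value</string>
</map>
"""


def redact(value, keep=4):
    """Keep only the prefix and the last few characters so reports do not leak the key."""
    head = value[: value.index("_", 4) + 1]  # "key_live_" or "key_test_"
    return f"{head}{'*' * 8}{value[-keep:]}"


def find_plaintext_branch_keys(xml_text):
    """Return (entry_name, environment, redacted_value) for each plaintext key found."""
    findings = []
    root = ET.fromstring(xml_text)
    # <string> elements hold string preferences; other types (<int>, <boolean>) are skipped.
    for node in root.iter("string"):
        match = BRANCH_KEY_RE.search(node.text or "")
        if match:
            findings.append((node.get("name"), match.group(1), redact(match.group(0))))
    return findings


if __name__ == "__main__":
    for name, env, shown in find_plaintext_branch_keys(SAMPLE_PREFS):
        print(f"plaintext {env} key in entry {name!r}: {shown}")
```

A file written through EncryptedSharedPreferences holds encrypted entry names and values, so the same scan returns no findings for it.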