AliasVault App Backup Vulnerability in Shared Preferences File

Vulnerability

A vulnerability exists in the AliasVault App for both Android and iOS, specifically in versions up to 0.25.3. The issue arises from the app's backup handler, which improperly includes sensitive data stored in plaintext within the shared_prefs/aliasvault.xml file. This file contains access tokens, refresh tokens, metadata, key derivation parameters, and authentication methods. While the app's zero-knowledge encryption design means these tokens cannot independently decrypt vault contents, their inclusion in backups poses a risk of credential compromise. The vulnerability requires local exploitation and has a high complexity level.

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive authentication and cryptographic data stored in plaintext within the aliasvault.xml file. Because this data is included in cloud backups and device transfers, it creates a risk of credential and session compromise.

Reproduction

To reproduce this vulnerability, install the AliasVault app and sign in to generate access and refresh tokens. Then, check the app's backup settings in the AndroidManifest.xml file, which will indicate that backups are enabled. After confirming that the backup rules exclude only the credential_identities.xml file, review the aliasvault.xml file in the shared_prefs directory. The unexcluded tokens and metadata can be observed, demonstrating the vulnerability.

Remediation

Users are advised to upgrade to AliasVault version 0.26.0, which disables backups for the app's data on both Android and iOS. Instructions for updating are available in the AliasVault update guides.
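A defender-side check for the configuration the reproduction and remediation sections describe, added here as an example rather than code from AliasVault or this advisory: it parses an AndroidManifest.xml and a backup rules file and lists the sensitive shared_prefs files that would still be copied into a backup. The manifest and rules XML below are constructed to match the state described above (backups enabled, only credential_identities.xml excluded); only the two file names come from the advisory.

```python
"""Audit Android backup config for shared-preferences files that would be backed up."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest modelled on the advisory: backups enabled, rules file referenced.
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:allowBackup="true" android:fullBackupContent="@xml/backup_rules"/>
</manifest>"""

# Constructed rules: only credential_identities.xml is excluded, so aliasvault.xml
# (tokens, key-derivation parameters) is still copied into backups.
BACKUP_RULES_XML = """<full-backup-content>
  <exclude domain="sharedpref" path="credential_identities.xml"/>
</full-backup-content>"""

# Remediated manifest: backups disabled outright, as the 0.26.0 fix does.
FIXED_MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:allowBackup="false"/>
</manifest>"""

SENSITIVE_SHAREDPREFS = ["aliasvault.xml", "credential_identities.xml"]


def backups_enabled(manifest_xml):
    """True unless android:allowBackup is explicitly false (Android defaults it to true)."""
    app = ET.fromstring(manifest_xml).find("application")
    return app.get(ANDROID_NS + "allowBackup", "true").lower() == "true"


def excluded_sharedprefs(rules_xml):
    """Files excluded on every backup path. Accepts <full-backup-content> and Android 12+
    <data-extraction-rules>, where a file is safe only if both <cloud-backup> and
    <device-transfer> exclude it. <include> allow-lists are not modelled."""
    root = ET.fromstring(rules_xml)
    sections = [root] if root.tag == "full-backup-content" else list(root)
    per_section = [{e.get("path") for e in s.iter("exclude") if e.get("domain") == "sharedpref"}
                   for s in sections]
    return set.intersection(*per_section) if per_section else set()


def leaked_sharedprefs(manifest_xml, rules_xml, sensitive=SENSITIVE_SHAREDPREFS):
    """Sensitive shared-preference files that would land in a backup; [] when safe."""
    if not backups_enabled(manifest_xml):
        return []
    excluded = excluded_sharedprefs(rules_xml)
    return [name for name in sensitive if name not in excluded]
```

Run against the constructed inputs, the weak configuration reports aliasvault.xml as still backed up and the remediated manifest reports nothing.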

Added: Feb 23, 2026, 6:20 AM
Updated: Feb 23, 2026, 6:20 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  4.0
remediation     0.0
relevance       3.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.