Hello!
We have an Expo app using the managed workflow that we distribute for Android. Looking at the files inside the application directory, we found a JSON file which contains an authentication token. It seems to be created by Expo itself, but we can’t find anything about it in the documentation.
We’d like to understand what the impact is if it is leaked and what it is used for.
File location on Android: data/data/(com.app.myapp)/files/PersistedInstallation.(XX-some-random-ID-XX).json
Contents:
{
"fid": "some ID different to the file",
"AuthToken": "A JWT token with 'fid', 'projectNumber', 'appId', 'exp' fields in the payload"
... (other fields for token validity)
}
Hello, this file was also brought to our attention.
Is there any way we can encrypt it or obfuscate it? If not, is there any impact in case it is leaked?
We also found a googleServicesFile JSON inside the sell-app-manifest.json, which I believe is also used by the Firebase SDK. Inside this googleServicesFile there is a “current_key” field. Is this key sensitive information? And is there any way to obfuscate it?
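
An added example, not part of the original posts and not Expo's or Firebase's code: a Node.js script for triaging the PersistedInstallation file described in the first post. It decodes the JWT payload and reports the claims and remaining lifetime without printing the token itself; it assumes `exp` is a Unix timestamp in seconds, and all sample values are constructed.

```javascript
// Added example. Field and claim names (fid, AuthToken, projectNumber, appId, exp)
// are the ones listed in the post; the sample file below is constructed.

// Decode one base64url JWT segment (no padding, '-' and '_' alphabet).
function b64urlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Summarise the file without echoing the token itself, so the report is safe to share.
function inspectInstallationFile(jsonText, nowSecs = Math.floor(Date.now() / 1000)) {
  const file = JSON.parse(jsonText);
  const parts = typeof file.AuthToken === 'string' ? file.AuthToken.split('.') : [];
  if (parts.length !== 3) {
    return { ok: false, reason: 'AuthToken is missing or is not a three-part JWT' };
  }
  let claims;
  try {
    claims = JSON.parse(b64urlDecode(parts[1]));
  } catch (err) {
    return { ok: false, reason: 'JWT payload is not base64url-encoded JSON' };
  }
  const hasExp = typeof claims.exp === 'number'; // assumption: exp is in Unix seconds
  const secondsLeft = hasExp ? claims.exp - nowSecs : null;
  return {
    ok: true,
    fidMatches: file.fid === claims.fid, // does the token belong to this file's fid?
    projectNumber: claims.projectNumber,
    appId: claims.appId,
    expiresAt: hasExp ? new Date(claims.exp * 1000).toISOString() : null,
    secondsLeft,
    expired: hasExp && secondsLeft <= 0,
  };
}

// Constructed sample: token with placeholder values and a dummy signature segment.
function makeSampleFile(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const token = `${enc({ alg: 'ES256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
  return JSON.stringify({ fid: claims.fid, AuthToken: token });
}

const sample = makeSampleFile({
  fid: 'SAMPLE_FID', projectNumber: 123456789, appId: '1:123456789:android:SAMPLE', exp: 1700003600,
});
console.log(inspectInstallationFile(sample, 1700000000));
```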