Mysterious file PersistedInstallation.XXXX.json in android contains an authentication token. What for?

  1. SDK Version: 39
  2. Platforms(Android/iOS/web/all): Android
  3. Add the appropriate “Tag” based on what Expo library you have a question on.

Hello!

We have an Expo app using the managed workflow that we distribute for Android. Looking at the files inside the application directory we found a json which contains an authentication token. It seems to be created by Expo itself but we can’t find anything about it on the documentation.

We’d like to understand what the impact is if it is leaked and what is it used for.

File location on android:
data/data/(com.app.myapp)/files/PersistedInstallation.(XX-some-random-ID-XX).json

Contents:

{ 
"fid": "some ID different to the file",
"AuthToken": "A JWT token with 'fid', 'projectNumber', 'appId', 'exp' fields in the payload"
... (other fields for token validity)
}

Do you know what this file is for?

Thank you!

This file is used by the native android firebase SDK- firebase-android-sdk/PersistedInstallation.java at master · firebase/firebase-android-sdk · GitHub

Hello, this file was also brought to our attention.

Is there any way we can encrypt it or obfuscate it? If not, is there any impact in case it is leaked?
We also found googleServicesFile json inside the sell-app-manifest.json which I believe is also used by firebase sdk. Inside this googleServicesFile there is a “current_key” field. Is this key sensitive information? And is there any way to obfuscate it?

Thank you in advance!

This works really well for us, thank you!