Temporary Internal File Storage risk – #5 DIVA Solution

Android lets apps save temporary files locally in the device's internal memory. Developers mostly use them for temporary data such as error or transaction logs, app activity, or error states. These temporary files are saved inside the app sandbox directory, i.e. /data/data/AppPackageName/. If they are not handled properly, they might contain sensitive information as well.



The video demonstrates, using the DIVA app, that the app's login information is visible in cleartext in the temporary file it generates. As described below, you can view the content of the unencrypted temp file using a rooted physical device or an emulator. (Make sure you fill in the data and save it first; only then is the temp file populated.)


Method – 1 View file directly using ADB – With ADB configured on your laptop/computer, connect a physical device via USB and grant ADB connectivity; an emulator works directly. Using an ADB command we can then access the temporary file.


Method – 2 Using Android Monitor – The GUI interface that comes by default with Android Studio. Using Android Device Monitor, locate the file via the GUI and copy it to the local computer; any text editor can then be used to view the temporary file's content.

Method – 3 Root File Explorer – Many root file explorers are available from the Android Play Store, which allow viewing files on the device directly.


Although saved temporary files are protected by the sandbox, there are a few catches that void the app sandbox protection for temp files. The easiest is a rooted device (plenty of tweaks motivate millions of users to root their devices). With SU (superuser) privilege, any app can read files from the sandbox of any other app. If the device is not rooted but the app is installed with an AndroidManifest.xml containing debuggable='true', files protected by the sandbox can still be easily accessed from outside. And if AndroidManifest.xml contains allowBackup='true', sandbox files can be pulled using ADB backup by connecting to a computer (however, ADB permission needs to be granted from the phone).
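The two manifest conditions above can be checked before an app ships. The following is an added example, not part of the original tutorial or of DIVA: a Python check over a manifest that has already been decoded to text XML. The sample manifests and the package name are constructed, and the fallback values are the platform defaults for an omitted attribute (debuggable false, allowBackup true).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Platform defaults applied when <application> omits the attribute.
DEFAULTS = {"debuggable": "false", "allowBackup": "true"}

RISK = {
    "debuggable": "sandbox files can be accessed from outside without root",
    "allowBackup": "sandbox files can be pulled with ADB backup",
}

# Constructed sample: debuggable is set explicitly, allowBackup is omitted.
SAMPLE_WEAK = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:debuggable="true" android:label="Notes"/>
</manifest>"""

# Constructed sample with both flags switched off explicitly.
SAMPLE_HARDENED = SAMPLE_WEAK.replace(
    'android:debuggable="true"',
    'android:debuggable="false" android:allowBackup="false"')


def audit_manifest(manifest_xml):
    """Return one finding per <application> flag that exposes sandbox files."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    findings = []
    for flag, default in DEFAULTS.items():
        raw = app.get("{%s}%s" % (ANDROID_NS, flag))
        value = (default if raw is None else raw).strip().lower()
        if value.startswith("@"):
            # Resource reference (e.g. @bool/...): needs manual resolution.
            findings.append({"flag": flag, "explicit": True,
                             "risk": "unresolved resource reference"})
        elif value == "true":
            findings.append({"flag": flag, "explicit": raw is not None,
                             "risk": RISK[flag]})
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_manifest(xml))
```

The weak sample is reported for allowBackup even though the attribute never appears in it, because an omitted allowBackup is treated as true.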

Given the above, it is recommended not to save any sensitive information in cleartext within temporary files, such as user personal details, login credentials, bank details, credit/debit card details, tokens, PINs, health data, transactional logs, cookies, etc.


  • Avoid saving any sensitive information directly within a temp file. Developers save important things by mistake, not realizing their logs might contain sensitive information.
  • The best solution is not to save anything in plaintext within the app's sandbox directory: either generate it at run time from user input or fetch the details with a secure HTTPS call over the internet.
  • Save passwords only after salting and hashing them with a strong algorithm like SHA2 or Bcrypt.
  • Use the Android Keystore, which allows encryption keys to be stored safely even on rooted devices, and use these keys to encrypt sensitive data before saving it.
