This repository has been archived by the owner on Jan 21, 2022. It is now read-only.

connected_gateway.json file is accessible #353

Open
abhaykr1234 opened this issue Jan 8, 2020 · 6 comments

Comments

@abhaykr1234

connected_gateway.json is getting created temporarily in the device storage which contains all the information related to client id, client secret, and the endpoints. I found that it is being created in ConfigurationManager.java file.

Is there any way to hide this json file or the contents of the json file?

@Ruqiya-Kaladgi
Contributor

Hi Abhay,
Sorry for the late reply, somehow I missed getting notified when the issue was logged.
This file will be internal to the application. Unless rooted you should not be able to access it.

Thanks,
Ruqiya

@abhaykr1234
Author

Hi Ruqiya,

We are able to read the file even if we connect the android device in adb mode.

@Ruqiya-Kaladgi
Contributor

Thanks Abhay for the quick reply.
I would like to confirm, you are saying that the file is accessible on a physical device which is not rooted?
I tried on an emulator, could not read it unless I started it in rooted mode.

Let me try on one or more devices meanwhile. Ideally, on a non-rooted device/emulator it should not be accessible.

@abhaykr1234
Author

Hi Ruqiya,

After we login, the file "connected_gateway.json" is created. Then we root the device. Now, without opening the app again, we are able to access the "/data/data/com.your.packagename/" directory and read the file.

So, yes, the file is accessible on rooted devices only. But the file discloses a lot of information related to client id, client secret, and the endpoints.

@Ruqiya-Kaladgi
Contributor

Hi Abhay,
On a rooted device anything is possible; we cannot have control over it. But yes, in your app you should be checking whether the device is rooted, running on an emulator, etc. at the very beginning. This can avoid the file itself getting created.

@patrickpaulin

@Ruqiya-Kaladgi,

Normally the "malicious users" will run your application as a normal user. At another moment, they will change the device configs and easily get access to all of your sensitive data inside connected_gateway.json. Bear in mind the "malicious user" doesn't even have to open your application twice to get this sensitive data. Whether or not your application checks for rooted devices, it doesn't seem safe.

@abhaykr1234

In ConfigurationManager.java

First of all change the getInstance() method:

```java
// Lazily creates the single ConfigurationManager; synchronized so concurrent callers share one instance
public static synchronized ConfigurationManager getInstance() {
    if (instance == null) {
        instance = new ConfigurationManager();
    }
    return instance;
}
```

You can change load() method:

```java
// Build the provider only from the in-memory JSON; never read a stored copy back from disk
private void load() {
    if (this.connectedGatewayConfigurationProvider == null) {
        activateDefault();
    }
}
```

You also have to change activateDefault() to use only the jsonConfiguration instance. Thinking about security, if connected_gateway.json is a problem for you, probably msso_config.json is too.

So, in this case you have to pass msso_config.json as parameter from one of the initializers MAS.start(decode("mssoEncrypted.json"))...

```java
// Use the JSON handed to the SDK at start-up (via setJsonConfig) instead of a copy loaded from storage
public void activateDefault() {
    JSONObject jsonObject = this.jsonConfiguration;
    activate(jsonObject);
}
```

Finally, you can just remove store() from the activate() method:

```java
public void activate(JSONObject jsonObject) {
    try {
        this.connectedGatewayConfigurationProvider = create(jsonObject);
        Context appContext = this.appContext;
        if (DEBUG) Log.d(TAG,
                String.format("Activate configuration: %s", jsonObject.toString(4)));
        for (ConfigurationListener c : configurationListeners) {
            c.onUpdated(appContext, connectedGatewayConfigurationProvider);
        }
    } catch (JSONException e) {
        throw new MAGRuntimeException(MAGErrorCode.FAILED_JSON_VALIDATION, e);
    }
//    store(jsonObject);   // removed: this call is what wrote connected_gateway.json to internal storage
}
```

Note: I recommend that you check whether the MAS version you are using has the following method in the ConfigurationManager class:
setJsonConfig(JSONObject jsonConfig)

```java
// Keeps the configuration in memory only; nothing is persisted
public void setJsonConfig(JSONObject jsonConfig) {
    this.jsonConfiguration = jsonConfig;
}
```

Hope this helps

Cheers
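If the SDK must persist the gateway configuration at all, the other mitigation beyond not writing the file is to persist only ciphertext under a non-exportable AndroidKeyStore key, so that a copy of /data/data taken after rooting does not contain the client secret or endpoints in the clear. The class below is an added illustration and not code from the MAS SDK or from anyone in this thread; the class name, key alias and file name are assumptions.

```java
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import org.json.JSONObject;

// Hypothetical helper, not part of the MAS SDK: AES-256-GCM with a key that never leaves AndroidKeyStore
public final class SealedConfigStore {
    private static final String KEY_ALIAS = "gateway_config_key";    // assumed alias
    private static final String FILE_NAME = "connected_gateway.bin"; // replaces the plaintext .json
    private static final int IV_LEN = 12, TAG_BITS = 128;
    // Returns the app's key, generating it once inside the Keystore (hardware-backed where available)
    private static SecretKey key() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) return (SecretKey) ks.getKey(KEY_ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256).build());
        return kg.generateKey();
    }
    // Writes IV || ciphertext+tag; the JSON itself never touches disk in the clear
    public static void store(Context ctx, JSONObject config) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key());          // Keystore supplies a fresh random IV
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(config.toString().getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        Files.write(new File(ctx.getFilesDir(), FILE_NAME).toPath(), out);
    }
    // Reads it back; a modified file fails the GCM tag check and throws instead of loading
    public static JSONObject load(Context ctx) throws Exception {
        byte[] in = Files.readAllBytes(new File(ctx.getFilesDir(), FILE_NAME).toPath());
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key(), new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        return new JSONObject(new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8));
    }
}
```

This protects a file copied off the device, but a user with root can still execute code as the app's UID and ask the Keystore to decrypt, so it raises the bar rather than making the secret safe on a rooted device; not persisting the file, as suggested above, remains the stronger option.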
