Polar Flow Android 5.7.1 Secret Disclosure
Polar Flow for Android version 5.7.1 stores the username and password in clear text in a file on mobile devices.
# Trovent Security Advisory 2110-01 #
#####################################


Insecure data storage in Polar Flow Android application
#######################################################


Overview
########

Advisory ID: TRSA-2110-01
Advisory version: 1.0
Advisory status: Public
Advisory URL: https://trovent.io/security-advisory-2110-01
Affected product: Polar Flow Android mobile application (fi.polar.polarflow)
Affected version: 5.7.1
Vendor: Polar Electro, https://flow.polar.com
Credits: Trovent Security GmbH, Karima Hebbal


Detailed description
####################

The Polar Flow app is a sports, fitness and activity analyzer which allows users to plan
and monitor training, daily activity and sleep.
Trovent Security GmbH discovered that the application stores the username and
password in clear text in a file on the mobile device.

Severity: Medium
CVSS Score: 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
CVE ID: N/A
CWE ID: CWE-312


Proof of concept
################

Content of the file /data/data/fi.polar.polarflow/shared_prefs/UserData3.xml:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="current_device_id">no_device</string>
    <int name="last_version_code" value="5070103" />
    <string name="base_url">https://www.polarremote.com/v2/users/54871065</string>
    <string name="last_name">Ptest</string>
    <int name="key_initial_view_resource_id" value="2131363187" />
    <boolean name="valid_ver_two" value="true" />
    <long name="problem_phone_message_time" value="1634888249727" />
    <boolean name="new_blogs_available" value="true" />
    <string name="address_json">{"city":"\u003cscript\u003ealert(1)\u003c/script\u003e","countryCode":"DE","modified":"2021-10-22T07:37:53.000Z"}</string>
    <string name="profile_json">{"favoriteSports":[]}</string>
    <string name="password">Test2021</string>
    <string name="last_blog_sync_time">2021-10-22T09:37:18.309</string>
    <long name="user_id" value="54871065" />
    <boolean name="initial_remote_sync_executed" value="true" />
    <string name="preferred_blog_language">en</string>
    <int name="key_training_diary_tab" value="0" />
    <string name="first_name">Ptest</string>
    <int name="should_show_problem_phone_message" value="2" />
    <string name="username">ptesttest11@gmail.com</string>
</map>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Solution / Workaround
#####################

We recommend not storing sensitive information in clear text on the mobile
device.

Fixed in version 6.3.0, verified by Trovent.


History
#######

2021-10-18: Vulnerability found
2021-12-15: Vendor contacted
2022-01-20: Contacted vendor again
2022-01-21: Vendor replied that the vulnerability will be checked
2022-01-28: Vendor replied, the vulnerability will be fixed in a future update
2022-07-27: Vendor contacted, asking for status
2022-08-09: Vendor replied, the vulnerability has been fixed since version 6.3.0
2022-08-17: Trovent verified remediation of the vulnerability
2022-08-18: Advisory published
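
A check for the pattern shown in the proof of concept, as an added example that is not part of the Trovent advisory: it parses an Android SharedPreferences XML file taken from a test device and reports string entries whose key name, or a key inside embedded JSON, suggests a secret stored in readable form. The key-name pattern, the function names and the sample data are assumptions constructed for illustration.

```python
import json
import re
import xml.etree.ElementTree as ET

# Key names that suggest a secret. This pattern is an assumption; tune it per app.
SENSITIVE_NAME = re.compile(r"passw(or)?d|passphrase|secret|token|api[_-]?key", re.I)

# Constructed sample in the SharedPreferences XML layout (not the advisory's file).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">user@example.com</string>
    <string name="password">ExamplePass1</string>
    <string name="profile_json">{"auth_token":"abc123","favoriteSports":[]}</string>
    <string name="refresh_token"></string>
    <int name="last_version_code" value="1" />
</map>"""


def _json_keys(node):
    """Yield every object key found anywhere inside a decoded JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _json_keys(value)
    elif isinstance(node, list):
        for item in node:
            yield from _json_keys(item)


def find_cleartext_secrets(prefs_xml):
    """Return sorted (entry name, reason) pairs; secret values are never copied out."""
    data = prefs_xml.encode("utf-8") if isinstance(prefs_xml, str) else prefs_xml
    findings = []
    for entry in ET.fromstring(data).iter("string"):
        name, value = entry.get("name", ""), entry.text or ""
        if not value.strip():
            continue  # empty entry: nothing is disclosed
        if SENSITIVE_NAME.search(name):
            findings.append((name, "sensitive key name with readable value"))
            continue
        try:  # entries such as profile_json hold JSON; inspect its keys as well
            keys = list(_json_keys(json.loads(value)))
        except ValueError:
            continue
        findings += [(name, f"embedded JSON key '{k}'") for k in keys
                     if SENSITIVE_NAME.search(k)]
    return sorted(findings)


if __name__ == "__main__":
    for name, reason in find_cleartext_secrets(SAMPLE_PREFS):
        print(f"{name}: {reason}")
```

A hit means the entry needs manual review, since the stored value could be a ciphertext or hash rather than the secret itself.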