amir/claude-usage-widget
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 9 Wiki Activity

v1.6: fix HIGH security vuln — remove plaintext cookie backup

Browse Source 
- Remove KEY_COOKIES_BACKUP plaintext fallback from PreferencesManager
- getCookies() now fails closed (force re-login) if EncryptedSharedPreferences unavailable
- Set android:allowBackup="false" to prevent adb backup extraction of session data
- Add missing gradle-wrapper.jar to repo

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Amir Khodak
2026-05-22 18:28:26 +00:00
parent b3b69dd2b2
commit 8d1cf21966
7 changed files with 183 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/build.gradle.kts
+2 -2
View File
@@ -11,8 +11,8 @@ android {
applicationId = "me.khodak.claudeusage"
minSdk = 26
targetSdk = 34
versionCode = 6
versionName = "1.5"
versionCode = 7
versionName = "1.6"
}
signingConfigs {
app/src/main/AndroidManifest.xml
+1 -1
View File
@@ -5,7 +5,7 @@
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<application
android:allowBackup="true"
android:allowBackup="false"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:roundIcon="@mipmap/ic_launcher_round"
app/src/main/java/me/khodak/claudeusage/data/PreferencesManager.kt
+2 -8
View File
@@ -27,18 +27,13 @@ class PreferencesManager(context: Context) {
fun saveCookies(cookies: String) {
securePrefs.edit().putString(KEY_COOKIES, cookies).apply()
// Plaintext backup — survives EncryptedSharedPreferences key rotation on reinstall
prefs.edit().putString(KEY_COOKIES_BACKUP, cookies).apply()
}
fun getCookies(): String? =
securePrefs.getString(KEY_COOKIES, null)
?: prefs.getString(KEY_COOKIES_BACKUP, null)
fun getCookies(): String? = securePrefs.getString(KEY_COOKIES, null)
fun clearSession() {
securePrefs.edit().clear().apply()
prefs.edit().remove(KEY_ORG_ID).remove(KEY_SESSION_START)
.remove(KEY_COOKIES_BACKUP).apply()
prefs.edit().remove(KEY_ORG_ID).remove(KEY_SESSION_START).apply()
}
fun saveOrgId(id: String) = prefs.edit().putString(KEY_ORG_ID, id).apply()
@@ -84,7 +79,6 @@ class PreferencesManager(context: Context) {
companion object {
private const val KEY_COOKIES = "session_cookies"
private const val KEY_COOKIES_BACKUP = "session_cookies_backup"
private const val KEY_ORG_ID = "org_id"
private const val KEY_SESSION_START = "session_start"
private const val KEY_USAGE_DATA = "usage_data"