[firebase_auth] Sensitive data stored in com.google.android.gms.signin.xml and com.google.firebase.auth.api.Store.* on Android – No option to disable persistence

[Navarrow0]

Issue Summary

When using firebase_auth on Android, sensitive user information (email, UID, tokens) is automatically stored in:

• /data/data/<app-id>/shared_prefs/com.google.android.gms.signin.xml
• /data/data/<app-id>/shared_prefs/com.google.firebase.auth.api.Store.[...]

This happens even when we don't explicitly enable persistence, and there’s no documented way to disable it via the Flutter SDK.

Why is this a concern?

• During a pentest on a rooted device, we observed that these files expose sensitive data.
• The use case requires disabling persistence entirely after login or using "ephemeral auth" (e.g., one-time sign in).
• Setting FirebaseAuth.instance.setPersistence(Persistence.NONE) only works on web platforms. It has no effect on Android/iOS.

Steps to Reproduce

1. Sign in a user using firebase_auth on Android (e.g., with Google or email/password).
2. Explore the device’s /data/data/<app-id>/shared_prefs/ directory on a rooted device.
3. Observe the .xml files containing user data and session tokens.

What we expect

• A way to disable persistence explicitly on Android/iOS (like setPersistence(Persistence.NONE) does on Web).
• Alternatively, a documented option to clear or encrypt these files.

References

• Stack Overflow thread asking about this