I'm currently writing an essay about Android vulnerabilities, and I've come across the insecure data storage vulnerability. I'm pretty new to this topic, and although I have read a lot of posts and articles and seen many videos, one thing keeps me uncertain. If an app suffers from such a vulnerability, e.g. is storing sensitive data in plain text in shared preferences or XML files, can those files be accessed without having the phone rooted/jailbroken? By now I assume they cannot, nonetheless I haven't found any explicit proof that it's true.
I'm sorry for asking maybe a little dumb question, but I appreciate any kind answers or help.
Thank you a lot!
Shared preferences are XML files stored in the app's storage area with permissions to only let the Linux-level user read/write them. Every app on Android is its own Linux-level user. So no, short of root or an exploit, it shouldn't be possible to read a shared preference. (Exception: globally read/writable shared preferences used to be possible, if you explicitly used that. But it was never suggested.)
That said, you can't assume the user won't root your phone. Or that the OS isn't an AOSP variant that breaks things purposely. So if you wouldn't trust the user with a piece of data, you shouldn't trust shared preferences with it. But it is safe to say another app can't access it without root or a privilege exploit.
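An added example, not part of the answer above: a small audit that checks the "other" permission bits the answer relies on, run over a directory listing of an app's shared preferences. The listing is constructed for illustration (file names, UIDs and dates are made up); on a debuggable build of your own app, a real listing could be taken with `adb shell run-as <package> ls -l shared_prefs`, which is an assumption about your setup.

```python
import re

# Constructed sample of `ls -l` output for an app's shared_prefs directory.
# File names, UIDs, sizes and dates are made up for illustration.
SAMPLE_LS = """\
total 12
-rw-rw---- 1 u0_a123 u0_a123  412 2024-01-01 10:00 settings.xml
-rw-rw-r-- 1 u0_a123 u0_a123  128 2024-01-01 10:01 legacy_world_readable.xml
-rw-rw-rw- 1 u0_a123 u0_a123   96 2024-01-01 10:02 legacy_world_writable.xml
"""

# mode, link count, owner, group, size, date, time, name
LINE = re.compile(
    r"^(?P<mode>[-dl][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+(?P<name>.+)$"
)


def audit(ls_output):
    """Return (name, mode, issues) for regular files any other UID can touch.

    Each app runs as its own Linux user, so a preference file is private
    only while the "other" read/write bits (mode[7], mode[8]) are clear.
    """
    findings = []
    for line in ls_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # e.g. the "total N" header line
        mode = m["mode"]
        if mode[0] != "-":
            continue  # skip directories and symlinks
        issues = []
        if mode[7] == "r":
            issues.append("world-readable")
        if mode[8] == "w":
            issues.append("world-writable")
        if issues:
            findings.append((m["name"], mode, issues))
    return findings


if __name__ == "__main__":
    for name, mode, issues in audit(SAMPLE_LS):
        print(f"{name}: {mode} -> {', '.join(issues)}")
```

A file with the default private mode (`-rw-rw----`) produces no finding; only files whose "other" bits are set are reported.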