Summary
Six medium-severity security vulnerabilities discovered during an automated deep check on 2026-04-10. These are new findings not covered by existing issues.
1. Auth Token Stored in Unencrypted Capacitor Preferences
Files:
src/app/shared/dia-backend/auth/dia-backend-auth.service.ts lines 446-448
src/app/shared/preference-manager/preferences/capacitor-storage-preferences/capacitor-storage-preferences.ts lines 127-132
The DIA backend auth token is stored through Capacitor.Preferences, which is backed by unencrypted SharedPreferences on Android and UserDefaults on iOS. Distinct from #3372 (Ethereum private key): this is the session token sent as authorization: token ${token} on every backend request.
Impact: On a rooted/jailbroken device (or from a device backup that includes app preferences), an attacker can read the token and fully impersonate the user for as long as the token remains valid.
Fix: Keep the token in EncryptedSharedPreferences (Android) / the Keychain (iOS) through a secure storage plugin, and clear it on logout.
2. GoPro WiFi/BLE Credentials in Plaintext
File: src/app/features/settings/go-pro/services/go-pro-bluetooth.service.ts lines 147-152
The cited lines serialize BLE ScanResult data (including device identifiers) and persist it in unencrypted Capacitor Preferences. The finding text only shows device details being stored; confirm whether the GoPro WiFi credentials obtained over BLE pass through the same path before treating this as credential disclosure rather than device-identifier disclosure.
Fix: Use encrypted storage for persisted device details. Keep WiFi credentials in memory only for as long as they are needed and clear them after use.
3. Unsafe bypassSecurityTrustUrl on User-Controlled Route Param
File: src/app/shared/media/media-viewer/media-viewer.page.ts lines 14-18
The media-viewer/:src route reads the src param and passes it straight to bypassSecurityTrustUrl(), then binds the result to <img> and <video> elements. Distinct from #3382 (SafeResourceUrlPipe for iframes). The route has no AuthGuard, so a crafted deep link can open the viewer with an attacker-chosen src. Modern browsers do not execute javascript: URLs in img/video src, so the realistic abuse is attacker-controlled content rendered inside the app's own viewer rather than script execution; scope the severity accordingly.
Fix: Parse src as an absolute URL and accept only allowlisted schemes (blob:, https:), rejecting anything the URL parser cannot handle; consider also restricting https: sources to known hosts. Add AuthGuard to the route.
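The check proposed above, as an added example that is not the project's code: a scheme allowlist applied to the route parameter before anything is handed to the sanitizer. The Angular DomSanitizer call is left out so the function runs stand-alone; the allowlist (blob:, https:) is the one the finding proposes, and the optional host allowlist is an assumption about what the viewer actually loads. The router hands the component the decoded value of :src, so that decoded string is what gets validated.

```typescript
// Added example, not the project's code. Validates the media-viewer/:src
// parameter instead of passing it straight to bypassSecurityTrustUrl().

// Schemes the viewer is allowed to load (from the finding's proposed fix).
const ALLOWED_SCHEMES: ReadonlySet<string> = new Set(['blob:', 'https:']);

/**
 * Returns the normalized URL when `src` is an absolute URL with an allowed
 * scheme, otherwise null. Relative paths, protocol-relative URLs and anything
 * the WHATWG parser rejects are refused, so the caller never trusts a raw
 * string. The parser lowercases the scheme and trims surrounding whitespace,
 * which defeats "JavaScript:" and " javascript:" variants.
 *
 * `allowedHosts` is an optional second gate for https: sources (assumption:
 * the viewer only ever loads media from known hosts). blob: URLs carry no
 * host of their own and are not subject to it.
 */
export function safeMediaSrc(
  src: string,
  allowedHosts?: ReadonlySet<string>,
): string | null {
  let url: URL;
  try {
    url = new URL(src); // no base URL: relative and protocol-relative inputs throw
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return null;
  }
  if (url.protocol === 'https:' && allowedHosts && !allowedHosts.has(url.hostname)) {
    return null;
  }
  return url.href;
}
```

In the component, bind only the non-null return value (then sanitize it as a URL) and treat null as "show an error, load nothing"; do not fall back to the raw parameter.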
4. No HTTP Interceptor for Authentication or Error Handling
Files: src/app/shared/shared.module.ts, src/app/app.module.ts — no HTTP_INTERCEPTORS configured.
With no interceptors there is no central place to inject the auth header, no automatic handling of 401 responses or token refresh (the JWT expires in 5 min per line 411), and no single point at which a session can be torn down. Certificate pinning is not something an HttpInterceptor can provide in a Capacitor app either way: the WebView owns the TLS stack, so pinning belongs in the native layer (for example Android's Network Security Config).
Impact: Inconsistent security enforcement. Some services omit the auth header (Bubble API), and a 401 does not end the session.
Fix: Implement an HttpInterceptor that attaches the auth header to backend requests only, redirects on 401, and handles token refresh; address certificate pinning natively.
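The two interceptor responsibilities named in the fix, as an added example rather than the project's code: a framework-free chain with the same (request, next) shape as Angular's HttpInterceptor, but on Promises instead of Observables so it runs without Angular. The request/response types, the backend origin, the token and the fake transport are all constructed for the example. The point it makes beyond the finding: the token must be attached only to the backend origin, because a blanket interceptor would leak the session token to every third-party API the app calls.

```typescript
// Added example, not the project's code. Minimal interceptor chain modelled on
// HTTP_INTERCEPTORS; all types and endpoints below are assumptions.

export interface HttpReq { url: string; headers: Record<string, string>; }
export interface HttpRes { status: number; body?: unknown; }
export type Handler = (req: HttpReq) => Promise<HttpRes>;
export type Interceptor = (req: HttpReq, next: Handler) => Promise<HttpRes>;

/** Composes interceptors so the first one in the array runs outermost. */
export function buildClient(interceptors: Interceptor[], transport: Handler): Handler {
  return interceptors.reduceRight<Handler>(
    (next, interceptor) => (req) => interceptor(req, next),
    transport,
  );
}

/**
 * Attaches the DIA-style token header, but only for requests whose origin is
 * the backend. Requests to any other host go out untouched.
 */
export function authInterceptor(backendOrigin: string, getToken: () => string | null): Interceptor {
  return async (req, next) => {
    const token = getToken();
    if (token && new URL(req.url).origin === backendOrigin) {
      return next({ ...req, headers: { ...req.headers, authorization: `token ${token}` } });
    }
    return next(req);
  };
}

/** Ends the session in one place when the backend answers 401. */
export function unauthorizedInterceptor(onSessionExpired: () => void): Interceptor {
  return async (req, next) => {
    const res = await next(req);
    if (res.status === 401) {
      onSessionExpired(); // e.g. clear stored token and navigate to login
    }
    return res;
  };
}

export interface DemoResult { backendAuth?: string; thirdPartyAuth?: string; expired: boolean; }

/** Drives the chain against a constructed transport and reports what it saw. */
export async function demo(): Promise<DemoResult> {
  const BACKEND = 'https://api.example.com'; // assumed backend origin
  let expired = false;
  const seen: Record<string, string | undefined> = {};
  // Constructed transport: records the authorization header, answers 401 on /expired.
  const transport: Handler = async (req) => {
    seen[req.url] = req.headers.authorization;
    return { status: req.url.endsWith('/expired') ? 401 : 200 };
  };
  const client = buildClient(
    [authInterceptor(BACKEND, () => 'abc123'), unauthorizedInterceptor(() => { expired = true; })],
    transport,
  );
  await client({ url: `${BACKEND}/assets`, headers: {} });
  await client({ url: 'https://third-party.example/v1/thing', headers: {} });
  await client({ url: `${BACKEND}/expired`, headers: {} });
  return {
    backendAuth: seen[`${BACKEND}/assets`],
    thirdPartyAuth: seen['https://third-party.example/v1/thing'],
    expired,
  };
}
```

Token refresh is deliberately not shown: with a 5-minute JWT it needs a single shared refresh promise that concurrent requests wait on, which is the same pattern as the fix for finding 5.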
5. Social Auth Initialization Race Condition
File: src/app/shared/social-auth/social-auth.service.ts lines 30-51
Concurrent calls to ensureInitialized$() can return before SocialLogin.initialize() completes: while one call is in flight, the initializing boolean guard makes later callers return immediately instead of awaiting the in-flight initialization, so a caller can proceed to use the plugin before it is ready.
Fix: Cache the initialization promise (or Observable) and have every caller await the same one; reset it on failure so a later call can retry.
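The race and its fix side by side, as an added example that is not the project's code: a boolean-guard initializer with the behaviour described above, and a version that memoizes the in-flight promise. FakePlugin stands in for SocialLogin.initialize() and is an assumption; it resolves on a timer so the window between "started" and "finished" is observable, and it counts invocations to show the fix does not double-initialize.

```typescript
// Added example, not the project's code. FakePlugin is a constructed stand-in
// for the social login plugin.

export interface InitPlugin { initialize(): Promise<void>; }

export class FakePlugin implements InitPlugin {
  calls = 0;
  done = false;
  initialize(): Promise<void> {
    this.calls += 1;
    return new Promise((resolve) =>
      setTimeout(() => { this.done = true; resolve(); }, 10));
  }
}

/** Mirrors the reported bug: a boolean guard that sends concurrent callers back early. */
export class RacyInitializer {
  private initialized = false;
  private initializing = false;
  private readonly plugin: InitPlugin;
  constructor(plugin: InitPlugin) { this.plugin = plugin; }
  async ensureInitialized(): Promise<void> {
    // A second concurrent caller takes this branch while initialize() is still running.
    if (this.initialized || this.initializing) return;
    this.initializing = true;
    try {
      await this.plugin.initialize();
      this.initialized = true;
    } finally {
      this.initializing = false;
    }
  }
}

/** Fix: keep the in-flight promise so every caller awaits the same initialization. */
export class SafeInitializer {
  private inFlight: Promise<void> | undefined;
  private readonly plugin: InitPlugin;
  constructor(plugin: InitPlugin) { this.plugin = plugin; }
  ensureInitialized(): Promise<void> {
    if (!this.inFlight) {
      this.inFlight = this.plugin.initialize().catch((err: unknown) => {
        this.inFlight = undefined; // drop the failed attempt so the next call retries
        throw err;
      });
    }
    return this.inFlight;
  }
}

export interface RaceResult { secondSawDone: boolean; initCalls: number; }

/** Two concurrent callers; reports whether the second one saw a finished plugin. */
export async function raceTwoCallers(
  make: (plugin: InitPlugin) => { ensureInitialized(): Promise<void> },
): Promise<RaceResult> {
  const plugin = new FakePlugin();
  const init = make(plugin);
  const first = init.ensureInitialized();
  const secondSawDone = await init.ensureInitialized().then(() => plugin.done);
  await first;
  return { secondSawDone, initCalls: plugin.calls };
}
```

With the racy version the second caller resolves while plugin.done is still false; with the cached promise both callers resolve after initialization and the plugin is still initialized exactly once. The same shape applies to an RxJS implementation: share the single initialization Observable (for example via shareReplay(1)) instead of guarding with a flag.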
6. Hardcoded Apple App Store ID in Analytics Config
File: src/app/shared/apps-flyer/apps-flyer.service.ts line 15
App Store ID 1536388009 is hardcoded next to the analytics configuration. Aids reconnaissance for targeted attribution fraud, though the ID is already public (it appears in the app's App Store URL), so the practical gain to an attacker is small.
Fix: Move it to environment configuration alongside the other environment-specific values so it is not duplicated in source.
Additional: 69 npm Vulnerabilities (43 HIGH)
Key vulnerable packages beyond Angular:
lodash / lodash-es: Prototype Pollution, Code Injection via _.template
node-forge: Signature forgery (Ed25519, RSA-PKCS), DoS via BigInteger.modInverse()
flatted: Unbounded recursion DoS, Prototype Pollution via parse()
tar: Multiple path traversal and symlink poisoning CVEs
serialize-javascript: RCE via RegExp.flags and CPU exhaustion DoS
socket.io-parser: Unbounded binary attachments
path-to-regexp: ReDoS
@xmldom/xmldom: XML injection via CDATA serialization
Fix: Run npm audit fix, then manually update the packages whose fix requires a major-version bump (npm audit fix will not cross a major version without --force); re-run npm audit afterwards to confirm the count drops.
Generated by Heart Beat with Omni