Exposure of Pre-signed AWS Credentials in Local Cache Metadata #132
Description
A security audit of our application's local storage revealed that the UXCam SDK caches transient upload metadata in plaintext within the application's data directory.
Identified Sensitive Data:
Local cache files contain pre-signed AWS S3 URLs used for session uploads.
These URLs include active transient credentials (X-Amz-Credential, X-Amz-Date, and X-Amz-Signature).
Impact: While the credentials are time-limited, their presence in plaintext on the device filesystem provides an attack surface for intercepting session recordings or metadata during the upload window.
### Requested Resolution: Implement encryption for the SDK's local metadata and cache manager. Specifically, use a hardware-backed encryption key to protect session metadata files and transient credentials stored at rest.