Build environment: macOS
Moddable SDK version: 7.2.1
Target device: Pebble
Description
Key-value storage is not isolated between apps. An untrusted installed app can read and write storage belonging to another app by using the same path and key. This should be disallowed for untrusted (installed) apps, and only permitted for trusted system built-in apps.
Steps to Reproduce
- Install any app that writes a value to key-value storage (e.g.
path=test, key=count)
- Install a second, separate app that reads from the same
path and key
- The second app successfully reads the value written by the first app
Expected behavior
Each app's storage should be sandboxed and inaccessible to other apps. An untrusted app should not be able to read or write another app's key-value storage entries.
Images
https://github.com/user-attachments/assets/53cf4d1f-e2d5-4f20-b3a6-c471ff508f54
Other information
The current implementation does not enforce storage isolation. Trusted system built-in apps sharing storage may be intentional in the future, but untrusted installed apps should never have cross-app storage access.
Build environment: macOS
Moddable SDK version: 7.2.1
Target device: Pebble
Description
Key-value storage is not isolated between apps. An untrusted installed app can read and write storage belonging to another app by using the same path and key. This should be disallowed for untrusted (installed) apps, and only permitted for trusted system built-in apps.
Steps to Reproduce
path=test, key=count)pathandkeyExpected behavior
Each app's storage should be sandboxed and inaccessible to other apps. An untrusted app should not be able to read or write another app's key-value storage entries.
Images
https://github.com/user-attachments/assets/53cf4d1f-e2d5-4f20-b3a6-c471ff508f54
Other information
The current implementation does not enforce storage isolation. Trusted system built-in apps sharing storage may be intentional in the future, but untrusted installed apps should never have cross-app storage access.