Is it safe to put sensitive information (e.g. credentials) in application bundle?

I would like to ask if keeping sensitive information inside an application bundle is safe (in other words, whether sensitive information can't be reverse-engineered from an application deployed on a watch). I found some examples where an OAuth2 client_secret was kept inside the application code (so, eventually, put in the application bundle), but I wonder if this is good practice. I know that this is definitely not safe for Android applications, because there everything can be reverse-engineered. But maybe Garmin uses some measures which prevent reverse engineering of application bundles?
  • If I was a bad guy I would 1st install the app on my old watch :) if possible, then try to find my way to download any prg from the store..

  • Just out of curiosity (I have no watch): there are many programs which make hidden folders visible. Do you mean that kind of hidden folder?

    TL;DR the part of your watch where the music PRGs go is more than "hidden", it's completely inaccessible to the end user (via USB), as far as I know. I'd prefer the term inaccessible storage (or something similar).

    This is why I don't like the use of the term "hidden" here, although I'm really swimming against the tide here. Stuff on Garmin devices that's "hidden" isn't hidden in the sense of a hidden/protected/system Windows folder, or even a folder where certain users don't have rights to access it. In all of those other cases, data is only "hidden" or even inaccessible because the OS that's accessing it agrees to hide it or to deny access. That's why there's forensic software that can access data which is either "hidden" or has permissions that would normally make it impossible for you to access.

    Even before PRGs were moved to inaccessible storage, Garmin devices always had this concept of "stuff you can't access". For example, certain settings, wi-fi passwords and bluetooth sensor pairing were always located in inaccessible storage (and only in inaccessible storage). This becomes obvious when you change any of that stuff, yet there's no corresponding change in any file in user-accessible storage.

    There's also the concept of data that goes in both places: user-accessible storage and user-inaccessible storage. For example, if you set up a custom interval workout on the watch itself, you'll see that it's saved in a certain FIT file. If you delete that FIT file, you'll see that the same workout comes back, even though you deleted the file, which indicates there was a "shadow copy" of the file in user-inaccessible (writable) storage. The same might apply to activity profiles (sports settings) and other types of settings. If you delete the corresponding FIT file for a certain setting, the setting comes back (without loss of data).

    EDIT: I'm sure Garmin knows how to access "hidden" data on Garmin devices, but I assume they need either special hardware and/or special software to do so. I imagine that at the very least, they would have custom firmware that would expose "hidden" storage to be read and written. If such firmware doesn't exist, they could surely create it at any time.

    IOW I would assume Garmin can read anything on your watch (obviously).

  • Furthermore, all devices which support music (which is most or all new Garmin watches) use MTP to access files on the watch, as opposed to non-music devices which expose the raw file system (FAT iirc) via USB mass storage.

    So even if there were hypothetically a way to access the "hidden" (or inaccessible) part of storage via a forensic tool, it would be impossible (*) to do so on music devices, as MTP doesn't expose the raw file system, it's a file transfer protocol which abstracts away the FS.

    (* impossible for ordinary users, probably possible for Garmin)

    Anyway, consider that the current situation is "good enough" for Spotify.

  • If I was a bad guy I would 1st install the app on my old watch :) if possible, then try to find my way to download any prg from the store..

    Yeah, I mean if an app isn't available for older devices, or it's a type of app that's always been hidden (music provider), then the first thing I would try to do would be to download it through an SSL proxy, if possible. Once you have the PRG, you can run it on any Garmin device you want (within reason) and/or analyze it on a computer.

    If the app is available for old watches (such that the PRG is exposed to the end user), then it's already game over.

  • Thank you, , for your explanations! 👍
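The thread's point is that anything shipped inside a bundle (a PRG, an APK) is only as hidden as the host OS chooses to make it; a practitioner's pre-release check is to scan the built artifact for string constants that look like credentials, exactly the way someone holding the file would. The following is an added example, not code from the original thread or from Garmin; the bundle bytes, the key names and the entropy threshold are constructed assumptions for illustration.

```python
import math
import re
import string
from typing import List, Tuple

# Constructed stand-in for a compiled app bundle: opaque bytes with a few
# embedded string constants, including one that looks like an OAuth2 secret.
SAMPLE_BUNDLE = (
    b"\x00\x01\x02PRG\x00\x00\xff\x10"
    b"https://accounts.example.com/oauth2/token\x00"
    b"\x7f\x00\x03"
    b"client_id=myapp-watch\x00"
    b"client_secret=k8Zq3vLw2pXr9TbN4mHs7yJc1dFgQaE5\x00"
    b"xK9pQ2mZ7vB4nL1rT6wY3cF8hJ5dG0sA\x00"  # unlabelled random-looking token
    b"\x00\x00UI_Label\x00"
)

# Printable ASCII bytes, excluding control whitespace, as strings(1) sees them.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
MIN_LEN = 8

# Key names commonly used for credentials (assumed list; extend for your app).
SECRET_KEY_RE = re.compile(
    r"(client_secret|api_key|password|token)\s*[=:]\s*(\S+)", re.I)


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return runs of printable ASCII at least min_len long."""
    out, run = [], bytearray()
    for b in blob + b"\x00":  # sentinel flushes the final run
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score high, prose and URLs lower."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_secrets(blob: bytes, entropy_threshold: float = 4.5) -> List[Tuple[str, str]]:
    """Flag credential-like strings: a named key=value pair, or any string
    whose character entropy is at or above the threshold."""
    hits = []
    for s in extract_strings(blob):
        if SECRET_KEY_RE.search(s):
            hits.append(("named-credential", s))
        elif shannon_entropy(s) >= entropy_threshold:
            hits.append(("high-entropy", s))
    return hits
```

A hit means the value is readable by anyone who obtains the bundle; the fix is to keep such values server-side, or to use a flow that needs no secret in the client (for OAuth2, a public client with PKCE).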