The plaintext vault backup (used for backup sync) is currently written to the worldid data directory alongside the encrypted vault. Since this file contains unencrypted sensitive data, there would be more defense in depth if it was written to the platform's temporary directory instead. If a client-side bug prevents the caller from deleting the file, the OS will eventually clean it up.
Platform behavior:
- iOS: NSTemporaryDirectory() — OS cleans up periodically and on reboot. Files get NSFileProtectionComplete by default (encrypted at rest when locked).
- Android: Context.getCacheDir() — OS can evict under disk pressure, but doesn't guarantee cleanup on reboot. Still better than the persistent data directory.
The plaintext vault backup (used for backup sync) is currently written to the worldid data directory alongside the encrypted vault. Since this file contains unencrypted sensitive data, there would be more defense in depth if it was written to the platform's temporary directory instead. If a client-side bug prevents the caller from deleting the file, the OS will eventually clean it up.
Platform behavior: