Hello! In our organization, we’ve noticed that some AppSheet creators are not using Security Filters properly. I would like to verify what data is downloaded and stored on the client to ensure that no sensitive information is exposed.
I looked through network logs and local storage but couldn’t find it. Is the data stored as binary?
Not binary but encrypted. AppSheet uses “encryption as rest” technology through Google. The data sitting on the device is encrypted and then decrypted when pulled into the app, encrypted again when pushed back to device storage. All data in transit over the internet is encrypted as well.
If you have SENSITIVE information then you should us the “Sensitive data” setting in AppSheet. This is found in the “Other Properties” section in the column configuration within the AppSheet table. This setting will ensure that the data values do not appear in any AppSheet system controlled areas where values might be exposed such as log files.
I hope this helps!
Thank you for the clarification! In the app, under Security → Options, there is an option to enable “Encrypt device data“ (Encrypt data stored locally on the device (note: encryption is not available on older devices)), which is disabled by default.
Do you know what this does? I thought that if it’s disabled, there won’t be any encryption.
Sorry, I just assumed you were referring to when this option is turned on. Correct…that is the option that determines if device side encryption is used or not.
I guess it should be noted that with this option ON there is a performance hit since the data MUST go through a decryption to be loaded into the app and then an encryption cycle to be stored again. Apps with large data amounts can appear slower when this is turned on.
So, with a LARGE data app, choose to use this option ONLY if needed. With smaller data apps, it’s more of a preference OR criticality to secure the data.
I see.
So in case the encryption is disabled, how/where is the data stored on the client?
There’s no difference in where the data is stored if its encrypted or not. But, in short, I don’t know where on the device that data is stored. That storage area is abstracted away from us App Creators and managed by AppSheet internally.
Yes, I know that. I’m not sure if I’ll be able to get an answer on this forum, but I’m basically trying to “hack” the app and access the local un-encrypted data to ensure that if anyone else tries to do it they won’t find anything interesting 
There is no ”ethical” way to hack the phone data like you are suggesting. Otherwise, every phone app could be compromised. The data storage is proprietary to the apps themselves and is hidden behind barriers controlled by the operating system.
I can tell you this much, the unencrypted data stored for an AppSheet app is exactly the same as that in the datasource. Additionally, any images and files used by the app will potentially be stored on the device as well.
If “Sensitive Data” setting is your concern, I can also add that the setting DOES NOT apply to the data stored on the device. The actual value must be there to surface into the app.
Access your app using a browser, then use the browser’s developer tools.
You can see the app data that way? That doesn’t seem very secure.
It’s not, which is why encryption and security filters are so important.