We are using the package-name React Native SDK (CredentialManager) in our Android app to persist authentication data. During a recent security assessment, it was found that authentication data and its encryption material are being stored together in the same SharedPreferences XML file located in the app’s private storage in plain text. Specifically, the file contains a base64-encoded credential blob under the key com.packagename.credentials, expiry timestamps (com.packagename.credentials_expires_at, com.packagename.credentials_access_token_expires_at), a symmetric encryption key (com.packagename.key), the corresponding initialization vector (com.packagename.key_iv), and a refresh capability flag. The concern is that co-locating the encrypted credentials with their decryption key and IV in the same file could allow an attacker with file system access to decrypt and misuse the credentials. Could you please clarify if this behavior is expected in the current React Native SDK implementation? What measures are in place to protect these keys and credentials at rest? Are there recommended configuration changes or SDK updates to improve security here? For example, could these values be stored using Android’s EncryptedSharedPreferences or other Keystore-backed secure storage mechanisms to mitigate this risk? Any guidance on addressing this vulnerability in production apps would be greatly appreciated.