
Security: Plaintext storage of authentication Session Tokens #7

@windoze95


File: lib/services/storage_service.dart
Lines: 35-43 (in setSessionToken / getSessionToken)

Description:
The active session token (X-User-Token) is stored via the Hive unencrypted _session box (AppConstants.sessionBox). Since mobile devices can be compromised, storing sensitive authentication material in cleartext Shared Preferences or unprotected generic files represents a security flaw.

Impact:
If an attacker or malware compromises the device's storage (e.g., via root access, device backup extraction, or shared filesystem vulnerabilities), they could extract the session token and spoof the user.

Suggested Fix:
Migrate the session_token to the flutter_secure_storage package, which uses encrypted Keychain on iOS and EncryptedSharedPreferences on Android. Alternatively, instantiate the sessionBox using an encrypted Hive cipher generated securely and stored in the Keychain/Keystore.

import 'package:flutter_secure_storage/flutter_secure_storage.dart';

// Backed by the iOS Keychain and Android EncryptedSharedPreferences.
const storage = FlutterSecureStorage();

// Passing null clears the token (logout); otherwise it is written encrypted.
Future<void> setSessionToken(String? token) async {
  if (token == null) {
    await storage.delete(key: 'session_token');
  } else {
    await storage.write(key: 'session_token', value: token);
  }
}

// Returns null when no session token is stored.
Future<String?> getSessionToken() => storage.read(key: 'session_token');
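The alternative fix mentioned above (keep the Hive box, but encrypt it with a key held in the Keychain/Keystore), as an added example that is not part of this issue or the project's code. It assumes Hive has already been initialised (Hive.initFlutter()) and uses a constructed name for the secure-storage entry that holds the box key.

```dart
import 'dart:convert';

import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:hive/hive.dart';

// Constructed name for the secure-storage entry that holds the Hive box key.
const _hiveKeyName = 'hive_session_box_key';
const _storage = FlutterSecureStorage();

/// Returns the 256-bit AES key for the session box. On first run the key is
/// generated from a cryptographically secure RNG and persisted through
/// flutter_secure_storage (Keychain / Keystore), never in a plain file.
Future<List<int>> _loadOrCreateBoxKey() async {
  final stored = await _storage.read(key: _hiveKeyName);
  if (stored != null) {
    return base64Url.decode(stored);
  }
  final key = Hive.generateSecureKey(); // 32 random bytes
  await _storage.write(key: _hiveKeyName, value: base64UrlEncode(key));
  return key;
}

/// Opens the session box with AES encryption. Callers use the same put/get
/// API as before; only the on-disk representation changes to ciphertext.
Future<Box<String>> openEncryptedSessionBox(String boxName) async {
  final key = await _loadOrCreateBoxKey();
  return Hive.openBox<String>(boxName, encryptionCipher: HiveAesCipher(key));
}

/// Passing null clears the token (logout); otherwise it is stored encrypted.
Future<void> setSessionToken(Box<String> box, String? token) async {
  if (token == null) {
    await box.delete('session_token');
  } else {
    await box.put('session_token', token);
  }
}

/// Returns null when no session token is stored.
String? getSessionToken(Box<String> box) => box.get('session_token');
```

This protects the token at rest (backups, shared filesystem); code running with the app's own privileges on a rooted device can still reach the key through the same API, so the token should additionally be short-lived and revocable on the server.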
