Passwords as clear text for root apps

While some may spend their weekends lounging poolside or at toddler birthday parties, some sit and hack.  We're glad in this case, as Cory (our Android Central Forums admin) found something that a good number of us need to be careful about -- in many cases your passwords are stored as plain text in internal databases.  We spent a good portion of our Saturday tracking down the issues, scouring Google's code bugs pages, testing various phones running various ROMs, and even calling in the pros for clarification.  Hit the break to see what was found, and what you might need to watch for if you've rooted your phone. [Android Central forums] And big props to Cory!

To be clear, this only affects rooted users.  It's also a great reason why we stress the extra responsibilities that come with running a rooted OS on your phone.  If you haven't rooted, this particular issue won't affect you, but it's still worth reading if only to put your mind at ease that not rooting was the right choice.

Take a moment and read all of our findings, which Cory has listed out quite nicely right here.  I'll summarize: Certain applications, including the stock Froyo (Android 2.2) e-mail client, store your username and password as plain text in the phone's internal accounts database.  This includes POP and IMAP mail accounts, as well as Exchange accounts(which could pose a bigger issue if it's also your domain login information).  Now before we say the sky is falling, if your phone isn't rooted, no application is able to read this.  We even confirmed this with Kevin McHaffey, the Co-Founder and CTO of Lookout -- who is always ready to lend a hand where mobile security is concerned, even on the weekend.  Here's his take on the situation:

"The accounts.db file is stored by an android system service to centrally manage account credentials (e.g. usernames and passwords) for applications. By default, the permissions on the accounts database should make the file only accessible (i.e. read + write) to the system user. No third party applications should be able to directly access the file. My understanding is that passwords or authentication tokens are allowed to be stored in plain text because the file is protected by strict permissions. Also, some services (e.g. Gmail) store authentication tokens instead of passwords if the service supports them, minimizing the risk of a user’s password being compromised.

It would be very dangerous for third party applications to be able to read this file, which is why it’s very important to be careful when installing applications that require root access. I think it’s important for all users who root their phones to understand that apps running as root have *full* access to your phone, including your account information.

If the accounts database were to be accessible to non-system users (e.g. user or group ownership of the file something other than “system” or world read privileges on the file) it would be a large security vulnerability."

To put this in simpler terms, Android is set up so that apps can't read databases they aren't associated with.  But once you provide the tools for applications to run as root, all this changes.  Not only can someone with physical access to your phone look at these files and possibly obtain your login credentials, a very nasty piece of malware could be made that does the same thing and sends the data back home.  We didn't find any instances of apps like this out in the wild, but be very careful (as always) of the applications you install, and read those application permissions!

While this isn't a concern for the vast majority of users, it would be preferable to encrypt these entries in future Android builds.  Turns out, someone else thinks so, and there is an entry at Google's Android issues pages, which interested parties can star to stay informed about it as well as bump it up the list. 

We certainly don't want to blow this out of proportion, but knowledge is power in situations like this.  If you've rooted that shiny new Android phone, take a few extra precautions to stay safe.

 
There are 34 comments

Jonneh says:

Thanks for keeping us safe, folks at AC.

killatrell86 says:

Wow. This would show up on here the day I was really thinking about rooting my fascinate......

macsmister says:

Dude root your Fascinate. Once rooted apply the lag fix and you get one hot (if not the hottest) Verizon Android phone. You ought it to yourself!

computist says:

Yep, me too. I was going to root my Droid X when I got home tonight. Now, not so much...

afazel says:

I think it's worth pointing out that even if your phone is not rooted and is stolen, a tech-savvy thief would be able to root your phone and pull the data.

rugbyua9 says:

Agreed.

Thank you AC for giving the heads up... but as with rooting in the first place... you are putting yourself in the trust of other people. Especially ROM developers. Hopefully those who are concerned knew this before rooting.

And for what its worth... yes I'm rooted and no I'm not concerned.

icebike says:

EXACTLY.

Why make the point repeatedly about it Only affecting rooted phones when the first thing a thief (or a cop) would do is root the phone.

This is a tough problem to solve because you have to store a decryption key somewhere or enter it every time. So even if android encrypted the database the key to decrypt it would have to reside in the phone somewhere, or you would have to type it EACH time you opened the phone.

Count 1, 2, 3 and see the isheep go all out on this…lol

icebike says:

The iphone OS had to have a patch some time ago for precisely this reason. It wasn't till version 3.1 that this was fixed.

Apple has already faced this problem. And it was directly in response to the Exchange community.

Question: would it be possible then to root phone and get rid of bloatware and then unroot to avoid this issue?

afazel says:

Theoretically I suppose it would be possible. Jerry would be the one with the know-how on that, though, I would imagine. If nothing else, a ROM could be made without the bloatware and without root access.

jeffe65 says:

That's one of the reasons people write custom ROMs in the first place, to give the option of removing things you don't need or use. Bottom line is, if you're going to root, make sure you know what you're doing and what you're getting into when you do. Rooting your phone and then downloading every app you run across without checking out what it does would be a bad idea.

Impulses says:

It might be possible... But probably more trouble than it's worth. The typical methods for undoing root access involve running an executable from your carrier to restore the phone to a factory state (thus restoring all bloat). I guess it's possible someone could craft a custom ROM for you *without* root access... But if the bootloader and recovery necessary to load such a ROM are still unlocked then I'm not sure how much better off you are.

If you're scared you'll be hit by a thief that is really tech savvy then you're better off just getting ready to change your passwords the minute such a calamity happens, and possibly attempting a remote wipe.

KSmithInNY says:

By running the RUU to "unroot" you regain all the bloat you were attempting to remove (RUU pushes it back to system/app).

I don't know if this would necessarily fix the security vulnerability after rooting but you could root, remove bloat, then in terminal emulator (free in the market) type the following.

su
rm -r /system/app/Superuser.apk
rm -r /system/xbin/busybox
rm -r /system/bin/su

After that you can check and see if you have access to the accounts.db, which i wouldn't think you would. You'd have to check I'm just tossing out some ideas off my head.

chhall says:

I checked the accounts.db file on my rooted Droid X and did not see my Exchange password. I saw a few others, but not that one. Our Exchange administrator is enforcing SSL access to our OWA servers, so I wonder if that has to do with why my password is not plain text there.

likwidsoul says:

Like they said. If your rooted be sure to read the permissions that you give an app. Especially if that app is going to have root access on your phone. If you don't understand a permision there is a list of them somewhere in the settings can't remember where anyone that knows chime in. But don't give a wallpaper app access to contacts or something like that and you will be fine.

strawedj says:

MA and other states require encryption of storage on any mobile device that may have PII. So, we'll need to remove any android phones from accessing exchange.

icebike says:

The exchange data is encrypted. Lets not run out and spread fud, ok?

The decryption key is store un-encrypted (although it is cleartext it is unintelligible gibberish). That's all this story says. Think that through for a moment or two and you will realize that unless your phone is set up to require you to key in a password each time you open the phone SOME encryption key somewhere is going to have to be stored unencrypted.

strawedj says:

Not attempting to spread FUD, but I think my point is still valid. I don't show where he said all exchange data is encrypted.

let me quote from the article:
I'll summarize: Certain applications, including the stock Froyo "(Android 2.2) e-mail client, store your username and password as plain text in the phone's internal accounts database. This includes POP and IMAP mail accounts, as well as Exchange accounts(which could pose a bigger issue if it's also your domain login information)."

So perhaps I'm incorrect, yet the article is fairly clear. Yet you are saying that "the exchange data is encrypted". I don't show that to be the case based upon the information presented.

If i'm wrong, please point out where.

icebike says:

You are conflating Exchange DATA (the content of your inbox, mail and calendar) with the passwords used to sign on.

This article is about passwords.

This article is not about the data in the exchange folders.

strawedj says:

I guess I didn't write that last comment well enough.

PII includes passwords and usernames. So if THAT info isn't encrypted then for states like MA, which do require PII info on mobile devices to be encrypted, my point would still apply.

If thats incorrect, then let me know.

icebike says:

Unless you have to enter a password each time you open the phone, NO PHONE is secure. There is no way you can store passwords AND the decryption key to those passwords on the same device and call it secure. Something has to be OFF device. (in your head).

If you want a total package spend $20 to get NitroDesk's TouchDown email client, which supports all EAS policies.

Read what Mat Miller has to say:
http://www.zdnet.com/blog/cell-phones/exchange-support-improves-in-andro...

If you can log into the State of MA exchange account with Foryo then
1) there is no problem as froyo already meets the requirements, or
2) MA is not as secure as you think it is.

Sites that need secure email do not ban devices by name or by OS.
They do not Add or Subtract devices from a "list" The do an on line test to see if the device reports all the capabilities required.

Fahrenheit says:

Also, this appears to only be on Samsung phones at the moment. Moto and HTC phones don't store their passwords in clear text (I just verified on my Incredible). If you feel you must be safe, just ban Samsung phones...or forbid your users from rooting with a company policy.

strawedj says:

wrong reply

Smokexz says:

Oh my god, thank you, I just rerooted my Vibrant to add the stock lockscreen and one click lag fix. I will certainly be alert for this...

kalleguld says:

While this isn't a concern for the vast majority of users, it would be preferable to encrypt these entries in future Android builds. Turns out, someone else thinks so, and there is an entry at Google's Android issues pages, which interested parties can star to stay informed about it as well as bump it up the list.

But where are they gonna store the decryption key for the passwords?

ohboyscott says:

The moment i saw Lookout mentioned i stopped reading

sookster54 says:

Rooting is still worth it, just don't go installing tons of apps you don't know about (ones that comes up asking for root access via Superuser as well has requiring "system" permissions), I root to clean up the system and to have screenshot, Titanium Backup and adbWireless (since adb doesn't always work via USB connection) other than that I don't bother with any other root based apps.

To sum it up: don't blindly install as root, PAY ATTENTION.

curney says:

I love you guys.

They are under the false impression that system permissions will protect the weak unencrypted passwords on a non-rooted phone.

The way most people get root in the first place is usually through a vulnerability in the non-root build of the OS in which they gain root access.

This means that anyone with non-root permissions could use a vulnerability to gain root and get the passwords anyways.

WoodiE55 says:

I'm curious if MailDroid has this issue as well.

Dave Evans says:

So in other words.....you need my password to gain access to my phone.....to get my password?! ;)

ehh.. i dont use any of the programs that Cory listed.. but i'll be aware if i do end up using one to use an alternate that doesnt display passwords as clear text..

So, I've been having nightmares and paranoid delusions since reading this article (well, not really but it sounds cool). I have been rooted since the day of owning the Epic and have Quikboot, JuiceDefender and CacheMate for Root Users all installed and showing up under the SuperUser app that tells you who/what has asked for and received superuser permissions.

I went to the Juice Defender's log (I own the purchased copy) and it literally accessing root hundreds and hundreds of times per day and through the night, likely due to my settings.

Is anyone familiar enough with this app to tell everyone in here if it's safe and that's ok? I'd also like to know the WHY behind any answer given, please...just so I can sleep extra cozy tonight! JuiceDefender has been an AMAZING battery-life saver and I love it but would give it up in a second if it a risky app.