Security bulletin for rooted users: Android passwords stored as clear text
While some may spend their weekends lounging poolside or at toddler birthday parties, some sit and hack. We're glad in this case, as Cory (our Android Central Forums admin) found something that a good number of us need to be careful about -- in many cases your passwords are stored as plain text in internal databases. We spent a good portion of our Saturday tracking down the issues, scouring Google's code bugs pages, testing various phones running various ROMs, and even calling in the pros for clarification. Hit the break to see what was found, and what you might need to watch for if you've rooted your phone. [Android Central forums] And big props to Cory!
To be clear, this only affects rooted users. It's also a great reason why we stress the extra responsibilities that come with running a rooted OS on your phone. If you haven't rooted, this particular issue won't affect you, but it's still worth reading if only to put your mind at ease that not rooting was the right choice.
Take a moment and read all of our findings, which Cory has listed out quite nicely right here. I'll summarize: certain applications, including the stock Froyo (Android 2.2) e-mail client, store your username and password as plain text in the phone's internal accounts database. This includes POP and IMAP mail accounts, as well as Exchange accounts (which could pose a bigger issue if it's also your domain login information). Now before we say the sky is falling: if your phone isn't rooted, no other application is able to read this database, because it lives in a private data directory that only the user ID owning it (and root) can open. We even confirmed this with Kevin McHaffey, the Co-Founder and CTO of Lookout -- who is always ready to lend a hand where mobile security is concerned, even on the weekend. Here's his take on the situation:
To put this in simpler terms, Android runs each app under its own Linux user ID, and an app's databases are protected only by the file permissions on that directory, not by encryption, so apps can't read databases they aren't associated with. But once you provide the tools for applications to run as root, all this changes, because root ignores those file permissions. Not only can someone with physical access to your phone look at these files and possibly obtain your login credentials, a very nasty piece of malware could be made that does the same thing and sends the data back home. We didn't find any instances of apps like this out in the wild, but be very careful (as always) of the applications you install, read those application permissions, and think twice before granting an app root: once it has root, the permission list no longer limits what it can read.
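If you're rooted and want to see for yourself whether your own credentials are sitting in the clear, here is a small audit you can run on a copy of the database pulled from the phone. This is an added example, not code from this post, from Cory's forum write-up, or from Android; the table and column names it uses (the `accounts` table in accounts.db and the `HostAuth` table in the mail app's EmailProvider.db) are taken from the Froyo-era AOSP sources and are assumptions here, and the sample rows it builds for an offline run are constructed.

```python
"""Audit a copy of an Android credential database for clear-text passwords.

Added example; not code from the Android Central post, from Cory's forum
write-up, or from Android itself.  It assumes the Froyo-era table layouts
published in AOSP (an assumption, not something the post states):

  /data/system/accounts.db
      table accounts(name, type, password)               -- AccountManager
  /data/data/com.android.email/databases/EmailProvider.db
      table HostAuth(address, protocol, login, password)  -- stock mail app

On a rooted phone a copy can be pulled with, for example:
  adb shell su -c 'cat /data/system/accounts.db' > accounts.db
"""
import sqlite3
from typing import Dict, List

# flavour -> (table, identity column, password column); assumed from AOSP sources
SCHEMAS = {
    "accounts": ("accounts", "name", "password"),
    "email": ("HostAuth", "login", "password"),
}


def mask(secret: str) -> str:
    """Keep only the length and last two characters so the report itself does not leak."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return "*" * (len(secret) - 2) + secret[-2:]


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row is not None


def audit_connection(conn: sqlite3.Connection, flavour: str) -> List[Dict[str, str]]:
    """One finding per row whose password column holds a non-empty value.

    Anything readable here is stored in the clear: the only protection the
    file ever had was the Linux permissions on its directory.
    """
    table, ident_col, pw_col = SCHEMAS[flavour]
    if not table_exists(conn, table):
        return []  # wrong file, or a newer schema this audit does not know
    findings = []
    for ident, pw in conn.execute(
        f"SELECT {ident_col}, {pw_col} FROM {table} ORDER BY rowid"
    ):
        if pw is None or pw == "":
            continue  # token-only or password-less entry
        findings.append(
            {"table": table, "identity": str(ident), "password": mask(str(pw))}
        )
    return findings


def audit_file(path: str, flavour: str) -> List[Dict[str, str]]:
    """Run the audit against a pulled database file and close it afterwards."""
    conn = sqlite3.connect(path)
    try:
        return audit_connection(conn, flavour)
    finally:
        conn.close()


def stored_verbatim(conn: sqlite3.Connection, flavour: str, ident: str, known_pw: str) -> bool:
    """Definitive check: does the row for `ident` hold the password you typed, byte for byte?"""
    table, ident_col, pw_col = SCHEMAS[flavour]
    if not table_exists(conn, table):
        return False
    row = conn.execute(
        f"SELECT {pw_col} FROM {table} WHERE {ident_col}=?", (ident,)
    ).fetchone()
    return row is not None and row[0] == known_pw


def build_sample_accounts_db() -> sqlite3.Connection:
    """Constructed stand-in for accounts.db so the audit runs offline; every row is made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (_id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "name TEXT NOT NULL, type TEXT NOT NULL, password TEXT, UNIQUE(name,type))"
    )
    conn.executemany(
        "INSERT INTO accounts (name, type, password) VALUES (?, ?, ?)",
        [
            ("jane@example.com", "com.android.email", "hunter2pass"),   # POP/IMAP-style entry
            ("CORP\\jdoe", "com.android.exchange", "Summer2010!"),      # Exchange, domain login
            ("token-only@example.com", "com.example.tokenonly", None),  # nothing to report
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    sample = build_sample_accounts_db()
    for f in audit_connection(sample, "accounts"):
        print(f"{f['table']}: {f['identity']} -> {f['password']}")
    print("stored verbatim:", stored_verbatim(sample, "accounts", "jane@example.com", "hunter2pass"))
```

Point `audit_file` at the copy you pulled (`audit_file("accounts.db", "accounts")` or `audit_file("EmailProvider.db", "email")`), then delete the copy; the masked report is enough to tell you whether a password is present. `stored_verbatim` is the check to trust, since it confirms the exact string you typed at setup is what the database holds.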
While this isn't a concern for the vast majority of users, it would be preferable to encrypt these entries in future Android builds. Turns out, someone else thinks so, and there is an entry at Google's Android issues pages, which interested parties can star to stay informed about it as well as bump it up the list. One caveat worth knowing: encrypting the entries with a key that also lives on the phone mainly protects a copied database; malware already running as root on the device could read that key just as easily as it reads the password today.
We certainly don't want to blow this out of proportion, but knowledge is power in situations like this. If you've rooted that shiny new Android phone, take a few extra precautions to stay safe.
Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.