Security bulletin for rooted users: Android passwords stored as clear text

While some may spend their weekends lounging poolside or at toddler birthday parties, some sit and hack.  We're glad in this case, as Cory (our Android Central Forums admin) found something that a good number of us need to be careful about -- in many cases your passwords are stored as plain text in internal databases.  We spent a good portion of our Saturday tracking down the issues, scouring Google's code bugs pages, testing various phones running various ROMs, and even calling in the pros for clarification.  Hit the break to see what was found, and what you might need to watch for if you've rooted your phone. [Android Central forums] And big props to Cory!

To be clear, this only affects rooted users.  It's also a great reason why we stress the extra responsibilities that come with running a rooted OS on your phone.  If you haven't rooted, this particular issue won't affect you, but it's still worth reading if only to put your mind at ease that not rooting was the right choice.

Take a moment and read all of our findings, which Cory has listed out quite nicely right here.  I'll summarize: Certain applications, including the stock Froyo (Android 2.2) e-mail client, store your username and password as plain text in the phone's internal accounts database.  This includes POP and IMAP mail accounts, as well as Exchange accounts (which could pose a bigger issue if it's also your domain login information).  Now before we say the sky is falling, if your phone isn't rooted, no application is able to read this.  We even confirmed this with Kevin Mahaffey, the Co-Founder and CTO of Lookout -- who is always ready to lend a hand where mobile security is concerned, even on the weekend.  Here's his take on the situation:

"The accounts.db file is stored by an Android system service to centrally manage account credentials (e.g. usernames and passwords) for applications. By default, the permissions on the accounts database should make the file only accessible (i.e. read + write) to the system user. No third party applications should be able to directly access the file. My understanding is that passwords or authentication tokens are allowed to be stored in plain text because the file is protected by strict permissions. Also, some services (e.g. Gmail) store authentication tokens instead of passwords if the service supports them, minimizing the risk of a user’s password being compromised. It would be very dangerous for third party applications to be able to read this file, which is why it’s very important to be careful when installing applications that require root access. I think it’s important for all users who root their phones to understand that apps running as root have *full* access to your phone, including your account information. If the accounts database were to be accessible to non-system users (e.g. user or group ownership of the file something other than “system” or world read privileges on the file) it would be a large security vulnerability."

To put this in simpler terms, Android is set up so that apps can't read databases they aren't associated with.  But once you provide the tools for applications to run as root, all this changes.  Not only can someone with physical access to your phone look at these files and possibly obtain your login credentials, a very nasty piece of malware could be made that does the same thing and sends the data back home.  We didn't find any instances of apps like this out in the wild, but be very careful (as always) of the applications you install, and read those application permissions!
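The conditions named in the quote above (owner and group "system", no access for other users) can be checked from a directory listing of accounts.db. The script below is an added example, not part of the original article: the sample `ls -l` lines are constructed, and the two listing layouts it accepts (with and without a link-count column) are assumptions about what the device's `ls` prints.

```python
"""Audit an `ls -l` line for accounts.db against the quoted permission model.

Added example. The owner/group name "system" comes from the quote; the
sample lines below are constructed, not captured from a real device.
"""

EXPECTED = "system"

# Constructed sample listings.
OK_NO_LINKS = "-rw-rw---- system   system      57344 2010-08-14 12:00 accounts.db"
OK_WITH_LINKS = "-rw-rw---- 1 system system 57344 2010-08-14 12:00 accounts.db"
WORLD_READABLE = "-rw-rw-r-- system   system      57344 2010-08-14 12:00 accounts.db"
WRONG_GROUP = "-rw-rw---- system   app_42      57344 2010-08-14 12:00 accounts.db"


def audit_listing(line, expected=EXPECTED):
    """Return a list of findings for one listing line; empty means it matches."""
    fields = line.split()
    if len(fields) < 3 or len(fields[0]) < 10:
        return ["unparseable listing: %r" % line]
    mode, rest = fields[0], fields[1:]
    # Some ls implementations print a link count after the mode; skip it.
    # Assumes owner and group are printed as names, not numeric ids.
    if rest[0].isdigit():
        rest = rest[1:]
    if len(rest) < 2:
        return ["unparseable listing: %r" % line]
    owner, group = rest[0], rest[1]
    findings = []
    if owner != expected:
        findings.append("owner is %r, expected %r" % (owner, expected))
    if group != expected:
        findings.append("group is %r, expected %r" % (group, expected))
    # Characters 7-9 of the mode string are the permissions for other users.
    other = mode[7:10]
    if other != "---":
        findings.append("other users have %r access" % other)
    return findings


if __name__ == "__main__":
    for sample in (OK_NO_LINKS, OK_WITH_LINKS, WORLD_READABLE, WRONG_GROUP):
        result = audit_listing(sample)
        print("OK  " if not result else "FAIL", sample)
        for finding in result:
            print("     -", finding)
```

A clean result only confirms the file permissions; as the quote says, an app running as root can read the file regardless of them.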

While this isn't a concern for the vast majority of users, it would be preferable to encrypt these entries in future Android builds.  Turns out, someone else thinks so, and there is an entry at Google's Android issues pages, which interested parties can star to stay informed about it as well as bump it up the list. 

We certainly don't want to blow this out of proportion, but knowledge is power in situations like this.  If you've rooted that shiny new Android phone, take a few extra precautions to stay safe.

Jerry Hildenbrand
Senior Editor — Google Ecosystem
