Be Aware: Clear Text Passwords in Database Files
FYI - I downloaded and installed SQLite Editor and used it to look at the Accounts.db & EmailProvider.db databases located in /data/system on a rooted Samsung Fascinate. What I found was disturbing: these databases displayed my Exchange, POP, SMTP, and IMAP account user names AND passwords in clear text. All of the aforementioned accounts had been configured in the stock messaging application. My Touchdown Exchange password data was encrypted.

I then examined the same database files on a Droid X, and found that the stock messaging app had protected my account information. However, my Visual Voicemail password on the Droid X was displayed in clear text. Jerry Hildenbrand (AKA gbhil) ran the same tests on his plethora of rooted phones and found additional instances of apps storing password info in the clear.

Following are lists of our findings based on the phones we were able to test and apps that we had installed. The lists should not be considered all inclusive.
Apps that did not display clear text password data:
- Gmail, Talk, Market (SIM/ESN data and CC data are hashed), and Google Voice
- HTC Messaging/Sense on the EVO (running stock Froyo and rooted), Seesmic, Twydroid, official Twitter, FB, and the new Open Feint games all look good.
- Motorola Blur Messaging on the Droid X
Apps that do display clear text password data:
- Verizon Visual Voicemail (Droid X)
- Samsung Fascinate (likely all Galaxy S phones) stock email application for all email protocols: POP, SMTP, IMAP, and Exchange
- Email apps on a Hero running CM6 (Froyo), and a Nexus One running stock Froyo, CM6, and leaked FRG33 Froyo
- Google's latest email client (from FRG33)
- HTC Peep
If you own a rooted Samsung Galaxy S phone, I would highly recommend an alternate messaging application, such as Touchdown (for Exchange) or K9 (for POP/IMAP). The same is true for both the Hero and Nexus 1.
Jerry will be publishing an article on the front page with more information, but the main takeaway is that you should always be cautious of applications requiring root access. Applications running as root will have FULL access to your phone, including account information from the above applications. The implications could be tremendous if your private information were obtained for malicious purposes. To date, we have seen no evidence of this, but wanted to raise awareness and open the topic up for discussion.
If you guys find any other apps that display clear text info, feel free to post them here. I will update this thread periodically to show this information.
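As an added example (not code from the original post), here is a small Python audit script that does, in an automated way, what the post describes doing by hand in SQLite Editor: it opens a SQLite database, finds credential-looking columns, and reports whether each stored value looks protected (hex digest, base64 blob, binary) or is in the clear. The database it builds is constructed in memory for the demo; the table and column names are assumptions and not the real Android schema.

```python
import base64
import re
import sqlite3

# Column names that usually hold credentials (assumed heuristic, not an Android schema).
SECRET_COLUMN = re.compile(r"pass(word)?|secret|pin", re.IGNORECASE)
# MD5 / SHA-1 / SHA-256 style hex digests.
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)


def build_sample_db():
    """Constructed sample data mimicking an email/voicemail settings DB (not a device dump)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts(name TEXT, type TEXT, password TEXT);
        CREATE TABLE hostauth(address TEXT, login TEXT, password BLOB);
        CREATE TABLE vvm_settings(mailbox TEXT, pin TEXT);
    """)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("user@example.com", "com.example.email", "hunter2"),                        # cleartext
        ("user@example.com", "com.example.other", "5d41402abc4b2a76b9719d911017c592"),  # hashed
    ])
    conn.execute("INSERT INTO hostauth VALUES (?, ?, ?)",
                 ("imap.example.com", "user", bytes(range(16))))                     # ciphertext blob
    conn.execute("INSERT INTO vvm_settings VALUES (?, ?)", ("5551234", "1234"))       # cleartext PIN
    conn.commit()
    return conn


def looks_protected(value):
    """True if the value looks hashed/encrypted rather than a human-typed secret."""
    if isinstance(value, bytes):
        return True                      # binary blob: almost certainly ciphertext
    if HEX_DIGEST.match(value):
        return True
    try:                                 # base64 of a reasonably sized ciphertext
        base64.b64decode(value, validate=True)
        return len(value) >= 24
    except ValueError:
        return False


def audit_secret_columns(conn):
    """Return (table, column, 'CLEARTEXT' | 'protected') for every non-empty secret value."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for col in (r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')):
            if not SECRET_COLUMN.search(col):
                continue
            for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
                if value in (None, ""):
                    continue
                findings.append((table, col, "protected" if looks_protected(value) else "CLEARTEXT"))
    return findings
```

Pointing `sqlite3.connect` at a copy of a real Accounts.db or EmailProvider.db pulled from your own rooted phone reports which apps left credentials readable.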