Dump Your Phone Memory...See Your Google Password Stored in Plain Text

[mmarz]

I posted this over in the Optimus V thread, but I thought you guys might be interested in this as well. I haven't tested this on the S but I assume it should be identical.

I am currently exploring a possible security fail on the part of android/google. My phone dump contains my google account password in plain text....not just once. It has my password in plain text over 120 times. I am investigating how this could be. My google password is unique to that one account, and it is paired with my google login in the phone dump. I have not input the password in any other place outside of when I first setup my phone. I have not input that password in any app or browser. You may want to check if your login credentials are also being mishandled and possibly logged.

Phone Dump: (portions of this were taken from the PRL guide)

1. Connect your phone to your computer using a USB cable.
2. Open Device Manager.
3. Ports > LGE Android Platform USB Serial Port > Properties > Port Settings > Advanced > COM port number
4. Make a note of your COM port number.
5. Download and install QPST v2.7.
6. Open "QPST Configuration".
7. In the "Ports" tab, if your com port isn't listed, select "Add New Port" and write in your com port as "COM#" (# being the number you noted in step 4). Verify that your com port is listed.
8. Make sure your phone appears in the the "Active Phones" tab.
9. Run the "Memory Debug" program from QPST.
10. With your phone connected via USB and selected via the "Browse" button, press "Get Regions".
11. This will reboot your phone into "Download mode". You will most likely lose the connection to your phone because download mode uses different drivers and possible a different port. Go into device manager -> Ports (COM & LPT) and find your phone's new COM port.
12. Go into the QPST configuration and setup the new port.
13. Go back to the "Memory Debug" program, browse for your phone again, and select "Get Regions" again.
14. This time it will show you a bunch of options. Leave them all checked and select "SaveTo" and pick an empty folder to dumb your phone memory to. This will take up a little over 500 megs.
15. It will take a good amount of time to finish (possibly 30 min to an hour).
16. When you are done, you will have the following files:

adsp_rama.bin, adsp_ramb.bin, adsp_ramc.bin, adsp_rami.bin, mdsp_rama.bin, mdsp_ramb.bin, mdsp_ramc.bin, mdsp_regs.bin, load.cmm, ebi_cs0.bin, and  ebi_cs1.bin

You can now use a hex editor to search in both ASCII and Unicode for your google account password in ebi_cs0.bin and ebi_cs1.bin. This is a raw dump of your phone memory. It will contain your contact list and other person information, but I see no reason for your account password to be logged in plain text. Another user has already reported finding his password using this technique. Please search for yourself and report back what you find. My guess is that this is not unique to the Optimus V.

Update:
I changed my account password. My phone then prompted for my new password. I entered it in. I then synced my contacts, rebooted, and then dumped the contents of my phone. My new password was in there in plain text twice. The old password was still there too. Something is logging my internet traffic or my keyboard inputs.

 

[blackops1125]

wow, very interesting!!!!, what would be doing the logging?

 

[mmarz]

wow, very interesting!!!!, what would be doing the logging?

Not sure yet. It is either an application that is logging internet traffic or an app which has access to such credentials and it is misusing them or possibly just key logging by the keyboard app or a malicious program. No matter the case, at no point should passwords be stored unencrypted.

 

[jstntp]

IQagent????? Hmmm.

 

[mmarz]

IQagent????? Hmmm.

The IQagent isn't on the V version of the phone (I don't think). I don't even know if the S version would turn up these results. If one of you can try this, we could find out.

 

[jstntp]

Ahh, I just assumed it had it.

 

[KSmithInNY]

http://m.androidcentral.com/android-passwords-rooted-clear-text <---- should be an easier way to achieve the same result.

 

[mmarz]

http://m.androidcentral.com/android-passwords-rooted-clear-text <---- should be an easier way to achieve the same result.

Son of a......

Thank you. This is most likely what I am seeing then. And so any app with root access has the ability to get your google credentials because android stores them in plain text. Wonderful!

 

[blackops1125]

I have IQagent frozen by TB.
MY question is they could get the passwords for certain email Apps so if you don't have anything personal stored there no big deal?

Sent from my rooted Optimus s using Tapatalk.

 

[tebe03]

yeah, this is what I want, thanks !

 

[Keshenatech1]

Even though I couldn't find my password in there anywhere, I still learned alot from this article. I have an LG Optimus AS870 4GLTE phone. The first thing I had to figure out is that a newer version of QPST (V 2.7.374) to do a memory dump. The old version would get the phone into the Download Mode, but then the PC couldn't see it. In this newer phone, there was only ebi_cs0.bin, not 1. I saw my Gmail email address, contacts, text messages, and bits and pieces of other info and events, but no sign of my password. I see this thread is from 2 years ago, has Android since improved the security of their operating system, or is there another file I can look in on this newer device? Either way, this post was still very interesting and useful, and I learned how to do a memory dump, which I have never done before. Very cool!

 

[Seditec]

Personal opinion but the carriers should sell an in bloated model in the first place or not push crap to the system folder so u can't remove it
Also I really need to check dates

Sent from my LS670 using Tapatalk 2

 

[engel989]

How would I add my port for my phone? It shows up in device manager under portable devices instead of ports. It is the SCH-I535