    #1 Cory Streater (Thread Author, Forums Emeritus)

    Be Aware: Clear Text Passwords in Database Files

    FYI - I downloaded and installed SQLite Editor and used it to look at the Accounts.db & EmailProvider.db databases located in /data/system on a rooted Samsung Fascinate. What I found was disturbing: These databases displayed my Exchange, POP, SMTP, and IMAP account user names AND passwords in clear text. All of the aforementioned accounts had been configured in the stock messaging application. My Touchdown Exchange password data was encrypted. I then examined the same database files on a Droid X, and found that the stock messaging app had protected my account information. However, my Visual Voicemail password on the Droid X was displayed in clear text. Jerry Hildenbrand (AKA gbhil) ran the same tests on his plethora of rooted phones and found additional instances of apps storing password info in the clear. Following are lists of our findings based on the phones we were able to test and apps that we had installed. The lists should not be considered all inclusive.

    Apps that did not display clear text password data:

    • K-9
    • Touchdown
    • Gmail, Talk, Market (SIM/ESN data and CC data are hashed), and Google Voice
    • HTC Messaging/Sense on the EVO (running stock Froyo and rooted), Seesmic, Twydroid, official Twitter, FB, and the new Open Feint games all look good.
    • Motorola Blur Messaging on the Droid X

    Apps that do display clear text password data:

    • Verizon Visual Voicemail (Droid X)
    • Samsung Fascinate (likely all Galaxy S phones) stock email application for all email protocols: POP, SMTP, IMAP, and Exchange
    • Email apps on a Hero running CM6 (Froyo), and a Nexus One running stock Froyo, CM6, and leaked FRG33 Froyo
    • Google's latest eMail client (from FRG33)
    • HTC Peep


    If you own a rooted Samsung Galaxy S phone, I would highly recommend an alternate messaging application, such as Touchdown (for Exchange) or K9 (for POP/IMAP). The same is true for both the Hero and Nexus 1.

    Jerry will be publishing an article on the front page with more information, but the main takeaway is that you should always be cautious of applications requiring root access. Applications running as root will have FULL access to your phone, including account information from the above applications. The implications could be tremendous if your private information were obtained for malicious purposes. To date, we have seen no evidence of this, but wanted to raise awareness and open the topic up for discussion.

    If you guys find any other apps that display clear text info, feel free to post them here. I will update this thread periodically to show this information.
    Last edited by Cory Streater; 09-18-2010 at 10:50 PM.
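An added example, not code from the thread or from any of the apps named in it: a small audit script that does what Cory did by hand with SQLite Editor, opening a copy of a database file and reporting where a password you configured sits verbatim, or merely base64-encoded (which looks "encrypted" to the eye but is not). It assumes you already have a copy of the database and know your own passwords; the accounts table it builds is a constructed fixture, not the real Accounts.db schema.

```python
"""Audit a SQLite database for account secrets stored in the clear.

Added example, not code from the thread: given secrets the owner already
knows, scan every text column of every table and report where one appears
verbatim or merely base64-encoded. The table is a constructed fixture.
"""
import base64
import sqlite3
import tempfile


def find_cleartext_secrets(db_path, secrets):
    """Return (table, column, rowid, form) hits; form is "cleartext" for a
    verbatim substring match, "base64" when the cell is only the base64
    encoding of a secret (encoding is not protection)."""
    q = lambda name: '"' + name.replace('"', '""') + '"'  # quote identifiers
    encoded = {base64.b64encode(s.encode()).decode() for s in secrets}
    hits = []
    con = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f"PRAGMA table_info({q(table)})")]
            for col in cols:
                rows = con.execute(f"SELECT rowid, {q(col)} FROM {q(table)}")
                for rowid, value in rows:
                    if not isinstance(value, str):
                        continue  # BLOB/NULL/numeric cells are skipped
                    if any(s in value for s in secrets):
                        hits.append((table, col, rowid, "cleartext"))
                    elif value.strip() in encoded:
                        hits.append((table, col, rowid, "base64"))
    finally:
        con.close()
    return hits


def build_sample_db():
    """Constructed accounts table: one cleartext, one base64, one opaque value."""
    path = tempfile.mkdtemp() + "/sample.db"
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE accounts(name TEXT, type TEXT, password TEXT);
        INSERT INTO accounts VALUES('alice@example.com', 'pop', 'hunter2');
        INSERT INTO accounts VALUES('bob@example.com', 'imap', 'aHVudGVyMg==');
        INSERT INTO accounts VALUES('carol@example.com', 'eas', 'x9Q1kZ4p/3w=');
    """)
    con.commit(); con.close()
    return path
```

Run it against a pulled copy of the file with `find_cleartext_secrets("/path/to/copy.db", {"your-password"})`; an empty result only means the secret is not stored verbatim or base64-encoded, not that it is protected by anything a root process could not undo.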
    #2 p08757 (Superhero)

    Cory -- You are the man!!

    I have not gotten my Fascinate yet. What is the difference between Gmail, which does not display clear text, and Google's latest eMail client from FRG33?

    Am I safe if I root, and run the stock Gmail client on the Fascinate?

    Thanks!!
    #3 Exchange passwords

    My exchange password was not visible in the accounts.db file (Droid X). Our Exchange administrator is enforcing SSL on our webmail server. I wonder if this has anything to do with that.
    #4

    Sorry. Just saw that you said that was only on Galaxy S. So FWIW, Exchange is not an issue on Droid X.
    #5

    So am I correct in saying that, regardless of that info, since MA and other states require encryption of storage on any mobile device that might have PII, we'll need to look at prohibiting Exchange access for all Android devices?
    #6 bjordan (ROM: Evo: CM7)

    Thanks for all the work and the heads up.
    #7 kaediil

    I just pulled my accounts.db off my rooted Evo 4G. I am running OMJ rom with the netarchy overclocking kernel. I looked and there are no plain text passwords. I see the three gmail accounts with encrypted passwords in the database.

    The mail.db file which is under the htc email directory has my pop account and again the password is encrypted - I use ssl to access it, maybe that is why? Maybe it is just the htc email client?


    Oh, duh, I see you said the HTC stuff does not show passwords. Well, I second that then for POP and Exchange.

    -frank
    #8 Cory Streater (Thread Author)

    Per the first list above, passwords in HTC's EVO email app are indeed protected. So nothing to worry about there.
    #9 Fahrenheit: Re: Be Aware: Clear Text Passwords in Database Files

    Any idea how to mount /data while booted in the phone (in terminal)? Or is the only way to do it in recovery?

    EDIT: duh, never mind, I had to type su first to be able to see files in there.

    EDIT 2: So while HTC apps encrypt the passwords (verified on Incredible), it still lists the email addresses, which is half the battle for hackers.

    Sent from Incredible
    Last edited by Fahrenheit; 09-20-2010 at 01:29 PM. Reason: duh moment
    #10 dlcullen (ROM: CM7 92611Ntly / CM 7.0.3)

    Thanks Cory! I logged on to see if I could find a recommendation for an email app and came across your info advising those of us who have rooted to use the K9 app. Works great! My email would NOT load on my Fascinate with the standard email app on the phone.
    Thanks again!
    #11 elbaso (ROM: CM10 Alpha 5.1)

    I'm on a rooted Galaxy S phone (Epic 4G), and I can confirm that the password for my Exchange account in the stock Email program is visible.
    I've tried K9 in the past, but it didn't work with my company's Exchange setup. The Touchdown app mentioned above costs $20.

    Does anyone know of any other good Android Exchange clients that are not too expensive? Preferably apps that don't store the account passwords in clear-text?
    #12 Cory Streater (Thread Author)

    Quote Originally Posted by elbaso:
    The Touchdown app mentioned above costs $20.
    Trust me, it would be the best $20 you've ever spent.


    Quote Originally Posted by elbaso:
    Does anyone know of any other good Android Exchange clients that are not too expensive? Preferably apps that don't store the account passwords in clear-text?
    Roadsync is $10, but it has the ugliest interface I've ever seen IMHO, and I have not verified its handling of passwords.
    #13

    Don't these types of applications need your password in plain text to be able to send it along to the remote authentication service (such as POP3, Exchange, etc.)?

    If that is the case, then even though some apps encrypt the password, it is not a secure one-way encryption because they would need to be able to decrypt it to use it.

    The application would decrypt that password with some sort of decryption key, which it either has stored in the application or generated in some way based on parameters the app can retrieve from the phone.

    This means that a malicious root app can do the same, as long as it knows the method by which the decryption should be done. It has access to the same information the original app does to decrypt the password.

    Sure, this is a bit harder, but someone determined enough could figure out the decryption methods of a few popular apps, then create an app that stores the decryption methods for them in a malicious root app.

    What I'm getting at is, be careful which apps you give root access, even if you have apps that store encrypted passwords.
    #14 tapebreaker

    Any area of great concern on a rooted incredible? Thank you in advance for your assistance!
    #15

    How about on a rooted Evo running CM6?
    #16

    Quote Originally Posted by tapebreaker:
    Any area of great concern on a rooted incredible? Thank you in advance for your assistance!
    Not really. You never know though!
    #17

    Does this only apply to rooted devices?
    #18

    Hey, not to re-hash old topics, but I was poking around on my Galaxy Nexus and opened up accounts.db for old times' sake. Imagine my shock when I saw my Exchange password in there, in plain text! I can't believe this hasn't been fixed in Android 4.0!
    #19 Re: Be Aware: Clear Text Passwords in Database Files

    Is it only Galaxy S, or other Samsung devices too?
    #20

    Quote Originally Posted by Cory Streater (post #1 above):
    This is why I'll never put credit card info on an ICS/JB ROM during setup.

    Sent from my LG-LS670 using Android Central Forums
    He who stands on toilet is high on pot
    #21 lafite: Re: Be Aware: Clear Text Passwords in Database Files

    Updated: found solution to the below.

    ____

    Very happy to have found this thread: following the Yahoo! password breaches a few months ago, I changed all of my email passwords online and updated them in the email application on my Samsung Galaxy S (Gingerbread VUVKJ6 / 2.3.6); I then went on holiday and promptly forgot the password (which I used for multiple accounts) - and couldn't remember responses to the various challenge questions, as I'd fabricated them all etc., in addition to all personal information - because I'm paranoid.

    The end result is that I still receive emails in the various accounts via my phone, but can't access full functionality online.

    That having been said, I just rooted my phone - can you point me towards an article - or explain in a step-by-step format what the next steps would be to access my PWs?

    Is the SQLite Editor all that's necessary? I note that it's a few $ - is it straightforward, or do I need to read up on how to use it? Is there a free editor available?

    I've got nearly 15 yrs of correspondence is some of the Yahoo accounts (including some that aren't routed to the phone), and it would be a pain to lose it all.
    Last edited by lafite; 08-20-2012 at 11:35 PM. Reason: Found Answer / Solution
    #22 Re: Be Aware: Clear Text Passwords in Database Files

    Thanks for the info.
