Need Help From Some Advanced Users!

mmarz

Well-known member
Mar 9, 2011
Hey guys,

I think I found a way to get our MSL codes and possibly a lot more. I need someone that hasn't changed their MSL code (and already knows what their code is) to follow these instructions so that I can compare their results to mine. Thanks guys!

Those of you that have updated your PRL are aware of the mobile phone tool QPST. There is a program included with it called "Memory Debug." In order to use it, you need to first set up the ports and QPST configuration as you did for the PRL update.

  1. Run the "Memory Debug" program.
  2. With your phone connected via USB and selected via the "Browse" button, you press "Get Regions".
  3. This will reboot your phone into "Download mode". You will most likely lose the connection to your phone because download mode uses different drivers and possibly a different port. Go into Device Manager -> Ports (COM & LPT) and find your phone's new COM port.
  4. Go into the QPST configuration and set up the new port.
  5. Go back to the "Memory Debug" program, browse for your phone again, and select "Get Regions" again.
  6. This time it will show you a bunch of options. Leave them all checked, select "SaveTo" and pick an empty folder to dump your phone memory to. This will take up a little over 500 megs.
  7. It will take a good amount of time to finish (possibly 30 min to an hour). I forget exactly how long.
  8. When it is done, use a hex editor to look inside the file "ebi_cs0.bin"
  9. Do a text string search for your own personal MSL code.
  10. Please write down the hex addresses that it is found at and post them here. Here are where they were in my file:
Code:
0162ABCE
01BA6BDC
01BAD018
01BB1FF8
01BB4748

Besides the MSL code, I am working on other goodies we can extract from this dump. You may be interested in exploring the file yourself.

Update:
Interesting find number one: your Google account password is in plain text (unencrypted) in this dump.

Update:
I changed my account password. My phone then prompted for my new password. I entered it in. I then synced my contacts, rebooted, and then dumped the contents of my phone. My new password was in there in plain text twice. The old password was still there too. Something is logging my internet traffic or my keyboard inputs.
 
What does having our account password in plain text in RAM mean for users? Can an app access it while Android is running? Can an app on a rooted phone access that info?
 
Not sure what this means yet. I'm trying to figure out where those values are stored on the phone. My previous searches of my phone while booted didn't turn up my password.

What is REALLY interesting is that my password is located over 100 times in the dump in plain text. I'm starting to think that what I'm seeing are the log files from something that is monitoring my internet connection. Hmmm.....
 
Any idea if it's malicious?
 
I have already read that Android keeps a log/cache of the last couple hundred GPS locations, passwords, and other sensitive data.

It was a sidenote in an article about how the iPhone logs every single thing you do.

It stated that Android only keeps a cache and that data older than a certain time period gets erased.
 
It would help if others did a dump of their phone and looked. That way we could know if I have a malicious program or if the Android platform itself is the one recording our passwords. What has me concerned is that this password is unique to my Google account, and I do not input it anywhere except when I first set up my phone. So there are only two ways that this can happen.

1. Google is storing the password in plain text.

2. Google is encrypting the password when stored but is then sending it as plain text (albeit over a secured connection). So while someone on the network can't intercept the password, malicious programs on my phone can.

I'm hoping that it is number 1, because if it is number 2 then there is another process happening that is recording my internet traffic. That opens up another can of worms as to what is recording this traffic and is it from google or an app I installed.

Another possibility I just thought of is that these are deleted entries. Since I have flashed many, many, many ROMs, and I use data2ext, this dump could contain my login from the repeated times that I entered it. This would fit with Google mess-up option number 1 from above.
 
Maybe change the password to something like temppass1 and use it for a while, then re-dump and compare passwords. If the new password replaces all of the old, then it's actively...

When typing this I was at work and had to help a customer then I came back and my train of thought was derailed. Thought I would still post this to see if it helps to spark an idea.
 
Ok, here are the addresses from my phone.
0162abce
01ba6bdc
01bad027
01bb5f48
Are the passwords in the same file? If so I haven't seen any. I'll keep looking if I can keep the girlfriend off the puter. Hope this helps a little.

Found passwords in the ebi_cs1 file.
 
Thanks! I'm not alone!

I found the password in both files multiple times, as both ASCII and Unicode. I still can't find a pattern as to where or why it is being used. There are also portions that only have half of the password and parts where the password is broken up into two parts separated by a dozen or so random characters.
 
I saw some broken-up ones also. Sorry I can't look any more for now. Had to turn the puter over to the girlfriend.
 
I couldn't remember where I wrote down my MSL, but I still had everything configured so it was painless to grab a dump.

I can confirm my email address and password are together in plain text in multiple locations. I don't know much about mem dumps, but it appears to indicate it is Google's sync service:

ebi_cs1.bin
0D565490 .... 8 NOOP..TCH 48(
0D5654A0 .... UID FLAGS)...."p
0D5654B0 .... assword"........

All other instances were preceded by imap or smtp.
 
It's the keyboard. The OS isn't logging your passwords, at least as far as I can tell. If you select a different keyboard than the default, you will see a security warning popup which says that the keyboard can log everything, including your passwords. Well, this is normal, because softkeyboards need to be able to store words you enter into their dictionary/history to enhance their spelling and prediction. This is why your old password is still there after you changed it, and why they are stored in plaintext (because dictionaries are never thought to be encrypted).

Whether or not the softkeyboard is storing "words" that you entered in password fields in plaintext is not an Android security hole, it's the keyboard's, so complaints and/or advisories should be directed to them. They should at least give us the option of marking password fields as something not to store, and if we do want them remembered, for Jiminy Cricket's sake store them in a separate encrypted dictionary.
 
There are a few reasons I don't buy this as being the cause.

Where would this unencrypted keyboard log be? I have data2ext going. My password was found on my internal phone partition. Whatever is doing this has permission to modify files outside of the data folder.

My password was present repeatedly. Even when I changed my password, it appeared twice even though I had only entered it once.

You have to manually select when you want to add words to the dictionary, otherwise all your misspelled tweets would be added. In password fields, this is not possible because only a single letter is inputted at any given time. No word is ever developed.

My other passwords are not in this log file. For example, my titanium backup password that I have to constantly use when I restore backups is not in here. Also my internet search phrases and other relevant items that I have typed in.
 
In my case, the imap and smtp strings were partial email headers including my email addy followed by my password:

smtpsmtp...........username@gmail.compassword

imapiamp...........username@gmail.compassword
 
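A small scanner for the dumps this thread is about, written as an added example for this page; it is not part of QPST and not a tool from anyone in the thread. It does over a constructed in-memory stand-in for ebi_cs0.bin / ebi_cs1.bin the things posters did by hand in a hex editor: find a known string as ASCII and as UTF-16LE ("Unicode") and report the offsets in the 8-digit hex form posted above, list leading fragments ("half of the password") that are not part of a full hit, carve the printable run that follows an smtp/imap marker so the email-plus-password pairs show up, and count old versus new password across two dumps for the change-the-password-and-re-dump experiment suggested earlier. The sample bytes, the secrets `OldPass99`/`NewPass42`, the `user@example.com` address and the `SAMPLE_DUMP`/`OLD_DUMP` names are all constructed here and are not from any real dump.

```python
"""Scan a raw memory dump (QPST Memory Debug's ebi_cs0.bin / ebi_cs1.bin)
for a known string, the way the thread does by hand in a hex editor.
Added example; the sample dump below is constructed, not a real capture."""
import mmap
import sys

# Constructed stand-in for a slice of ebi_cs1.bin: an smtp header fragment,
# an e-mail address immediately followed by the password, the same password
# as UTF-16LE, half a password, and a new password stored twice.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"smtpsmtp" + b"\x00" * 11
    + b"user@example.comOldPass99" + b"\x00" * 8
    + "OldPass99".encode("utf-16-le") + b"\x00" * 5
    + b"OldPa" + b"\x00" * 12
    + b"NewPass42" + b"\x00" * 4 + b"NewPass42"
)
# Constructed "before the password change" dump for compare_dumps().
OLD_DUMP = (b"\x00" * 16 + b"OldPass99" + b"\x00" * 7
            + "OldPass99".encode("utf-16-le") + b"\x00" * 16)


def encodings(secret):
    """Byte patterns to hunt for: plain ASCII and UTF-16LE ("Unicode" in hex editors)."""
    return {"ascii": secret.encode("utf-8"), "utf16le": secret.encode("utf-16-le")}


def find_all(blob, needle):
    """Yield every offset of needle in blob (bytes or mmap), overlapping hits included."""
    start = 0
    while True:
        i = blob.find(needle, start)
        if i < 0:
            return
        yield i
        start = i + 1


def scan(blob, secret):
    """All full hits as [(offset, encoding)], sorted by offset."""
    hits = []
    for name, pat in encodings(secret).items():
        hits += [(off, name) for off in find_all(blob, pat)]
    return sorted(hits)


def format_hits(hits):
    """Offsets in the 8-digit hex form the thread posts (e.g. '0162ABCE ascii')."""
    return [f"{off:08X} {enc}" for off, enc in hits]


def scan_fragments(blob, secret, min_len=4):
    """Leading fragments of the secret ('half a password') that are not the
    start of a full ASCII hit or of a longer fragment. Returns [(offset, text)]."""
    taken = {off for off, enc in scan(blob, secret) if enc == "ascii"}
    out = []
    for n in range(len(secret) - 1, min_len - 1, -1):  # longest fragment first
        for off in find_all(blob, secret[:n].encode()):
            if off in taken:
                continue
            taken.add(off)
            out.append((off, secret[:n]))
    return sorted(out)


def carve_after_marker(blob, marker, max_len=64):
    """Printable ASCII run after each marker (b"smtp", b"imap"), skipping repeated
    markers and non-printable padding; this is where the thread saw
    'username@gmail.compassword'. Returns [(marker_offset, text)]."""
    out, seen = [], set()
    for off in find_all(blob, marker):
        pos = off + len(marker)
        while blob[pos:pos + len(marker)] == marker:
            pos += len(marker)
        while pos < len(blob) and not 32 <= blob[pos] < 127:
            pos += 1
        if pos in seen:               # same run reached via a repeated marker
            continue
        seen.add(pos)
        end = pos
        while end < len(blob) and end - pos < max_len and 32 <= blob[end] < 127:
            end += 1
        if end > pos:
            out.append((off, bytes(blob[pos:end]).decode("ascii")))
    return out


def context(blob, off, width=16):
    """One hex-editor style line (offset, hex bytes, printable ASCII) around off."""
    start = off - off % width
    chunk = bytes(blob[start:start + width])
    hexs = " ".join(f"{b:02X}" for b in chunk)
    asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{start:08X}  {hexs:<{width * 3}} {asc}"


def compare_dumps(old_blob, new_blob, old_secret, new_secret):
    """Counts for the 'change the password, use it, re-dump' experiment."""
    return {"old_in_old": len(scan(old_blob, old_secret)),
            "old_in_new": len(scan(new_blob, old_secret)),
            "new_in_new": len(scan(new_blob, new_secret))}


def scan_file(path, secret):
    """Scan a real 500 MB dump through mmap instead of reading it all into memory."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan(mm, secret)


if __name__ == "__main__":
    # usage: python scan_dump.py ebi_cs1.bin 'secret'   (no args: run on SAMPLE_DUMP)
    hits = scan_file(sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else scan(SAMPLE_DUMP, "OldPass99")
    for line in format_hits(hits):
        print(line)
```

Two caveats when running this on a real dump. The search is an exact byte match, so a secret that was only ever held per-character (as a keyboard buffer would) or split across two buffers, as some posts above describe, will only show up through `scan_fragments` or not at all; widen `min_len` or search for the address alone and look at `context()` around each hit. And the dump itself now contains every credential that was in RAM, so keep it on an encrypted disk and delete it when you are done comparing.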
What program do you use to check that email address?

I use the official gmail app, and I don't have those entries you speak of. I do have lots of Groove IP entries (login and password in plain text).
 
In case you are still interested, I've found entries for GrooveIP as well as login info for this forum.
I wonder, do you think we should be worried about this?
 
Thanks for the info. Guess I need to change my ebay and paypal passwords and stop using those apps on my phone.
 
I doubt the average thief or person who happens to find a phone will know how to dump the phone's data. A thief would sell it immediately and a person who finds it either erases it or returns it.

And if you're being targeted by hackers then you probably know it. It would be a very rare case.

All in all a security concern, but a bit overblown.

Sent from my VM670 using Tapatalk
 
I use the official email app, so I can check both yahoo and gmail at the same time.

Note- I couldn't find anything at the hex addresses where you said the msl should be.
 
