An Android Central mobile security researcher has discovered that critical access codes on rooted Android smartphones are often stored as clear text in internal OS databases.
“Cory – our Android Central Forums admin – found something that a good number of us need to be careful about. Certain apps, including the stock Froyo (Android 2.2) e-mail client, store usernames and passwords as plain text in the phone’s internal accounts database,” confirmed AC’s Jerry Hildenbrand.
“[Yes], this includes POP and IMAP mail accounts, as well as Exchange accounts – which could [of course] pose a bigger issue if it’s also your domain login information.”
Meanwhile, Lookout CTO Kevin McHaffey explained that the accounts.db file – which is stored by Android’s system service – centrally manages account credentials (e.g. usernames and passwords) for various OS applications.
“By default, the permissions on the accounts database should make the file only accessible (i.e. read + write) to the system user. No third party applications should be able to directly access the file.
“My understanding is that passwords or authentication tokens are allowed to be stored in plain text because the file is protected by strict permissions. Also, some services (e.g. Gmail) store authentication tokens instead of passwords if the service supports them, minimizing the risk of a user’s password being compromised.”
As expected, McHaffey emphasized that it would obviously be “very dangerous” if third-party apps accessed and read the accounts.db file, which is why rooters should exercise extreme caution when installing programs requiring ultra high-level access.
“I think it’s important for all users who root their phones to understand – apps running as root have *full* access to your phone, including your account information.
“[Remember], if the accounts database were to be accessible to non-system users (e.g. user or group ownership of the file something other than ‘system’ or world read privileges on the file) it would be a large security vulnerability.”