Passwords stored in plain text on rooted Android smartphones

With great power comes great responsibility. Maybe you should have been listening to Uncle Ben all along, because it seems that with great freedom come great security risks too. That’s because rooting your Android smartphone could reveal your “secure” passwords to just about anyone.

When you have a regular Android smartphone, the databases for each application are relatively secure and cannot be accessed by other applications. When you root your phone, you can give applications root access and, as such, they can then access those databases. Because those databases hold their contents in plain text, an app with root access can read your password as plain as day.

This isn’t so bad if you’re the only one who can see it, but what if someone were to develop an application for rooted Android phones (there are a lot of those) that would then read the databases of other apps? What if the app then looked for your password and automatically sent it back to the app developer?

Lookout CTO Kevin McHaffey explains:

The accounts.db file is stored by an Android system service to centrally manage account credentials (e.g. usernames and passwords) for applications. By default, the permissions on the accounts database should make the file only accessible (i.e. read + write) to the system user. No third-party applications should be able to directly access the file. My understanding is that passwords or authentication tokens are allowed to be stored in plain text because the file is protected by strict permissions. Also, some services (e.g. Gmail) store authentication tokens instead of passwords if the service supports them, minimizing the risk of a user’s password being compromised.

It would be very dangerous for third-party applications to be able to read this file, which is why it’s very important to be careful when installing applications that require root access. I think it’s important for all users who root their phones to understand that apps running as root have *full* access to your phone, including your account information.

So yeah, the old adage still applies. Fools rush in where angels fear to tread and, in this case, the fools could be giving out their passwords like they’re going out of style.

