
Passwords stored in plain text on rooted Android smartphones

With great power comes great responsibility. Maybe you should have been listening to Uncle Ben all along, because it seems that with great freedom comes great security risks too. That’s because rooting your Android smartphone could reveal your “secure” passwords to just about anyone.

On a stock Android smartphone, each application runs under its own Linux user ID, and its databases are protected by file permissions so that other applications cannot read them. When you root your phone, you let applications run with root privileges, and root bypasses those permissions entirely, so a root-enabled app can read any other app's databases. Any password stored there in plain text is then exposed as plain as day.

This isn’t so bad if you’re the only one who can see it, but what if someone were to develop an application for rooted Android phones (there are a lot of those) that would then read the databases of other apps? What if the app then looked for your password and automatically sent it back to the app developer?

Lookout CTO Kevin Mahaffey explains:

The accounts.db file is stored by an Android system service to centrally manage account credentials (e.g. usernames and passwords) for applications. By default, the permissions on the accounts database should make the file only accessible (i.e. read + write) to the system user. No third-party applications should be able to directly access the file. My understanding is that passwords or authentication tokens are allowed to be stored in plain text because the file is protected by strict permissions. Also, some services (e.g. Gmail) store authentication tokens instead of passwords if the service supports them, minimizing the risk of a user’s password being compromised.

It would be very dangerous for third-party applications to be able to read this file, which is why it’s very important to be careful when installing applications that require root access. I think it’s important for all users who root their phones to understand that apps running as root have *full* access to your phone, including your account information.

So yeah, the old adage still applies. Fools rush in where angels fear to tread and, in this case, the fools could be giving out their passwords like they’re going out of style.
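Added here as an illustration, not code from the article or from Lookout: a small Python audit that parses a constructed `ls -l` listing of the kind an Android shell prints and classifies who can read each database under ordinary Linux permissions. The file names, uids and sizes are made up; the point is that every classification below assumes a non-root reader, because a process running as root ignores these bits entirely.

```python
import re

# Constructed sample of `ls -l` output, not captured from a real device.
# Android gives each installed app its own Linux uid (written app_NN here),
# so a file's owner tells you which app the database belongs to.
SAMPLE_LISTING = """\
-rw-rw---- system   system    61440 2011-11-03 10:12 accounts.db
-rw-rw---- app_42   app_42    20480 2011-11-03 09:58 webview.db
-rw-rw-r-- app_17   app_17    12288 2011-11-02 18:30 prefs.db
"""

# Fields: mode, owner, group, size, date, time, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\S+\s+\S+\s+(?P<name>.+)$"
)


def readers_of(mode: str) -> str:
    """Classify who can read a file from its ls-style mode string.

    Only the discretionary owner/group/other bits are considered. A process
    running as root is not subject to them, which is the article's point.
    """
    if mode[7] == "r":
        return "world"
    if mode[4] == "r":
        return "group"
    return "owner-only"


def audit_listing(listing: str) -> list[dict]:
    """Return one finding per parseable line of an `ls -l` listing."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue  # skip "total N" lines or anything unparseable
        findings.append({
            "name": m["name"],
            "owner": m["owner"],
            "readable_by": readers_of(m["mode"]),
            # World-readable data is exposed to other apps even without root.
            "exposed_without_root": m["mode"][7] == "r",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_listing(SAMPLE_LISTING):
        print(finding)
```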



About Michael Kwan

A freelance writer and tech geek from Vancouver. Find me at michaelkwan.com and follow me on Twitter @michaelkwan.
