Android Password Data Stored In Plain Text
jampola writes "The Hacker News is reporting that Android password data is being stored as plain text in its SQLite database. Hacker News says that 'The password for email accounts is stored into the SQLite DB which in turn stores it on the phone's file system in plain text. Encrypting or at least transforming the password would be desirable.' I'm sure most would agree encrypted password data in at least SHA or MD5 would be kind of a good idea!"
Oh look, another dumb person thinking that Slashdot is a single mind.
Sounds like you're a bit of a sore Apple user, or just an anti-Android person (why are people like this? I don't understand it) who is a bit threatened, or perhaps you just like to appear smarter than people by trying to point out that Slashdot is just as biased as any other place (which it is.) But trying to pretend that the competent technical folk on the site that have very correctly pointed out that this is a non-issue being propagated by people that don't actually understand what they're talking about, which is what I'm assuming you also are, as you didn't even continue to read the post you're replying to beyond the eleventh word.
They can't - it's stored in /data which is off limits to any app, unless you've rooted the phone.
Which as many Android enthusiasts point out is terribly easy to do. While it does not affect every user it affects a huge subset of users.
On the iPhone, even if you've jailbroken it there's no such weakness thanks to the Keychain. Jailbreaking allows side loading, it does not break the entire security model and expose things as basic as email passwords.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
They can't - it's stored in /data which is off limits to any app, unless you've rooted the phone.
Which as many Android enthusiasts point out is terribly easy to do. While it does not affect every user it affects a huge subset of users.
On the iPhone, even if you've jailbroken it there's no such weakness thanks to the Keychain. Jailbreaking allows side loading, it does not break the entire security model and expose things as basic as email passwords.
No such weakness? What weakness are you talking about? GPP did not imply that rooting the phone causes /data to cease being off-limits to apps.
What weakness are you talking about? GPP did not imply that rooting the phone causes /data to cease being off-limits to apps.
From the GPP:
it's stored in /data which is off limits to any app, unless you've rooted the phone.
If that's inaccurate start by correcting the person I responded to, not me.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It's pathetic that so many Slashdotters (who are supposed to be nerds) won't even accept that some sort of encrypted system is better than plaintext for storing passwords. Absolutely pathetic.
This is what astounds me, that so many people here are seemingly willing to accept this gigantic flaw simply because it's behind one or two layers of security. There is no excuse for not keeping any stored credentials in something like the Keychain, this is a solved problem. I just assumed Android had something like it.
The worst part is, if there is no keychain to store user credentials how is every Android app out there storing credentials today? The laughable claim appears to be that since apps cannot by default see other apps, the model is simply to store credentials in the application directory in the open. Combine that with the fact that most devices store apps to external storage, and the external storage is unprotected...
In practical terms, it would seem any app you run could look for popular Twitter app directories on an SD card and gain credentials that way. Or banking apps or whatever.
Or, as that thread says, a computer virus could look for mounted SD cards that had Android apps on them and gain credentials that way.
I would be interested to hear from Android developers if this is really not the case, how Android protects apps and credentials they store located on an SD card.
"There is more worth loving than we have strength to love." - Brian Jay Stanley