Android Password Data Stored In Plain Text

jampola writes "The Hacker News is reporting that Android password data is being stored as plain text in its SQlite database. Hackers News says that 'The password for email accounts is stored into the SQLite DB which in turn stores it on the phone's file system in plain text. Encrypting or at least transforming the password would be desirable.' I'm sure most would agree encrypted password data in at least SHA or MD5 would be kind of a good idea!"

Sorry, disagree that SHA/MD5 is a solution

[mysidia]

I'm sure most would agree encrypted password data in at least SHA or MD5 would be kind of a good idea!"

No, I would not agree to that. I cannot say what most would think, but they would be misunderstanding the requirements and a misunderstanding of SHA/MD5 security for password stoarge, if they suggest SHA/MD5 as a solution.

When your android needs to access an e-mail account, knowledge of the actual login password is required, to connect to the remote server. Storing a SHA or MD5 hash does not retain knowledge of the password, so automatic e-mail login on the Android device would no longer be able to function with only a SHA or MD5 stored.

The e-mail server itself can potentially store a PBKDF2 derived strong hash for plaintext authentication over TLS (the server may require plaintext for CRAM-MD5 or other authentication mechanism selections), but your software needs to authenticate with the mail server, which requires either that actual credentials be stored, OR that credentials be entered by the user.

To quote the complaint from the article:

The password for email accounts is stored into the SQLite DB which in turn stores it on the phone's file system in plain text. Encrypting or at least transforming the password would be desirable.

I will agree that encrypting or transforming the password in the database is possible; something such as a Windows or OSX style keychain should be possible. HOWEVER, the decryption key has to be stored on the phone, and any transformation has to be reversible, for the device to still work without prompting the user for the password and saving in RAM or prompting the user every time e-mail is to be checked.

Therefore, the security benefits of doing this are absolutely minimal. Anyone who is actually trying to extract the password will learn about the transformation, and any reversible transformation is not a significant improvement.

Saving the unencrypted password in RAM may be just as good [or bad] as saving it on the filesystem, since phones are rarely rebooted, and RAM is subject to analysis just like a sqlite DB is subject to analysis.

Re:Sorry, disagree that SHA/MD5 is a solution

[maxume]

If the app-server combo has a decent session protocol, the app can get a session token from the server and discard the password.

Re:Sorry, disagree that SHA/MD5 is a solution

[Macthorpe]

Incredibly, if you actually RTFA, it's written by someone both technically incapable and clearly illiterate. It's also based on a comment made by a member of the Android team posted nearly a year ago, and the comment also points out exactly why they do it this way:

Simply obscuring your password (e.g. base64) or encrypting it with a key stored elsewhere will *not* make your password or your data more secure. An attacker will still be able to retrieve it. [...] If you can obtain *any* data from files in /data/data/* on a non-rooted device, this is a security problem in the device.

So basically, it's hidden from view on a non-rooted device, people who root their devices have already technically cracked their own security anyway, and even if it wasn't in plain text it would still be trivial to decrypt as the key has to exist somewhere on the device to do it.

All in all, very boring, very old, and very stupid to post.

Re:Sorry, disagree that SHA/MD5 is a solution

[mysidia]

If the app-server combo has a decent session protocol, the app can get a session token from the server and discard the password.

I agree that's a very good idea. Why don't we implement Kerberos on our Android phones, and insist on GSSAPI with a Kerberos service ticket to access POP3/IMAP/etc from the phone?

Or certificate-based authentication, where we install a X509 certificate on our phone, and the server requires we authenticate with the right X509 certificate and use TLS/SSL in order to gain access to our account, instead of using a password.

Then each device is separate and lost device can be dealt with by revoking certs. Both of these are good solutions, but unfortunately, in most cases, neither will be an option, and people would not like the Android phones if it required them to introduce proper security to their mail server authentication, without addressing inconvenience issues.

Implementing token-based auth with IMAP or POP (unfortunately) requires special cooperation of the mail server admin, since most mail servers have no additional authentication options by default, beyond simple password; over SSL/TLS if you're fortunate.

The unpopularity of token-based auth for IMAP/POP stems from a lack of implementation of these security options on mail servers, partially due to the limited history of standardization of token-based auth, and the limited understanding most users have of the security issues with password storage and plaintext authentication.

Certificate based authentication has a problem that it's inconvenient, even though SSL/TLS is of course a very mature standard.

My impression is most sysadmins know nothing about token-based auth, GSSAPI, SASL, Kerberos, etc, would be words they never heard of, even if they actually manage Windows AD, they never heard of Kerberos.

So... as you can imagine... token-based extensions beyond the base standard for IMAP/POP mail access are not that well known or widely implemented.

Re:Sorry, disagree that SHA/MD5 is a solution

[node+3]

That is a troll. The big problem with the iPhones wasn't that it was storing data in plain text. It was that Apple was collecting the data without the users knowledge. Apple then used doublespeak to make their fanboys believe that no data was being sent back to the mothership.

Absolute rubbish.

1. It was in the EULA. Not hidden or obscured, but out in the open.
2. The data found was a cache of Apple's location database. It never contained your actual location.
3. One of the issues *was* that it was in plaintext. Go to the slashdot article about it and control-f for "stalker" or "police".
4. Apple never claimed (or implied) that data wasn't being sent to them. In fact, they specifically stated that this is exactly what happens.

Re:Sorry, disagree that SHA/MD5 is a solution

[timothyb89]

For the record, TFA is only referring to the Email app (often called Email.apk) which is just a normal app. Unlike Apple's apps it has no special access to system APIs, keychains, or the like. On top of that, it isn't even included on many Android devices. HTC uses their own which could very well handle things differently, and I'm pretty sure other manufacturers do the same. On my CM7 device I don't even use it in favor of the dedicated Gmail app, which seems to take security quite a bit more seriously. Call me crazy for actually reading TFA but an Android dev made a very helpful comment on the situation:

Now, with respect to this particular concern. The first thing to clarify is that the Email app supports four protocols - POP3, IMAP, SMTP, and Exchange ActiveSync - and with very few, very limited exceptions, all of these are older protocols which require that the client present the password to the server on every connection. These protocols require us to retain the password for as long as you wish to use the account on the device. Newer protocols don't do this - this is why some of the articles have been contrasting with Gmail, for example. Newer protocols allow the client to use the password one time to generate a token, save the token, and discard the password.

And as demonstrated by many others here, the keychain is not actually the be-all, end-all solution to the problem, as it either leaves the decryption key elsewhere on the disk, making it useless, or requires the user to constantly enter a password, making it annoying. Android leaves it up to the app to handle passwords (as does iOS in most cases, I believe), and in this case the Email app doesn't really have a choice. Asking the user to enter their keychain password every time the Email app wants to grab new emails would get annoying quickly, and the protocols that it needs to support can't use the more secure token-based systems. Unfortunately there's no other feasible way to do it, and this debate is ignoring the real issue: mail servers that don't support secure authentication.

tl;dr: Article is not about "Android", only one app, and said app doesn't have much of a choice.

Re:Sorry, disagree that SHA/MD5 is a solution

[AlienIntelligence]

I take it that you don't fly very often.

Maybe you should get a phone with an 'aircraft' mode...

Maybe you should trying buying me a phone that does not require being powered off in order to be restarted in flight mode. (Which requires entering your PIN, if you' ve not disabled it). Every mobile phone I've ever owned has worked this way. Including my 2-months-old Samsung Galaxy.

You... are not making any sense. My Droid Incredible has a widget
with an airplane on it. Click it, all radios are killed, unclick it, all radios
are back on.

-AI

Well submitter is clueless...

[Kjella]

SHA and MD5 are hash algorithms, there's no way to recover the actual password from a hash. And since you need the password to log in, that doesn't make the slightest bit of sense. The best they could do is some symmetric encryption with the key hardcoded in the software as security through obscurity.

Re:Well submitter is clueless...

[Mr+Z]

An alternative to security by obscurity would be to have an actual secured device-specific key on the device, and an encryption block that has sole access to that key. I've actually architected products in the past that have such things, and one of the use models was "user's bag of sensitive data", where you could put items in the bag (passwords, credit card #s, etc.) in a secure manner, and only pull them out as needed. You need to be careful with how you handle the information once it's outside the bag, but the main point is if someone takes the bag (the SQLite database, in this instance), it's valueless to an attacker.

The bag itself could be stored encrypted in whatever bulk storage is convenient, with a key that's only physically accessible to the encryption engine. The key is "device specific", meaning each chip gets a random key blasted into it in the factory. You couldn't take the secure bag image from one phone and plop it on another and read it.

Lest this sounds like science fiction, it isn't. The same technology is used and widely deployed for DRM and other such purposes. Heck, TPM does this same stuff. It could be used to protect your passwords, but there isn't as much money or emphasis on implementing that.

Encrypt The Phone

[steevven1]

As a precaution, you can encrypt the entire phone's filesystem. The Droid Pro, for example, offers this feature as a part of the OS. Unfortunately, for this to be fully effective, this means choosing a STRONG (ie long and complex) password with which to unlock the phone each time you want to use it, which may be impractical.

Re:Encrypt The Phone

[growse]

Blackberry's do exactly this. It works well, but a lot of people argue against the convenience. The thing about security controls is that they're rarely convenient, so it's always a trade-off.

Old News

[Pirow]

1. This is almost 1 year old "news".
2. Why does it matter? These passwords are generally transferred in plain text without any sort of encryption anyway (which is another issue, but these old protocols are well known to be insecure without SSL etc.) so if you have access to get to the file in question you have access to sniff out these passwords anyway which is just as simple.
3. Any one way hashing is no solution if you need to transfer the passwords in plain text anyway, what's your POP3 server going to do with a MD5 hash?

Re:Old News

[MobileTatsu-NJG]

Sounds like you're a bit of a sore Apple user...

To somebody that is more objective on the topic, he sounds like somebody who thinks noisy Slashdotters should at least be consistent. The whole 'competition is good' principle falls on its face if one company is held to a different standard than another's.

Re:Old News

[bonch]

I think he made a very good point--that if this wasn't about Android, it would be treated as a big security issue. When it's Android, or more correctly, Linux, there are justifications and excuses made.

Calling him names isn't going to change the validity of the point he made.

Re:Old News

[bonch]

Oh, well, hey, if a major security flaw is almost a year old, it's no longer news!

Why are Android security problems always justified and dismissed on Slashdot? If this was iOS, I suspect your post would be completely different.

MD5 is not encryption

[microbee]

MD5 is a one-way hash, not encryption. You store the password in this form, you cannot go back to the original form.

You need the plain text password for interoperating with the email servers (or whatever services that need password). They may support a different transformation of the password instead of MD5. So there has to be a way to go get the original plain text password.

On the other hand, if you use SHA or other means of encryption, the phone still has to decrypt the password. There are two ways for the phone to get the key:
1. embedded on the phone, maybe generated randomly for each user. Still the key has to come from somewhere, so theoretically it's possible for any malware to find the key and use it.
2. ask for the key or passphrase from the user everytime the phone boots, like Firefox's password manager.

Re:This is RICH

[oobayly]

Yup, as an Android owner and developer I admit I've mocked other manufacturers for their school boy errors. Guess what my reaction was? Something along the lines of "oh for fucks sake, they had better fix this pronto".

That said, my fetchmailrc file on machines contain plain text passwords and rely on only the owner having read rights, so maybe I'm a hypocrite. Any encryption key will have to live on the device, so it'll be interesting to see opinions and suggestions.

No SSL - that's the real problem

[Artem+S.+Tashkinov]

Using public WiFi spots is a much more dangerous issue, since a lot of websites still don't employ SSL encryption of the traffic and your POP3/IMAP/HTTP credentials can be easily eavesdropped.

Like it's mentioned earlier not storing passwords in an open or reverse encryptable form is not possible, since your Android device has to supply plain text password to many Internet servers.

Re:There's useless, and then there is USELESS

[icebraining]

Where did it say that any app can copy it? They can't - it's stored in /data which is off limits to any app, unless you've rooted the phone.

get a clue

[Tom]

I'm sure most would agree encrypted password data in at least SHA or MD5 would be kind of a good idea!"

Yeah, because SHA1 and MD5 are one-way hashes which are just great if you actually, you know, need to know the password so you can tell the mailserver.

When I started reading /., one of the reasons was that the editors had enough of a clue to weed out submissions from people who had not the slightest idea what the fuck they were talking about. At that time, /. stood out from the mainstream publications, who generally didn't employ geeks and the normal journalist had to ask his geek friends about what this "HTML" thing he noticed at the end of every webpage address was.

Please. One thing we really don't need more of is people with half-a-clue meddling in security and giving advise. For us security professionals, the clueless secretary is not our worst enemy. She at least knows she knows nothing and will listen to us. Our worst enemy in the company environment is the self-proclaimed power user who think he knows what he's doing, but is in fact only messing things up. And because he thinks he's smart, he won't listen to the security department.

Now yes, there are better ways than storing the passwords in plain-text. Encrypting them would help. You'd think. But in order to decrypt them, you have to have the key. Which means you have to store it on the phone. Or in other words: Right next to the database.
So encrypting the sqlite data would be the equivalent of having a really good lock on your door, and hanging the keys on a nail right next to it. Anyone who breaks your phone enough to get the sqlite file will also be able to get the key file the same way. All you're doing is making everything more complicated and wasting CPU cycles on pointless crypto.

Re:Beh

[Macthorpe]

I don't think you actually understand anything about the issue. Do you know where the actual passwords on the device are stored? If you look into that, you'll see why further obfuscation is unnecessary. If a user can get access to the folder where these files are stored, they already have enough information to break any remaining encryption on the device.

It's sad that you see this as 'platform-centric hypocrisy' instead of what it is - a non-story dredged from a year old post by an Android engineer that only confirms what other rational people already know.

Re:There's useless, and then there is USELESS

Rooting an Android phone doesn't break the security model either. It's not like apps suddenly run as root by default.

Re:There's useless, and then there is USELESS

[growse]

Apps can't read the database on non-rooted phones. So yes, you need physical access so you can root the phone first to get at the data.

This is how all the hacks occur...

[Eirenarch]

People like the submitter and the ones who filed the bug are the reason hacks occur all the time. They think they know something about security and they've heard that plain text passwords is bad but they have no idea how and why they are bad. These people go and implement "secure" systems that get hacked. Encrypt the password on the same device that has the encryption key and then think it is secure

Re:Didn't imply, stated directly

[icebraining]

No, I did not. The negative of being off limits to any app is not being accessible to all apps.

When you root, it can still be off limits to any app as long as you don't run any app as 'root'. It doesn't break any security model more than having an admin account breaks the security for normal user accounts.

Re:Didn't imply, stated directly

[Barefoot+Monkey]

From the GPP:

it's stored in /data which is off limits to any app, unless you've rooted the phone.

If that's inaccurate start by correcting the person I responded to, not me.

The person to whom you responded is accurate, as far as I know, but "it's stored in /data which is off limits to any app, unless you've rooted the phone." still does not imply that rooting the phone causes /data to cease being off-limits to apps. You're drawing a false conclusion.