Rooted Android users login credentials stored as plain text and easily accessible

Android passwords saved as plain text on rooted phones
Android passwords saved as plain text on rooted phones

Feeling a little weary of rooting your Android device? Well, if you’re on the fence about whether or not you should give the green light to giving your phone root access, you may want to think twice. It looks like after your phone is rooted, passwords are saved into the system files as plain text, accessible to anyone who knows where to look.

It goes like this: If you have a unrooted Android phone, applications aren’t allowed to read the databases of other applications, plain and simple. Rooting your device, or giving applications root access can change all of that. While you can find the passwords within the phone with a file manager with root access, the real potential threat is if someone were to create an application to automatically pull these out of your phone and send it back to the malware creator.

So why doesn’t Google have this very sensitive information encrypted? Well, for starters, they don’t necessarily want you to root your phone at all. Sure, Android is open, and you should be able to do what you want with it, but Google going out of their way to cover the ass of someone who has broken a rule (of sorts) seems unlikely. That’s not to say this won’t eventually happen, as someone has posted this on the Android issues page.

AndroidCentral did their homework and reached out to Kevin McHaffey, Co-Founder and CTO of Lookout, and here’s what he had to say about the  situation,

The accounts.db file is stored by an android system service to centrally manage account credentials (e.g. usernames and passwords) for applications. By default, the permissions on the accounts database should make the file only accessible (i.e. read + write) to the system user. No third-party applications should be able to directly access the file. My understanding is that passwords or authentication tokens are allowed to be stored in plain text because the file is protected by strict permissions. Also, some services (e.g. Gmail) store authentication tokens instead of passwords if the service supports them, minimizing the risk of a user’s password being compromised.

It would be very dangerous for third-party applications to be able to read this file, which is why it’s very important to be careful when installing applications that require root access. I think it’s important for all users who root their phones to understand that apps running as root have *full* access to your phone, including your account information.

If the accounts database were to be accessible to non-system users (e.g. user or group ownership of the file something other than “system” or world read privileges on the file) it would be a large security vulnerability.

A little technical for you? That’s fine, just know that if you’re thinking about downloading an application that needs root access to run, be careful. That app could just be looking to scour your passwords and send them back to the creator.

Will this stop the majority users that are considering rooting their Android smartphone? Maybe, but as long as there is a way to root your phone people will do it, it’s just so easy these days. Just be careful as to what you’re downloading.

[Via: AndroidCentral]

  • http://twitter.com/mghtyred @mghtyred

    ” Well, for starters, they don’t necessarily want you to root your phone at all. ” Really? then why did Google release the N1 already rooted? Seems funny if Google doesn’t want you to root, you’d think they would not release a phone designed for that purpose.

    What’s next, the carriers? Well, I can’t speak for all of them, but I know while T-Mobile doesn’t come out and say “Hey go ahead and root your phone” they do offer a forum on their site that provides instructions for rooting and flashing custom ROMS. (Full disclosure: I am a T-Mobile forum moderator)

    Honestly, if this is a real security threat, I would be surprised if the Android Development Team did nothing about it. More likely than not, some sort of security patch will be included in Gingerbread.

    • Blake

      The Nexus One is a development phone.. It provides DEVELOPERS root access to allow them to DEVELOP for Android.

      If T-Mobile would come out and say, “Hey root your phone!” I don’t think Google would be too happy about that, and would likely tell them to retract the statement. It’s cool they allow the instructions. but.. who goes to the T-Mobile forums? XDA is where it’s at.

      If the security threat is real, the Android development team doesn’t have to do shit. Root users assume all of the responsibility. Get it right.

      • http://www.jaduncan.com jaduncan

        “The Nexus One is a development phone.. It provides DEVELOPERS root access to allow them to DEVELOP for Android.”

        No, no, no. The Nexus was sold directly to consumers, is still available on various worldwide carriers (example: Vodafone UK, direct to consumers) and is now sold by Google to developers because it is *also* good for development. It is not the ADP2, and the fact that it is widely used is a side-effect of it being open, not the other way round.

  • http://AppSmasher.com AppSmasher

    “but Google going out of their way to cover the ass of someone who has broken a rule (of sorts) seems unlikely.”

    It seems like it should be a concern of Google because the public perception in the media that Android is not secure won’t help them. Even if the security flaw occurs after someone deliberately roots their phone, it’s just another article saying that Android isn’t secure.

    Plus, how difficult would it be to encrypt that information?

  • Tommy Subway

    If you are concerned with security you never save your passwords anyway. Being a root user is worth any risk. You can’t put a price on free wifi hotspot and being able to remove all of the phone company’s bloatware from your phone. Changing your boot animation and making your phone boot silently are also nice. Why worry about your phone when your PC is probably a bigger target. And if you are worried about your PC and phone, I hope you are guarding your mailbox at home because stealing mail is one of the easiest ways to steal information. You are never really safe anywhere.

Back to top ▴