Feeling a little wary of rooting your Android device? Well, if you’re on the fence about whether or not to give your phone root access, you may want to think twice. It looks like once your phone is rooted, the passwords saved in the system files as plain text are accessible to anyone who knows where to look.
It goes like this: if you have an unrooted Android phone, applications aren’t allowed to read the databases of other applications, plain and simple. Rooting your device, or giving applications root access, changes all of that. While you can find the passwords on the phone yourself with a file manager that has root access, the real threat is someone creating an application that automatically pulls them out of your phone and sends them back to the malware creator.
So why doesn’t Google encrypt this very sensitive information? Well, for starters, they don’t necessarily want you to root your phone at all. Sure, Android is open, and you should be able to do what you want with it, but Google going out of their way to cover the ass of someone who has broken a rule (of sorts) seems unlikely. That’s not to say this won’t eventually happen, as someone has already posted this on the Android issues page.
AndroidCentral did their homework and reached out to Kevin Mahaffey, co-founder and CTO of Lookout, and here’s what he had to say about the situation:
The accounts.db file is stored by an Android system service to centrally manage account credentials (e.g. usernames and passwords) for applications. By default, the permissions on the accounts database should make the file only accessible (i.e. read + write) to the system user. No third-party applications should be able to directly access the file. My understanding is that passwords or authentication tokens are allowed to be stored in plain text because the file is protected by strict permissions. Also, some services (e.g. Gmail) store authentication tokens instead of passwords if the service supports them, minimizing the risk of a user’s password being compromised.
It would be very dangerous for third-party applications to be able to read this file, which is why it’s very important to be careful when installing applications that require root access. I think it’s important for all users who root their phones to understand that apps running as root have *full* access to your phone, including your account information.
If the accounts database were to be accessible to non-system users (e.g. user or group ownership of the file being something other than “system”, or world read privileges on the file), it would be a large security vulnerability.
A little technical for you? That’s fine, just know that if you’re thinking about downloading an application that needs root access to run, be careful. That app could just be looking to scour your phone for passwords and send them back to its creator.
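A small audit script for the permission model Kevin describes above, added here as an example and not code from the article or from Lookout: it checks that the accounts database is owned by the expected user and group and carries no world-read bit, which are exactly the two conditions the quote calls a vulnerability. Pass the file’s path as the first argument (the article names the file but not its directory); the default owner “system” comes from the quote, and a stat that accepts -c (GNU coreutils or Android’s toybox) is assumed.

```shell
# Audit the ownership and mode of an accounts database file.
# Flags ownership by anything other than the expected user/group and any
# read bit for the "other" class (world-readable).
# Assumes a stat(1) that accepts -c (GNU coreutils, Android's toybox).
# Usage: check_accounts_db <path-to-accounts.db> [owner] [group]

check_accounts_db() {
    path="$1"
    owner="${2:-system}"        # expected owning user (default from the quote)
    group="${3:-$owner}"        # expected owning group, defaults to the user
    if [ ! -e "$path" ]; then
        echo "ERROR: $path not found"
        return 2
    fi
    info=$(stat -c '%U %G %a' "$path") || return 2
    set -- $info
    u="$1"; g="$2"; mode="$3"
    bad=0
    if [ "$u" != "$owner" ] || [ "$g" != "$group" ]; then
        echo "WARN: $path is owned by $u:$g, expected $owner:$group"
        bad=1
    fi
    # The last octal digit is the "other" class; 4, 5, 6 and 7 include read.
    other=${mode#"${mode%?}"}
    case "$other" in
        4|5|6|7)
            echo "WARN: $path is world-readable (mode $mode)"
            bad=1 ;;
    esac
    if [ "$bad" -eq 0 ]; then
        echo "OK: $path is $u:$g with mode $mode"
    fi
    return "$bad"
}

# When run with arguments (e.g. from a root shell on the device), audit the
# given file; the path below is a placeholder, not a location from the article:
#   check_accounts_db /path/to/accounts.db system
if [ "$#" -ge 1 ]; then
    check_accounts_db "$@"
fi
```

A non-zero exit status means at least one of the two conditions from the quote was found.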
Will this stop the majority of users who are considering rooting their Android smartphone? Maybe, but as long as there is a way to root your phone, people will do it; it’s just so easy these days. Just be careful about what you’re downloading.