The Android operating system is coming under fire after a hacker published a report showing that email passwords are stored as plain text.
Well-known publication HackerNews has highlighted that Android passwords are not stored securely and are easily accessible from the phone, if you know where to look.
After some poking about, it appears that the email account's password is stored in an SQLite database on the phone's file system as ordinary text. This has raised the question of why Google hasn't chosen to encrypt it for security reasons.
Andy Stadler, a member of the Android support team, said that the problem is due to the Android email app supporting IMAP, POP3, SMTP and Exchange ActiveSync. These protocols all demand that the client present the password to the server every time it connects.
He says “The first thing to clarify is that the Email app supports four protocols – POP3, IMAP, SMTP, and Exchange ActiveSync – and with very few, very limited exceptions, all of these are older protocols which require that the client present the password to the server on every connection. These protocols require us to retain the password for as long as you wish to use the account on the device. Newer protocols don't do this – this is why some of the articles have been contrasting with Gmail, for example. Newer protocols allow the client to use the password one time to generate a token, save the token, and discard the password.”
He also said that encrypting passwords with a key stored elsewhere on the device would not make them more secure, and that other email clients have the same problem.
He added “In particular, some claims have been made about some of the other email clients not storing the password in cleartext. Even where this is true, it does not indicate that the password is more secure. A simple test: if you can boot up the device and it will begin receiving email on your configured accounts, then the passwords are not truly secure. They are either obfuscated, or encrypted with another key stored somewhere else.”
Kitguru says: While Stadler debated the security issues, he did end with a comment saying he would look into ways of making the data more secure. Perhaps some good will come from the exposure.
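The distinction Stadler draws between legacy protocols and token-based ones, modelled as an added example (this is not code from the article, from Android, or from the Email app): a constructed toy mail server that either verifies the password on every connection, legacy-style, or exchanges it once for a revocable token. All class and user names are assumptions made for the illustration.

```python
import hmac, secrets

class MailServer:
    """Constructed toy server: verifies the password on every connect
    (legacy IMAP/POP3/SMTP style) and can also issue revocable tokens."""
    def __init__(self, users):
        self._users = users    # user -> password; a real server would store hashes
        self._tokens = {}      # token -> user

    def connect_with_password(self, user, password):
        return hmac.compare_digest(self._users.get(user, ""), password)

    def issue_token(self, user, password):
        if not self.connect_with_password(user, password):
            return None
        token = secrets.token_hex(16)
        self._tokens[token] = user
        return token

    def connect_with_token(self, token):
        return token in self._tokens

    def revoke_token(self, token):
        self._tokens.pop(token, None)

class LegacyClient:
    """Keeps the password itself, because the server demands it on every connection."""
    def __init__(self, server, user, password):
        self.server, self.user = server, user
        self.stored_secret = password   # this is what lands in the account database
    def sync(self):
        return self.server.connect_with_password(self.user, self.stored_secret)

class TokenClient:
    """Presents the password once, keeps only the token, discards the password."""
    def __init__(self, server, user, password):
        self.server, self.user = server, user
        self.stored_secret = server.issue_token(user, password)
    def sync(self):
        return self.server.connect_with_token(self.stored_secret)

def compare_clients(password="constructed-sample-password"):
    server = MailServer({"alice": password})   # constructed account
    legacy, token = LegacyClient(server, "alice", password), TokenClient(server, "alice", password)
    result = {"legacy_syncs": legacy.sync(), "token_syncs": token.sync(),   # both sync at "boot" with no user input
              "legacy_stores_password": legacy.stored_secret == password,
              "token_stores_password": token.stored_secret == password}
    server.revoke_token(token.stored_secret)   # lost device: revoke the token, the password is untouched
    result["token_syncs_after_revoke"], result["legacy_syncs_after_revoke"] = token.sync(), legacy.sync()
    return result
```

Both clients pass Stadler's "boots and receives mail" test, but only the legacy client has to keep a secret that is the password itself; the token client's stored secret can be revoked server-side without changing the password.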
It raises more questions than answers. Seems it's not just Google who do this.
Very dodgy
Nothing is dodgy here. There is no magic.
If your phone asks for no password at bootup, your password is in clear or an equivalent of clear text. That is all there is.
If it asks for a password, then it is kept in memory (it can even be tied to your PIN, although the PIN password ain't that great – the iPhone does that for a lot of stuff).
Technically SOME email apps COULD store the hash when the opposite server supports them for login. But still, while you wouldn’t have the clear password, those are easy to crack, and even uncracked, you can still use them for login too.