unlazyfree
Security bulletin for rooted users: Android passwords stored as clear text | Android Central
While some may spend their weekends lounging poolside or at toddler birthday parties, some sit and hack. We're glad in this case, as Cory (our Android Central Forums admin) found something that a good number of us need to be careful about -- in many cases your passwords are stored as plain text in internal databases. We spent a good portion of our Saturday tracking down the issues, scouring Google's code bugs pages, testing various phones running various ROMs, and even calling in the pros for clarification. Hit the break to see what was found, and what you might need to watch for if you've rooted your phone. [Android Central forums] And big props to Cory!
To be clear, this only affects rooted users. It's also a great reason why we stress the extra responsibilities that come with running a rooted OS on your phone. If you haven't rooted, this particular issue won't affect you, but it's still worth reading if only to put your mind at ease that not rooting was the right choice.
Take a moment and read all of our findings, which Cory has listed out quite nicely right here. I'll summarize: Certain applications, including the stock Froyo (Android 2.2) e-mail client, store your username and password as plain text in the phone's internal accounts database. This includes POP and IMAP mail accounts, as well as Exchange accounts (which could pose a bigger issue if your Exchange password is also your domain login). Now, before we say the sky is falling: if your phone isn't rooted, no application is able to read this, because the database file is readable only by the system user. We even confirmed this with Kevin Mahaffey, the Co-Founder and CTO of Lookout -- who is always ready to lend a hand where mobile security is concerned, even on the weekend. Here's his take on the situation:
"The accounts.db file is stored by an android system service to centrally manage account credentials (e.g. usernames and passwords) for applications. By default, the permissions on the accounts database should make the file only accessible (i.e. read + write) to the system user. No third party applications should be able to directly access the file. My understanding is that passwords or authentication tokens are allowed to be stored in plain text because the file is protected by strict permissions. Also, some services (e.g. Gmail) store authentication tokens instead of passwords if the service supports them, minimizing the risk of a user
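To make the point concrete, here is an added example (mine, not code from the Android Central article, Cory's forum thread, or Lookout). It builds a constructed accounts.db laid out like the Froyo-era AccountManager database (the `accounts`/`authtokens` schema and the sample rows are assumptions, reproduced from memory and invented respectively), then shows two things: what a process running as root can pull out of it with one SQL query, and why an ordinary app cannot. The permission check mirrors the plain discretionary-access-control rule that Kevin describes, with the caveat that root (uid 0) bypasses mode bits entirely, which is exactly why rooting changes the picture. On a real device the same query is run from `adb shell` after `su` against `/data/system/accounts.db` (that path comes from the AccountManager service, not from the article); the sandbox below cannot `chown`, so the system uid of 1000 is passed in by hand.

```python
"""Added example: dumping and permission-checking an AccountManager-style accounts.db.

Assumptions (not from the article): the `accounts`/`authtokens` table layout,
the sample account rows, and SYSTEM_UID = 1000 for Android's `system` user.
"""
import os
import sqlite3
import stat
import tempfile

SYSTEM_UID = 1000  # Android's `system` user (assumed stock uid mapping)


def build_sample_accounts_db(path):
    """Create a constructed accounts.db resembling the Froyo AccountManager layout."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE accounts (
            _id INTEGER PRIMARY KEY, name TEXT NOT NULL,
            type TEXT NOT NULL, password TEXT);
        CREATE TABLE authtokens (
            _id INTEGER PRIMARY KEY, accounts_id INTEGER NOT NULL,
            type TEXT NOT NULL, authtoken TEXT);
    """)
    # Constructed rows: the IMAP and Exchange accounts keep the raw password;
    # the Gmail-style account keeps no password, only an auth token.
    con.executemany(
        "INSERT INTO accounts (name, type, password) VALUES (?, ?, ?)",
        [
            ("alice@example.com", "com.android.email", "hunter2"),
            ("CORP\\alice", "com.android.exchange", "CorpPassw0rd!"),
            ("alice@gmail.com", "com.google", None),
        ],
    )
    con.execute(
        "INSERT INTO authtokens (accounts_id, type, authtoken) VALUES (3, 'mail', ?)",
        ("ya29.constructed-token",),
    )
    con.commit()
    con.close()
    os.chmod(path, 0o660)  # owner/group only, as the system service keeps it


def dump_plaintext_credentials(path):
    """What a root shell sees: every account whose password column is populated."""
    con = sqlite3.connect(path)
    rows = con.execute(
        "SELECT name, type, password FROM accounts WHERE password IS NOT NULL"
    ).fetchall()
    con.close()
    return rows


def is_protected_from(mode, owner_uid, reader_uid):
    """The DAC rule an unprivileged app is subject to.

    Returns True when `reader_uid` cannot read a file with these mode bits
    owned by `owner_uid`. Root (uid 0) is never blocked by mode bits, which
    is the whole reason the article singles out rooted phones. Group
    membership is ignored here (assumption: third-party apps are not in the
    system group).
    """
    if reader_uid == 0:
        return False
    if reader_uid == owner_uid:
        return not (mode & stat.S_IRUSR)
    return not (mode & stat.S_IROTH)


def demo():
    """Build the constructed database and report what each reader gets."""
    path = os.path.join(tempfile.mkdtemp(), "accounts.db")
    build_sample_accounts_db(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    third_party_app_uid = 10042  # a typical app uid in the 10000+ range
    return {
        "mode": mode,
        "app_blocked": is_protected_from(mode, SYSTEM_UID, third_party_app_uid),
        "root_blocked": is_protected_from(mode, SYSTEM_UID, 0),
        "leaked": dump_plaintext_credentials(path),
    }


if __name__ == "__main__":
    result = demo()
    print("mode %o, app blocked: %s, root blocked: %s"
          % (result["mode"], result["app_blocked"], result["root_blocked"]))
    for name, acct_type, password in result["leaked"]:
        print("%-20s %-22s %s" % (name, acct_type, password))
```

The Gmail-style row never shows up in the dump because it holds a token rather than a password, which is the mitigation Kevin mentions for services that support it; the IMAP and Exchange rows come out verbatim, so on a rooted phone any app you grant root to can read them.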
