
Samsung Galaxy S3 stores passwords in plain text  - jgnatch
http://www.geek.com/articles/mobile/samsung-galaxy-s3-stores-passwords-in-plain-text-20121112/
======
SoftwareMaven
This is a really bad article. I would call it nothing less than fear-
mongering. Let's say they decided to encrypt the file. They would have to
store that key in plain-text somewhere. Of course, they could encrypt that,
but then _that_ key would have to be stored somewhere.

No matter how they decided to store the password, if somebody has root access
to the device, they can find a way to read it. If they can't find a way, the
phone won't either, so it won't be able to log you in.

The only answer is to not let your device store your password. Choose security
or convenience, but don't expect both.

(This is no different than Pidgin storing your passwords in plaintext[1] with
the exact same reasons and consequences.)

1. <https://developer.pidgin.im/wiki/PlainTextPasswords>

~~~
smegel
> They would have to store that key in plain-text somewhere.

Is this really true? Could not the device manufacturer embed the key in
silicon somehow, perhaps in EEPROM or similar?

~~~
digeridoo
Honestly, that never happens.

~~~
dfox
Even if that would happen, it would not help in this situation anyway. The
application simply needs to be able to access that data.

We had built some devices that did encrypt their local stores and used keys
burned into separate silicon (really, keys derived from multistep mutual
authentication with that silicon), but the attack model was that the attacker
would not possess both parts of the device at once (as the key-containing part
was able to be located in a different part of the building from the rest of the
device, was reasonably tamper-proof and detected movement).

------
kephra
> While rooting a Samsung Galaxy S3 only takes about five minutes, the
> software tools required are uncommon enough that as long as your phone isn’t
> already rooted you likely don’t have anything to worry about.

This is plain wrong: any unrooted Android is insecure, because the exploit to
root it is not fixed. The only way to make an Android secure is to root it, to
install a newer version, and to upgrade it regularly.

The right way to store passwords would be: ask for a master password at boot,
to start an app that is managing the password crypt. As far as I know, nobody
does this. So the second-best way is to install Google Play into an emulator,
and use something like Titanium to move applications between the emulator and
the phone.

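The two designs argued over above, SoftwareMaven's "the key has to be stored in plain text somewhere" and kephra's "ask for a master password at boot", side by side as an added example (not code from the thread, the article, or Samsung). Standard library only: the cipher is HMAC-SHA256 run in counter mode with a separate HMAC tag, a demonstration construction standing in for AES-GCM, which the standard library lacks; the file layout, function names and sample password are constructed for the example.

```python
"""Added example (not from the thread): why a key stored beside the
credential file is no barrier to anyone who can read the filesystem,
while a key derived from a master password the user types in is.

Standard library only. The cipher is HMAC-SHA256 run in counter mode with
a separate HMAC tag (encrypt-then-MAC); it stands in for AES-GCM, which the
standard library does not provide, and is a demonstration construction."""
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ROUNDS = 200_000  # cost of one master-password guess; tune for the hardware


def _subkeys(key: bytes):
    """Separate keys for the keystream and the tag so their inputs never collide."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered store")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def store_with_key_on_disk(password: bytes) -> dict:
    """Scheme A: a random key made at install time and written next to the
    blob. Both 'files' end up on the same filesystem."""
    key = secrets.token_bytes(32)
    return {"key_file": key, "store": encrypt(key, password)}


def store_with_master_password(password: bytes, master: str) -> dict:
    """Scheme B (kephra's suggestion): key derived from a master password the
    user types at boot. Only the salt and the ciphertext are written."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "store": encrypt(key, password)}


def recoverable_from_files(files: dict) -> Optional[bytes]:
    """What the files alone give to anyone who can read them (e.g. root):
    scheme A decrypts immediately; scheme B has nothing on disk to decrypt with."""
    if "key_file" in files:
        return decrypt(files["key_file"], files["store"])
    return None


def unlock_with_master(files: dict, master: str) -> bytes:
    """Scheme B at boot: the app re-derives the key from the typed master
    password; a wrong password fails the tag check instead of returning junk."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), files["salt"], PBKDF2_ROUNDS)
    return decrypt(key, files["store"])


if __name__ == "__main__":
    secret = b"s3cret-mail-password"  # constructed sample credential
    a = store_with_key_on_disk(secret)
    print("scheme A, files only:", recoverable_from_files(a))
    b = store_with_master_password(secret, "correct horse battery")
    print("scheme B, files only:", recoverable_from_files(b))
    print("scheme B, with master:", unlock_with_master(b, "correct horse battery"))
```

Scheme B only protects the files at rest: once the user has typed the master password, the derived key sits in the app's memory for as long as the app needs it, which is dfox's point that the application itself must be able to reach the data. It does turn a file read into an offline guessing attack against the master password, whose cost is set by `PBKDF2_ROUNDS`.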
------
pygorex
This is developer sloppiness. Google provides plenty of methods to
authenticate users without persisting user credentials to disk. There's no
reason an application would need to store your Google login to disk,
unencrypted or otherwise.

~~~
archivator
As someone on Reddit pointed out, the minimal API version of the app is 4,
which corresponds to Android 1.6, which, incidentally, does not have the
AccountManager infrastructure.

I guess that's a good reason to implement credentials storage, don't you think?

P.S. AccountManager stores your passwords and tokens unencrypted in a database
as well.
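
What "authenticate without persisting user credentials" looks like from the service side, in the OAuth style, as an added example that is not part of the thread and not Google's or Samsung's code: the device sends the password exactly once, gets back an opaque, scoped, expiring and revocable token, and writes only that token to its storage. The service keeps a PBKDF2 hash of the password and a SHA-256 of each token, so neither the device's files nor the service's table contain the password. The class names, scopes, sample user and in-memory tables are all constructed for the example.

```python
"""Added example (not from the thread): a minimal token service and the
client that stores only the token it was issued, never the password."""
import hashlib
import hmac
import secrets
import time
from typing import Optional


def _token_id(token: str) -> bytes:
    """Tokens are stored hashed, so a dump of the table yields nothing usable."""
    return hashlib.sha256(token.encode()).digest()


class TokenService:
    def __init__(self):
        self._users = {}   # username -> (salt, PBKDF2 hash of password)
        self._tokens = {}  # sha256(token) -> record

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user] = (salt, digest)

    def _password_ok(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(digest, candidate)

    def issue_token(self, user: str, password: str, scopes, ttl_seconds: int = 3600) -> str:
        """The only call that ever sees the password."""
        if not self._password_ok(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[_token_id(token)] = {
            "user": user,
            "scopes": frozenset(scopes),
            "expires": time.time() + ttl_seconds,
            "revoked": False,
        }
        return token

    def authorize(self, token: str, needed_scope: str) -> Optional[str]:
        """Return the user the token acts for, or None if it is unknown,
        revoked, expired, or lacks the requested scope."""
        rec = self._tokens.get(_token_id(token))
        if rec is None or rec["revoked"] or time.time() >= rec["expires"]:
            return None
        if needed_scope not in rec["scopes"]:
            return None
        return rec["user"]

    def revoke(self, token: str) -> bool:
        """Kill one token without touching the password or any other token."""
        rec = self._tokens.get(_token_id(token))
        if rec is None:
            return False
        rec["revoked"] = True
        return True


class DeviceApp:
    """The client side: what it writes to its own storage after login."""
    def __init__(self):
        self.on_disk = {}

    def login(self, service: TokenService, user: str, password: str, scopes) -> None:
        token = service.issue_token(user, password, scopes)
        self.on_disk = {"user": user, "token": token}  # the password is dropped here

    def fetch_mail(self, service: TokenService) -> Optional[str]:
        return service.authorize(self.on_disk.get("token", ""), "mail:read")


if __name__ == "__main__":
    svc = TokenService()
    svc.register("alice", "hunter2-example")  # constructed sample account
    app = DeviceApp()
    app.login(svc, "alice", "hunter2-example", {"mail:read"})
    print("on device:", app.on_disk)
    print("mail as:", app.fetch_mail(svc))
    svc.revoke(app.on_disk["token"])
    print("after revoke:", app.fetch_mail(svc))
```

The token on the device is still a secret that anyone with root can read, as the thread says, and archivator's note that AccountManager keeps tokens unencrypted applies just the same. The difference is in what a leak costs: a token is limited to its scopes, expires on its own, and can be revoked server-side without the user changing a password that is probably reused elsewhere.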

------
buster
Wow.. what a bad title.. As far as I understand it's one application they
found called S-Memo which stores passwords as plaintext. The title makes it
sound as if all application passwords are stored plaintext somehow.. Wow... I
guess I'll just avoid geek.com.

------
zobzu
"When you have a rooted Android phone, it’s widely understood that all bets
are off as far as vulnerabilities are concerned."

FUD

------
unitesting24
Maybe they should be added to <http://plaintextoffenders.com>

------
barista
This thread has more details:

<http://forum.xda-developers.com/showthread.php?t=1983672>

------
jayfuerstenberg
There is no excuse for openly storing passwords like this. Why does Samsung
think this is acceptable?

~~~
yuliyp
Why is storing them encrypted locally any better? Someone with root has access
to the decryption keys anyway.

~~~
aristidb
It isn't. Storing passwords on a mobile device, unencrypted or encrypted, is
just wrong.

Fortunately authenticating with Google services requires neither.

~~~
bigiain
The problem is, I want my phone to be able to authenticate with way more than
just Google services.

And I want it to be able to do that in a way which doesn't require me to
remember several dozen secure-against-2012-vintage-password-cracking-techniques.

I _know_ that sometime in the next year or two we'll see another password leak
like, say, LinkedIn's recent one - so I know I need to use 12+ "upper, lower,
number, and 'special'" character non-dictionary passwords to ensure I'm not
trivially exposed by rainbow tables or GPU crackers.

A quick count on my phone just now, there's at least 33 different services my
phone "remembers" its login for. Some of them use OAuth-style authentication
(Twitter and Flickr, for example), and some (Google, Facebook, and Amazon) are
3 factor auth protected (but, against a rooted phone that wouldn't help much,
since I'm using the Google Authenticator app to generate the auth tokens, if
my phone were under someone else's control they could watch me using and
unlocking the authenticator app...)

But there are still dozens of services - email accounts, websites, web service
backed apps - that require the phone to have access to the cleartext password,
either from me remembering it and typing it in, or from its own storage
mechanisms - secure or not.

My phone would be _remarkably_ less useful to me if it didn't store passwords,
or only worked with services that didn't require password storage.

