

Android AOSP Browser stores passwords in plain text - JBirdVegas
https://code.google.com/p/android/issues/detail?id=52895

======
octix
I'm not a security expert, but I wonder how it will help if passwords are
stored encrypted? I mean, if someone steals my phone, he'll be able to decrypt
it anyway, right? Since the physical device is in his hands, with keys and
everything, and not just some database dump.

This also reminds me of Pidgin, which does the same thing... just saying.

~~~
JBirdVegas
Pidgin is one account, assuming passwords are only used once (crazy, I know).
The browser, however, has the potential to store all your accounts' usernames
and passwords.

If the device is rooted, a malicious app could simply copy the webview.db and
send off your usernames / passwords. Encryption would at least stop anyone who
didn't want to brute-force a DB. I'm not saying it is impossible, but that
doesn't mean plain text is the right answer.
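
As an added illustration of the point above (this is example code, not code from the original thread or from AOSP), here is what "store the password encrypted under a key derived from a user secret" looks like, in Go against the standard library only. The PBKDF2-HMAC-SHA256 routine is a direct RFC 8018 implementation included so nothing outside the standard library is needed; the record layout, the binding of site and username as associated data, and the iteration count are assumptions made for the example, as is the constructed sample credential.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Credential is one saved login, the kind of row a browser's webview.db holds.
type Credential struct{ Site, Username, Password string }

// SealedCredential is the at-rest form: site and username stay readable so the
// browser can find the row; the password is AES-GCM ciphertext under a key
// derived from the user's passphrase. Salt, nonce and cost are stored alongside.
type SealedCredential struct {
	Site, Username         string
	Salt, Nonce, Ciphertext []byte
	Iterations              int
}

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256 as the PRF, written here only
// so the example needs nothing outside the standard library.
func pbkdf2SHA256(passphrase, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	out := make([]byte, 0, keyLen)
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j = PRF(P, U_{j-1})
			for k := range t {
				t[k] ^= u[k] // T_i = U_1 xor U_2 xor ... xor U_c
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func gcmFor(passphrase string, salt []byte, iterations int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the password with a fresh salt and nonce. Site and username are
// bound as associated data, so a ciphertext cannot be moved onto another row.
func Seal(passphrase string, c Credential, iterations int) (SealedCredential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return SealedCredential{}, err
	}
	gcm, err := gcmFor(passphrase, salt, iterations)
	if err != nil {
		return SealedCredential{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedCredential{}, err
	}
	aad := []byte(c.Site + "\x00" + c.Username)
	ct := gcm.Seal(nil, nonce, []byte(c.Password), aad)
	return SealedCredential{c.Site, c.Username, salt, nonce, ct, iterations}, nil
}

// Open reverses Seal; a wrong passphrase or a tampered row fails authentication
// instead of yielding garbage.
func Open(passphrase string, s SealedCredential) (string, error) {
	gcm, err := gcmFor(passphrase, s.Salt, s.Iterations)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(s.Site+"\x00"+s.Username))
	if err != nil {
		return "", errors.New("wrong passphrase or tampered record")
	}
	return string(pt), nil
}

// LeaksPassword models "copy the db file and grep it": true when the raw bytes
// a thief would copy contain the password verbatim.
func LeaksPassword(raw []byte, password string) bool {
	return bytes.Contains(raw, []byte(password))
}

func main() {
	cred := Credential{"https://example.test", "alice", "correct horse battery"} // constructed sample
	plainRow := []byte(cred.Site + "|" + cred.Username + "|" + cred.Password)
	sealed, err := Seal("user-unlock-secret", cred, 100_000)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext row leaks password:", LeaksPassword(plainRow, cred.Password))
	fmt.Println("sealed row leaks password:   ", LeaksPassword(sealed.Ciphertext, cred.Password))
	_, err = Open("guess", sealed)
	fmt.Println("wrong passphrase rejected:   ", err != nil)
	pw, _ := Open("user-unlock-secret", sealed)
	fmt.Println("right passphrase recovers:   ", pw == cred.Password)
}
```

The design point is the one made in the comment: a copied file alone now yields salt, nonce and ciphertext, and recovering passwords means guessing the passphrase through the PBKDF2 cost for every attempt rather than reading them out. It does not help against an attacker who already runs as root while the user has the store unlocked, since the derived key is in the app's memory at that moment; that is the separate threat the next replies argue about.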

~~~
vetinari
If you granted root permissions to a malicious app, you've got much bigger
problems than cleartext passwords in a private file.

If you didn't grant root permissions to a malicious app, why do you care how
it is stored? No other app can access it anyway, and any obfuscation would be
good only for complexity's sake.

~~~
yareally
I would be more worried about a malicious app taking advantage of an exploit
to compromise your phone and then reading your passwords, without having had
root on your device before and without asking for root permissions. There are
known ways out there to get root access via exploits without actually
unlocking.

~~~
vetinari
Exploits can be used for privilege escalation on all platforms; that's not an
Android-specific thing.

Adding to that, Android vendors are not that bad at fixing exploits. I had two
devices (a Sony phone and an Asus tablet) that were always fixed before the
exploit got widely known. I could not root them (yes, I wanted to do it without
unlocking) if I updated as soon as the updates were available.

With SEAndroid getting into stock Android, even that is going to be a thing of
the past.

