

Why passwords should not be stored on a mobile device - _ares__
http://mobilesecurityares.blogspot.com/2014/12/why-passwords-should-not-be-stored-on.html

======
_ares__
As I published an analysis of Samsung Knox two months ago
(http://mobilesecurityares.blogspot.de/2014/10/why-samsung-knox-isnt-really-fort-knox.html),
I thought it was time to write a short article about passwords on mobile
devices in general.

~~~
higherpurpose
Since 4.4 Android uses the Enforced Mode of SELinux, which should limit some
privileges. Can the root user still have access to the passwords in this
situation?

~~~
_ares__
Android introduced SELinux with version 4.3. There it was really permissive;
since version 5.0 Android has moved to full enforcement of SELinux. Yes, this
will help to prevent it a bit, but it's not a "jack of all trades". There are
still processes which run as root and can be exploited, thus circumventing
the SELinux rules, like the core ‘Zygote’ service. "Zygote is one of the only
services available on Android L, which is started as root within the
unrestricted “init” SELinux context."
(http://www.xda-developers.com/android/supersu-beta-lollipop-root-stock-kernel/)

Regards,

Ares
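The point raised above (that SELinux enforcement only helps as far as no root process sits in an unrestricted domain) is something you can check on a device rather than take on faith. The script below is an added example, not code from the thread or from the linked blog posts: it audits a `ps -Z` style listing for processes that run as root inside a given SELinux domain. The column layout (LABEL USER PID PPID NAME) and the sample listing are constructed assumptions for offline use; on a real device you would pipe `adb shell ps -Z` into the same functions instead.

```shell
#!/bin/sh
# Added example (not from the original thread): find processes that run as
# root inside a chosen SELinux domain, using a `ps -Z` style listing.
#
# Assumed column layout, in this order: LABEL USER PID PPID NAME.
# Real `ps -Z` output on a given Android build may use different columns,
# so adjust the awk field numbers if needed.

# Constructed sample listing (not captured from a real device).
SAMPLE_PS='u:r:init:s0                     root      1     0     /init
u:r:kernel:s0                   root      2     0     kthreadd
u:r:zygote:s0                   root      512   1     zygote
u:r:init:s0                     root      530   1     /system/bin/foo
u:r:untrusted_app:s0            u0_a42    800   512   com.example.app
u:r:system_server:s0            system    600   512   system_server
u:r:shell:s0                    shell     900   1     /system/bin/sh'

# root_in_domain <domain>  (listing on stdin)
# Prints "<pid> <name>" for every process whose label is u:r:<domain>:s0
# and whose user is root. These are the processes worth a second look:
# if one of them is exploitable, SELinux confinement for that domain is
# all that stands between the attacker and the rest of the system.
root_in_domain() {
    awk -v d="u:r:$1:s0" '$1 == d && $2 == "root" { print $3, $5 }'
}

# count_root_procs  (listing on stdin)
# Prints the number of processes running as root, regardless of domain.
count_root_procs() {
    awk '$2 == "root" { n++ } END { print n + 0 }'
}

# is_enforcing <mode-string>
# Returns 0 when the string (as printed by `getenforce`) is "Enforcing".
# A permissive system logs denials but does not block them, so the domain
# audit above means nothing unless this check passes as well.
is_enforcing() {
    case "$1" in
        Enforcing) return 0 ;;
        *)         return 1 ;;
    esac
}

# Convenience wrappers over the constructed sample listing.
sample_root_in_domain() {
    printf '%s\n' "$SAMPLE_PS" | root_in_domain "$1"
}

sample_count_root_procs() {
    printf '%s\n' "$SAMPLE_PS" | count_root_procs
}

# Stand-alone run: report root processes in the unrestricted init domain.
if [ "${1:-}" = "--demo" ]; then
    echo "root processes in domain init:"
    sample_root_in_domain init
    echo "total root processes: $(sample_count_root_procs)"
fi
```

Against a live device the same audit is `adb shell ps -Z | root_in_domain init` together with `is_enforcing "$(adb shell getenforce)"`; any root process that shows up in a broad domain such as init is a candidate for the kind of bypass the reply describes, since a compromise of it inherits that domain's permissions.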

