KitGuru KitGuru.net – Tech News | Hardware News | Hardware Reviews | IOS | Mobile | Gaming | Graphics Cards
The Android Operating system is coming under fire after a hacker published a report showing that passwords were just listed as plain text.
Well known publication HackerNews has highlighted that Android passwords are not stored securely and are easily accessible from the phone, if you know what area to look at.
After some poking about, it appears that the email accounts password is stored in the SQLite DB which then saves it into the phones file system in ordinary text. It has raised a point as to why Google haven't decided to encrypt the text for security reasons.
Andy Stadler, a member of the Android Support team said that the problem is due to Android email supporting IMAP, POP3, SMTP and Exchance ActiveSync. These all demand that the software shows the password to the server every time it connects.
He says “The first thing to clarify is that the Email app supports four protocols – POP3, IMAP, SMTP, and Exchange ActiveSync – and with very few, very limited exceptions, all of these are older protocols which require that the client present the password to the server on every connection. These protocols require us to retain the password for as long as you wish to use the account on the device. Newer protocols don't do this – this is why some of the articles have been contrasting with Gmail, for example. Newer protocols allow the client to use the password one time to generate a token, save the token, and discard the password.”
He also said that encrypting passwords with a key stored somewhere else won't make it more secure. He said that other email clients also had the same problem.
He added “In particular, some claims have been made about some of the other email clients not storing the password in cleartext. Even where this is true, it does not indicate that the password is more secure. A simple test: if you can boot up the device and it will begin receiving email on your configured accounts, then the passwords are not truly secure. They are either obfuscated, or encrypted with another key stored somewhere else.”
Kitguru says: While Stadler debated the security issues he did end with a comment saying he would look into ways of making the data more secure. Perhaps some good will come from the exposure.
