Android JB 4.2+ Exchange plain text password bug


The default email client in Android Jelly Bean 4.2+ seems to store the Exchange account password in plain text, not as a cipher text of the password. In general, account information is stored in the accounts.db file under /data/system/users/0/. The accounts.db file can be opened with an SQLite editor or the default Android viewer.


In the accounts.db file there is an account table in which the following fields are stored: [id, name, type, password].

FYI: the accounts.db file can be accessed only on a rooted Android device. So people who have rooted their phone should be careful about granting root access to apps (refer here).

To verify which applications are revealing the user passwords, I have logged in to the widely used clients Gmail App, Android default email client, Facebook App, WhatsApp, Skype, Dropbox, Outlook.com App and Verizon app from a Google Nexus 4 with Jelly Bean 4.2.2.
  • The Gmail App generally stores the app-specific authentication token (2-form authentication).
  • Skype and Verizon store the cipher text in the accounts.db file.
  • Outlook.com, WhatsApp and Facebook don't store any.


To verify the Exchange bug in the Android default email client, I created a temporary fake email "androidexchangebug@outlook.com" with password "ItsExchangePwd1" and logged in to it via the default email client and the Outlook.com app.

As the accounts.db dump shows, the default Android email client (com.android.exchange) stores the password as plain text without any encryption. The Outlook app (com.outlook.Z7.eas) doesn't store any password in the accounts.db file.
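The check the post performs by hand (log in with a throwaway password, then look for that exact string in the password column of accounts.db) can be automated so that every account type on a rooted test device is audited in one pass. The script below is an added example and not the author's code; it assumes a table named `accounts` with only the four fields the post lists (the real file carries more columns, which are ignored), uses constructed sample rows modelled on the post's observations, and can also be pointed at a copy of accounts.db pulled from a rooted device. A verdict of `opaque` only means the stored value is not a literal match for a known credential; it is not proof that the value is encrypted.

```python
import sqlite3
from contextlib import closing
from typing import Dict, Iterable, List, Optional

# Column names follow the four fields the post lists ([id, name, type, password]).
# Assumption: the table is called "accounts"; the real accounts.db has extra
# columns, which this audit simply does not select.
SCHEMA = (
    "CREATE TABLE accounts ("
    "id INTEGER PRIMARY KEY, name TEXT, type TEXT, password TEXT)"
)

# Constructed sample rows modelled on the post's observations (not a real dump).
SAMPLE_ROWS = [
    (1, "androidexchangebug@outlook.com", "com.android.exchange", "ItsExchangePwd1"),
    (2, "androidexchangebug@outlook.com", "com.outlook.Z7.eas", None),
    (3, "user@example.com", "com.google", "oauth2:constructed-opaque-token-value"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory accounts.db lookalike filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def classify_password(stored: Optional[str], known_secrets: Iterable[str]) -> str:
    """Label what an account's password column holds.

    'none'      -> nothing stored (the app keeps credentials elsewhere or only a token).
    'plaintext' -> the column equals a credential the tester typed in themselves,
                   which is exactly the check the post made with its fake account.
    'opaque'    -> something is stored that matches no known credential (a token or
                   cipher text); this rules out a literal match, nothing more.
    """
    if stored is None or stored == "":
        return "none"
    if stored in set(known_secrets):
        return "plaintext"
    return "opaque"


def audit_accounts(conn: sqlite3.Connection, known_secrets: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per row of the accounts table, ordered by id."""
    known = set(known_secrets)
    findings: List[Dict[str, object]] = []
    for row_id, name, acct_type, password in conn.execute(
        "SELECT id, name, type, password FROM accounts ORDER BY id"
    ):
        findings.append({
            "id": row_id,
            "name": name,
            "type": acct_type,
            "verdict": classify_password(password, known),
        })
    return findings


def plaintext_account_types(conn: sqlite3.Connection, known_secrets: Iterable[str]) -> List[str]:
    """Account types (package names) whose password column holds a known credential verbatim."""
    return [str(f["type"]) for f in audit_accounts(conn, known_secrets) if f["verdict"] == "plaintext"]


def audit_file(path: str, known_secrets: Iterable[str]) -> List[Dict[str, object]]:
    """Audit a copy of accounts.db pulled from a rooted device, opened read-only."""
    with closing(sqlite3.connect(f"file:{path}?mode=ro", uri=True)) as conn:
        return audit_accounts(conn, known_secrets)


if __name__ == "__main__":
    db = build_sample_db()
    # The tester knows the throwaway password, so a literal hit is a plain-text finding.
    for finding in audit_accounts(db, ["ItsExchangePwd1"]):
        print(f"{finding['type']:<24} {finding['name']:<34} {finding['verdict']}")
```

To audit a real device, copy /data/system/users/0/accounts.db off the rooted test phone and call `audit_file(path, [the_throwaway_password])`; rows reported as `plaintext` are the account types that keep the user's actual credential in the clear.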



Android bugs can be reported using the information mentioned here. I have reported the bug to Google via security@android.com.



Anonymous Technology geek

Sole blogger :(
