Android passwords are stored in plain text

Security on the Android operating system has been dismissed as a joke after a hacker found that it was listing user passwords in plain text.

Hacker News has reported that Android user passwords are stored in plain text on the phone’s harddrive, if you know where to look.

An Android user noticed that a password for email accounts is stored into the SQLite DB which in turn stores it on the phone’s file system in plain text. He suggested that this was daft and Google should be encrypting or at least transforming the password.

Android Support’s Andy Stadler wrote that the problem was caused by the fact that Android Email supports POP3, IMAP, SMTP, and Exchange ActiveSync. All of these require that the software present the password to the server on every connection.

Android has to retain the password for as long as users need to use the account. Newer protocols don’t have this problem. They allow the client to use the password one time to generate a token, save the token, and discard the password, he said.

But he pointed out that obscuring your password or encrypting it with a key stored elsewhere will not make password or data more secure.  It will just be somewhere else.

Stadler implied that other email clients had the same problem. Some pretended they were more secure because they were using obscuring or encryption. However it did not mean that the password was more secure.

If a user can boot up the device and it will begin receiving email on your configured accounts, then the passwords are not truly secure, he said. All the client has done is either obfuscate, or encrypte them with another key stored somewhere else.

He pointed out that if any one can see data from files in /data/data/* on a non-rooted device, there was a security problem in the device, not a bug in the Email program.

Stadler said that he was going to look into the bug and see if there were ways of fixing it.