Security problem with rooted phones?

Discussion in 'Android General Discussions' started by bje1982, Sep 24, 2010.

  1. bje1982

    bje1982 Member

    Sorry if this has already been posted. I was playing around with my phone using Root Explorer and stumbled upon some weird-looking files inside data/data, including accounts.db, webview.db and a few others that I decided to open in text view, and actually found my bank login info was stored on my phone from the browser even though I cleared cache, history, passwords and everything!! Then today I read this: Security bulletin for rooted users: Android passwords stored as clear text | Android Central

    Not trying to start a scare, but the security of rooted Android phones really worries me. Anyone else have any input before this gets taken down?
     
  2. Bob Dammit

    Bob Dammit Super Moderator

    Everyone forgets that nice Android phone is a computer. It has security flaws, and the same security measures you use on your home PC should apply to your phone as well. I see way too many posts about OMG!!11!!111 my replacement keyboard app says it is a key logger. Let that one sink in for a minute. How else is the app going to transpose what you are typing if it is not logging your key presses???? But the same people do their banking on their phones and don't think about it. I'm sure the hole will be patched, but the "bad guys" know it exists. Even the "encrypted" data is not safe. How long will it take to break the encryption if you have the ability to change the password on your own phone, and note the changes to your own encrypted data?
    Tokens seem to be the most logical alternative, but even they will be exploited eventually. It's the price you pay for an "open" system.
     
  3. SGTiger

    SGTiger Member

    Thanks for the heads up. Just checked my xscope browser with sqlite editor and it shows critical login names and passwords for previous websites that I have logged into in plain text. Ugggh. Checking other apps now...

    Edit:
    Apps I have found so far that display user names and passwords in plain text
    xScope
    Stock Browser
    Remote RDP
     
    #3 SGTiger, Sep 24, 2010
    Last edited: Sep 24, 2010
  4. bje1982

    bje1982 Member

    I guess I should accept the fact that nothing connected to a network is safe, not even my Droid.
     
  5. cupfulloflol

    cupfulloflol Senior Member

    The problem isn't that the phone is rooted, the problem is that these files aren't encrypted in some way. If someone knows where to look for these and how to read them, they more than likely could root the phone. So if your phone stumbles into the sinister hands of someone that has a little time, patience, and know-how, they will be able to root your phone, then get to what they wanted. The only thing they would need would be a cord to plug the phone into a PC.
     
  6. bje1982

    bje1982 Member

    You are correct. But the problem for people who already rooted their phones is now someone doesn't have to get their hands on your phone to look at these files. You could download a "root only" app, and when you do you give it permission to access your system, therefore you could potentially download an app that in turn steals your passwords and sends them back to the app maker....

    If you are not rooted, any apps you download don't have the proper tools or permissions to look where these files are stored.
     
  7. SGTiger

    SGTiger Member

    The large majority of apps that I checked have the login name and password encrypted. I believe that with a little pressure, the devs of the other apps will take quick action except for perhaps Google and its stock browser. The main one I am concerned with is xScope since I do all my web browsing with it.
     
  8. MD MC

    MD MC New Member

    First post, been lurking for months. Just wanted to throw out that I work for a pretty large financial institution, and we have just received notification that we can use the Good app, which is a secure way of retrieving emails. One catch though, no rooted phones. I think you will see that a lot in the future, when it comes to apps for banks and such.
     
  9. SGTiger

    SGTiger Member

    I can see that happening also. However if the phone falls into the wrong hands, it could be rooted after the fact. I think the solution comes down to devs not being lazy and storing plain text in the dbs. I will no longer use an app that does.
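
The manual check SGTiger describes in post #3 (opening app databases in a SQLite editor), written as a repeatable audit a developer could run against a copy of their own app's database. This is an added example, not part of the original thread; the schema, sample rows and the name/value heuristics are assumptions constructed for the demo.

```python
import re
import sqlite3

# Column names that usually hold credentials (heuristic, an assumption of this example).
SECRET_COL = re.compile(r"pass(word|wd)?|pwd|secret|token", re.I)
# Values that look like hex digests or base64 ciphertext rather than typed text.
OPAQUE = re.compile(r"^(?:[0-9a-fA-F]{32,}|[A-Za-z0-9+/]{24,}={0,2})$")

def looks_plaintext(value):
    """True if a stored value looks like a human-typed secret."""
    if not isinstance(value, str) or not value:
        return False  # BLOB, NULL or empty: not readable text
    return value.isprintable() and not OPAQUE.match(value)

def audit(conn):
    """Return sorted (table, column, readable_rows, total_rows) for credential-like columns."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for col in conn.execute(f'PRAGMA table_info("{table}")'):
            name = col[1]  # second field of table_info is the column name
            if not SECRET_COL.search(name):
                continue
            rows = conn.execute(f'SELECT "{name}" FROM "{table}"').fetchall()
            hits = sum(looks_plaintext(r[0]) for r in rows)
            findings.append((table, name, hits, len(rows)))
    return sorted(findings)

def build_sample():
    """Constructed sample data; table and column names are made up for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE password (_id INTEGER PRIMARY KEY, host TEXT, username TEXT, password TEXT);
        INSERT INTO password (host, username, password) VALUES
            ('https://bank.example', 'alice', 'Summer2010!'),
            ('https://mail.example', 'alice', 'hunter2');
        CREATE TABLE accounts (name TEXT, auth_token TEXT, password BLOB);
        INSERT INTO accounts VALUES
            ('alice@example.com', 'q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6', x'9f3a11c07be2d4');
    """)
    return conn

if __name__ == "__main__":
    for table, col, hits, total in audit(build_sample()):
        status = "PLAINTEXT" if hits else "ok"
        print(f"{table}.{col}: {hits}/{total} readable values [{status}]")
```

An "ok" result only means the values are not readable text; it does not show that they are encrypted well, and a long alphanumeric passphrase stored as-is would slip past the value heuristic.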
     