from Hacker News

Samsung Galaxy S3 stores passwords in plain text

by jgnatch on 11/13/12, 12:23 AM with 37 comments

  • by SoftwareMaven on 11/13/12, 1:23 AM

    This is a really bad article. I would call it nothing less than fear-mongering. Let's say they decided to encrypt the file. They would have to store that key in plain-text somewhere. Of course, they could encrypt that, but then that key would have to be stored somewhere.

    No matter how they decided to store the password, if somebody has root access to the device, they can find a way to read it. If they can't find a way, the phone won't either, so it won't be able to log you in.

    The only answer is to not let your device store your password. Choose security or convenience, but don't expect both.

    (This is no different than Pidgin storing your passwords in plaintext[1] with the exact same reasons and consequences.)

    1. https://developer.pidgin.im/wiki/PlainTextPasswords

  • by kephra on 11/13/12, 2:27 AM

    > While rooting a Samsung Galaxy S3 only takes about five minutes, the software tools required are uncommon enough that as long as your phone isn’t already rooted you likely don’t have anything to worry about.

    This is plain wrong: any unrooted Android is insecure, because the exploit to root it is not fixed. The only way to make an Android secure is to root it, to install a newer version, and to upgrade it regularly.

    The right way to store passwords would be: ask for a master password at boot to start an app that manages the password crypt. As far as I know, nobody does this. So the second-best way is to install Google Play into an emulator and use something like Titanium to move applications between the emulator and the phone.
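The master-password design kephra sketches (the stored file is useless without a password typed at unlock time, and no key for it lives on the device), as an added example that is not part of the thread or of any Samsung or S-Memo code. It uses only the Python standard library: PBKDF2 stretches the master password into separate encryption and MAC keys, the vault is encrypted with an HMAC-SHA256 counter-mode keystream and then authenticated with HMAC (encrypt-then-MAC). The PRF-based stream cipher is an assumption made to keep the example dependency-free; a real implementation would use AES-GCM from a vetted library. The iteration count, the vault layout and the sample secrets are also assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os
import struct

# Assumed parameters (illustrative, not from any real product).
PBKDF2_ITERATIONS = 200_000
KEY_LEN = 32          # bytes per derived key
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32          # HMAC-SHA256 output


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key.

    Nothing derived here is ever written to disk; the only persistent
    material is the random salt, which is useless without the password.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt,
        PBKDF2_ITERATIONS, dklen=2 * KEY_LEN,
    )
    return material[:KEY_LEN], material[KEY_LEN:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF (stdlib stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password: str, secrets: dict[str, str]) -> bytes:
    """Encrypt-then-MAC a dict of per-site passwords. Returns the bytes to store on disk."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(secrets).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> dict[str, str] | None:
    """Return the secrets, or None if the password is wrong or the file was modified.

    The MAC is checked before any decryption, so a wrong password and a
    tampered file are indistinguishable to the caller: both simply fail.
    """
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


def leaks_plaintext(blob: bytes, secret: str) -> bool:
    """The check that caught S-Memo: does the stored file contain the password verbatim?"""
    return secret.encode("utf-8") in blob


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    secrets = {"google": "hunter2", "imap": "correct horse battery staple"}
    blob = seal_vault("master-password-typed-at-unlock", secrets)
    print("plaintext visible on disk:", leaks_plaintext(blob, "hunter2"))   # False
    print("wrong master password ->", open_vault("guess", blob))             # None
    print("right master password ->", open_vault("master-password-typed-at-unlock", blob))
```

The point the thread is circling is visible in `derive_keys`: the only secret the scheme depends on is typed by the user, so a root-level read of the file yields a salt, a nonce, ciphertext and a tag, and an attacker is left brute-forcing the master password through 200,000 PBKDF2 rounds per guess. The trade-off is exactly the one SoftwareMaven names: the app cannot log you in until you have entered that password.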

  • by pygorex on 11/13/12, 1:27 AM

    This is developer sloppiness. Google provides plenty of methods to authenticate users without persisting user credentials to disk. There's no reason an application would need to store your Google login to disk, unencrypted or otherwise.

  • by buster on 11/13/12, 8:26 AM

    Wow.. what a bad title.. As far as I understand, it's one application they found, called S-Memo, which stores passwords as plaintext. The title makes it sound as if all application passwords are stored plaintext somehow.. Wow... I guess I'll just avoid geek.com.

  • by zobzu on 11/13/12, 3:53 AM

    "When you have a rooted Android phone, it’s widely understood that all bets are off as far as vulnerabilities are concerned."

    FUD

  • by unitesting24 on 11/13/12, 8:20 AM

    Maybe they should be added to http://plaintextoffenders.com

  • by barista on 11/13/12, 12:28 AM

  • by jayfuerstenberg on 11/13/12, 1:06 AM

    There is no excuse for openly storing passwords like this. Why does Samsung think this is acceptable?