Security problem with rooted phones?

[bje1982]

Sorry if this has already been posted. I was playing around with my phone using root explorer and stumbled upon some wierd looking files inside data/data.. including accounts.db, webview.db and a few others that I decided to open in text view and actually found my bank login info was stored on my phone from the browser even tho I cleared cache, history passwords and everything!! Then today I read this: Security bulletin for rooted users: Android passwords stored as clear text | Android Central

Not trying to start a scare but the security of rooted android phones really worries me. Anyone else have any imput before this gets taken down?

 

[Bob Dammit]

Everyone forgets that nice android phone is a computer. It has security flaws, and the same security measures you use on your home PC should apply to your phone as well. I see way too many posts about OMG!!11!!111 my replacement keyboard app says it is a key logger. Let that one sink in for a minute. How else is the app going to transpose what you are typing if it is not logging your key presses???? But the same people do their banking on their phones and dont think about it. Im sure the hole will be patched, but the "bad guys" know it exists. Even the "encrypted" data is not safe. How long will it take to break the encryption if you have the ability to change the password on your own phone, and note the changes to your own encrypted data?
Tokens seem to be the most logical alternative, but even they will be exploited eventually. Its the price you pay for an "open" system.

 

[SGTiger]

Not trying to start a scare but the security of rooted android phones really worries me. Anyone else have any imput before this gets taken down?

Thanks for the heads up. Just checked my xscope browser with sqlite editor and it shows critical login names and passwords for previous websites that I have logged into in plain text. Ugggh. Checking other apps now...

Edit:
Apps I have found so far that display user names and passwords in plain text
xScope
Stock Browser
Remote RDP

 

[bje1982]

I guess I should accept the fact that nothing connected to a network is safe not even my Droid :r_c:

 

[cupfulloflol]

The problem isn't that the phone is rooted, the problem is that these files aren't encrypted in some way. If someone knows where to look for these and how to read them, they more than likely could root the phone. So if your phone stumbles into the sinister hands of someone that has a little time, patience, and know how they will be able to root your phone, then get to what they wanted. The only thing they would need would be a cord to plug the phone into a PC.

 

[bje1982]

The problem isn't that the phone is rooted, the problem is that these files aren't encrypted in some way. If someone knows where to look for these and how to read them, they more than likely could root the phone. So if your phone stumbles into the sinister hands of someone that has a little time, patience, and know how they will be able to root your phone, then get to what they wanted. The only thing they would need would be a cord to plug the phone into a PC.

You are correct. But the problem for people who already rooted there phones is now someone doesnt have to get there hands on your phone to look at these files, you could download a "root only" app and when you do you give it permission to access your system therfore you could potentially download an app that in turn steals your passwords and sends them back to the app makeer....

If you are not rooted any apps you download dont have the proper tools or permissions to look where these files are stored..

 

[SGTiger]

The problem isn't that the phone is rooted, the problem is that these files aren't encrypted in some way. If someone knows where to look for these and how to read them, they more than likely could root the phone. So if your phone stumbles into the sinister hands of someone that has a little time, patience, and know how they will be able to root your phone, then get to what they wanted. The only thing they would need would be a cord to plug the phone into a PC.

You are correct. But the problem for people who already rooted there phones is now someone doesnt have to get there hands on your phone to look at these files, you could download a "root only" app and when you do you give it permission to access your system therfore you could potentially download an app that in turn steals your passwords and sends them back to the app makeer....

If you are not rooted any apps you download dont have the proper tools or permissions to look where these files are stored..

The large majority of apps that I checked have the login name and password encrypted. I believe that with a little pressure, the devs of the other apps will take quick action except for perhaps Google and its stock browser. The main one I am concerned with is xScope since I do all my web browsing with it.

 

[MD MC]

First post, been lurking for months. Just wanted to throw out that I work for a pretty large financial institution, we have just received notification that we can use the Good app, which is a secure way of retrieving emails. One catch though, no rooted phones. I think you will see that alot in the future, when it comes to apps for banks and such

 

[SGTiger]

First post, been lurking for months. Just wanted to throw out that I work for a pretty large financial institution, we have just received notification that we can use the Good app, which is a secure way of retrieving emails. One catch though, no rooted phones. I think you will see that alot in the future, when it comes to apps for banks and such

I can see that happening also. However if the phone falls into the wrong hands, it could be rooted after the fact. I think the solution comes down to devs not being lazy and storing plain text in the dbs. I will no longer use an app that does.

 

[badkinson5459]

My phone has the a / b slot that is pretty standard nowadays. If I have one slot rooted and the other not and mostly stay on the non rooted slot will this improve security?