
The brilliant folks over at Rootz Wiki have discovered a major security hole that potentially puts a majority of rooted Android users at risk of having sensitive passwords compromised. The vulnerability only affects those who use the default Android browser to remember their passwords for the websites that they frequent.
Apparently, the stock browser stores the remembered passwords in plain text in an SQL database found at /data/data/com.android.browser/databases/webview.db, in a table named password.
This does not affect the Chrome browser, which actually is the stock browser on newer Nexus devices like the ASUS Nexus 7 or the LG Nexus 4. However, older devices that run AOSP, devices with a manufacturer skin that includes the AOSP browser (or a skinned version of it), or AOSP/AOKP custom ROMs that use the AOSP browser are all potentially at risk. Rooted users are most at risk, since potentially any app that has root access could read these passwords.
AOKP developers are already hard at work on a fix, but in the meantime, our official advice would be to clear all of your browser’s data and then use an alternate browser instead (like Chrome), until a fix is available for your device – either from Google directly, your device’s manufacturer, or your custom ROM’s developers.
[Rootz Wiki] Thanks, Paul!
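
A defender-side check for the exposure described above, added here as an example and not code from Rootz Wiki or AOSP: given a copy of webview.db pulled from your own device, it reports whether the password table still holds readable entries (for instance, to confirm that clearing the browser's data worked) without printing the stored secrets. The column names host and password are assumptions and are only queried if present; the sample rows are constructed.

```python
import sqlite3
import sys

def audit_password_table(con):
    """Summarise the stock browser's saved-password table without
    returning any stored secret."""
    found = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='password'"
    ).fetchone()
    report = {"table_present": bool(found), "columns": [],
              "rows": 0, "readable_secrets": 0, "sites": []}
    if not found:
        return report
    report["columns"] = [r[1] for r in con.execute("PRAGMA table_info(password)")]
    report["rows"] = con.execute("SELECT COUNT(*) FROM password").fetchone()[0]
    # Column names below are assumptions; they are only queried if present.
    if "password" in report["columns"]:
        report["readable_secrets"] = con.execute(
            "SELECT COUNT(*) FROM password "
            "WHERE typeof(password) = 'text' AND length(password) > 0"
        ).fetchone()[0]
    if "host" in report["columns"]:
        report["sites"] = sorted(
            r[0] for r in con.execute("SELECT DISTINCT host FROM password") if r[0])
    return report

def build_sample():
    """Constructed in-memory stand-in for webview.db (not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE password (_id INTEGER PRIMARY KEY, host TEXT, "
                "username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO password (host, username, password) VALUES (?, ?, ?)",
        [("example.test", "alice", "constructed-secret-1"),
         ("shop.example", "alice", "constructed-secret-2"),
         ("old.example", "bob", "")])
    return con

if __name__ == "__main__":
    # With a path: open a pulled copy read-only. Without: use the sample.
    con = (sqlite3.connect(f"file:{sys.argv[1]}?mode=ro", uri=True)
           if len(sys.argv) > 1 else build_sample())
    print(audit_password_table(con))
```

After clearing the browser's data, a report with rows equal to 0 (or table_present false) means nothing readable is left in that table.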

Does this affect Sense devices?
Not sure, to be honest. Possibly/probably. In any case, it probably affects CM10 or any other AOSP ROM you might be running.
I’m going to say, probably yes. The Sense web browser is heavily based on the stock Android browser, with some skinning and modifications.
The ironic thing is that a lot of apps store your passwords in plain-text in a database on your internal storage. It’s just sort of annoying when an app from Google also does this.
Are you serious? When a browser (or any other program, for that matter) “remembers” a password, it has to store it somewhere. Plain text or scrambled – doesn’t matter, because the password retrieval has to be reversible. Other than implementing a master password, there is no way to fix this, and I don’t think many people would like to be constantly prompted for a master password.
Also, here is an interesting read: http://lwn.net/Articles/453892/. Note the article’s date – August 2011.
Plenty of other options available. Do it like Chrome does (nothing stored on device, all cloud-based password management).
Do it with a password service that can only retrieve passwords for the app that sent them to it.
Etc…
Way too dangerous to be leaving this on a device that can be lost, backed up to a computer without being rooted, passwords and the websites they go to retrieved using Titanium backup on another device.
Paul, how are stored passwords retrieved from the cloud? There’s gotta be the master password somewhere, right? Suppose the passwords are stored in the cloud under your google account… To retrieve them, you need to log into your account first. If you don’t do it manually, your device does it for you, which means it stores your account password in plain text. Chicken and egg, isn’t it? The guys at Rootz Wiki may be brilliant, but this time they have not discovered anything new.
I’d guess like Twitter does, it would just store an oAuth token as opposed to storing it out in plain text.
I’ll check out how account manager stores info…
Bingo. They use OAuth tokens sent over an encrypted connection, which is better than sending the password to and fro ad nauseam.
It’s probably the best way to do it. Like you said, having passwords stored on the device, in plain-text, makes them easy prey. A lot of the apps I use encrypt them, so I simply have to enter a master key to decrypt them. That’s a good method too because nothing is stored that is unencrypted.
Here is the bug report: https://code.google.com/p/android/issues/detail?id=52895.
Status: WorkingAsIntended
Read the discussion over there – plenty of explanation why it works this way. If you have an idea how to fix an unfixable problem, comment there.
I don’t know specifics about Chrome for Android, but on the desktop I believe Chrome actually keeps passwords in plain text, and if not they are easily accessible through the browser settings, displayed with website names. As a result, I never have any browsers save my passwords, just to be safe.
I assume this probably affects AOSP browsers all the way back to the beginning, not just Android 4.x. My wife uses CM7.2 on her OG EVO 4G, but I don’t think she stores any of the passwords (she enters them each time).
Sad thing is, Google is probably never going to issue an update to anything prior to ICS to fix this. Can you see them making an Android 2.3.8 to fix the browser at this point? Neither can I. The best course of action, I suppose, is for her to use a third party alternative like Dolphin browser.