
Samsung S-Memo Security Flaw Reminds Us of the Dangers of Rooting a Device

A cautionary tale for you on this Monday, brought to you from XDA. A user was looking through his rooted Galaxy S3 system files the other day and decided to open up the S-Memo database in SQLite. I’m not sure what he was looking for, but one thing he was surprised to find was that the application stored his Google password in plaintext, with no encryption of any kind.

Now, before you go looking for S-Memo to uninstall, developers have responded to the thread saying that he only had access to that database because his device was rooted. However, if a malicious application were granted root privileges, it could conceivably gain access to the same place where that password was stored. Not an immediate risk for any rooted S3 users, but let this be a warning: be careful which applications you give root access to.

Via: XDA
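A developer-side check for the storage problem described above, as an added example that is not from the original article, XDA, or Samsung: it walks an app's SQLite database and reports credential-looking columns that hold readable text rather than a digest. The schema, column-name patterns and sample rows are constructed assumptions; S-Memo's real schema is not given on this page.

```python
import re
import sqlite3

# Column names that suggest a stored credential (heuristic chosen for this example).
SUSPECT_NAME = re.compile(r"pass|pwd|secret", re.I)
# Values shaped like a hex digest or a password-hash string rather than a raw secret.
HASH_LIKE = re.compile(
    r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}|\$2[aby]\$.{56}|\$argon2.+)$", re.I)

def audit_plaintext_credentials(conn):
    """Return (table, column, row_count) for suspect columns holding non-hash text."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk).
        for _, column, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if not SUSPECT_NAME.search(column):
                continue
            rows = conn.execute(
                f'SELECT "{column}" FROM "{table}" '
                f'WHERE typeof("{column}") = \'text\' AND "{column}" != \'\'').fetchall()
            exposed = sum(1 for (value,) in rows if not HASH_LIKE.match(value))
            if exposed:
                # Report counts only, so the audit output never repeats the secret.
                findings.append((table, column, exposed))
    return findings

def build_sample_db():
    """Constructed sample data; the schema is hypothetical, not S-Memo's own."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE account (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        CREATE TABLE memo (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE web_login (id INTEGER PRIMARY KEY, user TEXT, pwd_hash TEXT);
        INSERT INTO account VALUES (1, 'user@example.com', 'correct horse battery');
        INSERT INTO memo VALUES (1, 'groceries', 'milk, eggs');
        INSERT INTO web_login VALUES (1, 'user',
            '5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8');
    """)
    return conn

if __name__ == "__main__":
    for table, column, count in audit_plaintext_credentials(build_sample_db()):
        print(f"{table}.{column}: {count} row(s) hold a credential in readable form")
```

A finding here means the app keeps a replayable secret on disk; the check is a name-and-shape heuristic, so a clean result does not prove the database is free of credentials.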

  • someone

    What a non issue. Service that requires automated gmail password stores it in plain text.

    Next you’ll be telling me that your IMAP or POP mail password stored in k9 or other mail clients are stored in plain text too (they are, or they have an easily reversible encryption).

    Not even OAuth could save the day because with root access, one would simply intercept the authentication token. Root isn’t bad. You just have to take care of it, as people have been saying all along.

  • VZWIndirect

    I hate to say it, but I would freakin love it, if this worked on every device. One of the biggest pains in the arse I have is customers that have forgotten their G-Mail password, and blew through the set up, skipping all the unimportant stuff like secret question answers and recovery e-mails.

    Have you ever tried to recover a lost G-Mail password without these? It would be easier to hack into the Pentagon.

  • Simon Belmont

    Yes. So the moral of the story is to be careful what apps you allow root access.

    Do research and don’t just sideload any old app that can use root. You know, common sense stuff.

  • Nate Davidson

    Galaxy S3 has S-Memo?

  • You don’t have to have S-Memo installed for your passwords to be stored in plaintext. There are multiple databases in which stock android stores plaintext passwords that are only accessible if you’re rooted.

  • Blah blah blah… Rooting is evil… Yeah…

  • sr_erick

    Who the hell stores passwords in plain text and calls themselves a developer? Bad, bad, bad.

  • NastyEmu

    I guess everyone should go enable two-factor authentication on their google accounts if they haven’t already.

    • That’s a major PITA if you use multiple 3rd party services with your Google credentials

      • NastyEmu

        I’ve never minded having to add application specific passwords, although if those are also viewable in plaintext via S-memo then two-factor isn’t going to give you much protection

        Edit: Nevermind, I don’t think we are talking about the same thing. What 3rd-party services do you use Google credentials for?

        • Quite a few social networking webapps

      • Name

        You mean something like the Google Voice app? That’s not 3rd party, but who else needs Google credentials?? Unless you mean some 3rd party Twitter like app that requires your Twitter login info??

  • chikpee

    OR developers could finally learn to hash passwords properly when storing them

    • summit1986

      I did think their response was awfully fruity… “There is only a security risk because your phone is jailbr….errr… rooted. Nothing to see here…”

    • Yes. Let’s blame root not our bad programming.

    • burntcookie90

      Why store password, everything should be OAuth.

    • This is not the solution. Because the app needs to be able to decrypt the password in order to log you in to Google’s services, anyone would also be able to decrypt it once they found out the passphrase that Samsung uses (which would be hard coded into the app and trivial to get).

      Hashing and Salting your password works well on websites because the website never needs to know how to decrypt your password. They simply take the password that you are attempting to log in with, then they hash it and see if the resulting hash matches the password they have stored in their database.

      The real solution here is to use OAuth.

    • Shouldn’t be storing the password in any manner. Not in this case.