Comments on: Samsung S-Memo Security Flaw Reminds Us of the Dangers of Rooting a Device

By: jdrch

jdrch — Tue, 13 Nov 2012 15:24:00 +0000

Quite a few social networking webapps

By: someone

someone — Tue, 13 Nov 2012 08:00:00 +0000

What a non issue. Service that requires automated gmail password stores it in plain text.

Next you’ll be telling me that your IMAP or POP mail password stored in k9 or other mail clients are stored in plain text too (they are, or they have an easily reversible encryption).

Not even OAuth could save the day because with root access, one would simply intercept the authentication token. Root isn’t bad. You just have to take care of it, as people have been saying all along.

By: VZWIndirect

VZWIndirect — Tue, 13 Nov 2012 04:35:00 +0000

I hate to say it, but I would freakin love it, if this worked on every device. One the biggest pain the arse’s I have is customers that have forgotten their G-Mail password, and blew through the set up, skipping all the unimportant stuff like secret question answers and recovery e-mails.

Have you ever tried to recover a lost G-Mail password without these? It would be easier to hack into the Pentagon.

By: Name

Name — Tue, 13 Nov 2012 01:42:00 +0000

You mean something like the Google Voice app? That’s not 3rd party, but who else needs Google credentials?? Unless you mean some 3rd party Twitter like app that requires your Twitter login info??

By: Jacob Davis

Jacob Davis — Mon, 12 Nov 2012 21:18:00 +0000

Shouldn’t be storing the password in any manner. Not in this case.

By: Simon Belmont

Simon Belmont — Mon, 12 Nov 2012 21:13:00 +0000

Yes. So the moral of the story is to be careful what apps you allow root access.

Do research and don’t just sideload any old app that can use root. You know, common sense stuff.

By: Mr E

Mr E — Mon, 12 Nov 2012 21:10:00 +0000

yep

By: Nate Davidson

Nate Davidson — Mon, 12 Nov 2012 21:09:00 +0000

Galaxy S3 has S-Memo?

By: Mike Kusold

Mike Kusold — Mon, 12 Nov 2012 21:07:00 +0000

This is not the solution. Because the app needs to be able to decrypt the password in order to log you in to Google’s services, any one would also be able to decrypt it once they found out the passphrase that Samsung uses (which would be hard coded into the app and trivial to get).

Hashing and Salting your password works well on websites because the website never needs to know how to decrypt your password. They simply take the password that you are attempting to log in with, then they hash it and see if the resulting hash matches the password they have stored in their database.

The real solution here is to use OAuth.

By: Will P

Will P — Mon, 12 Nov 2012 21:06:00 +0000

You don’t have to have S-Memo installed for your passwords to be stored in plaintext. There are multiple databases in which stock android stores plaintext passwords that are only accessible if you’re rooted.

By: burntcookie90

burntcookie90 — Mon, 12 Nov 2012 21:05:00 +0000

Why store password, everything should be OAuth.

By: NastyEmu

NastyEmu — Mon, 12 Nov 2012 21:03:00 +0000

I’ve never minded having to add application specific passwords, although if those are also viewable in plaintext via S-memo then two-factor isn’t going to give you much protection

Edit: Nevermind, I don’t think we are talking about the same thing. What 3rd-party services do you use Google credentials for?

By: Luis Reich

Luis Reich — Mon, 12 Nov 2012 21:02:00 +0000

Blah blah blah… Rooting is evil… Yeah…

By: jdrch

jdrch — Mon, 12 Nov 2012 21:00:00 +0000

That’s a major PITA if you use multiple 3rd party services with your Google credentials

By: sr_erick

sr_erick — Mon, 12 Nov 2012 21:00:00 +0000

Who the hell stores passwords in plain text and calls themselves a developer? Bad, bad, bad.