Rooted devices can expose your Google credentials, as proven by Samsung S-Memo database flaw

by: J. Angelo Racoma, November 13, 2012

Rooting your device has many benefits, including access to OS and firmware features that are otherwise inaccessible to regular apps. Rooting enables you to access hidden areas of the file system, control the CPU, tweak network settings, access Google Play from restricted devices, and more. But rooting enables one more thing: access to supposedly secure data.

The XDA Developers forum is known for its mobile development exploits, and community members regularly publish their custom ROMs, tweaks and other tips. But one developer has noticed something that might alarm Android users in general: rooting your device can expose access credentials that should otherwise have been hidden and inaccessible.

In particular, XDA forum moderator Graffixync says he was quite surprised to see his Google credentials stored in plain text in the Samsung S-Memo database.

I was poking around the S-memo databases when I opened a table using SQLite editor. When I opened the table I was shocked to see my Google account username and password in clear plain text.

This may not hold true for all Android devices, as Graffixync says it is likely a Jelly Bean-specific issue. If you would like to replicate the potential flaw, you can do so if you have a rooted Samsung device and SQLite editor installed.

  • Set up S-Memo to sync with your Google account
  • Navigate to /data/data/ using SQLite
  • Open Pen_memo.db and look for the CommonSettings table.

If your device is affected by this potential vulnerability, you should see your Google username and password in plain text.
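The check above is done by hand in SQLite editor. As an added example (not from the article or from Samsung), the following Python script automates the defender's side of it: it walks every table in a SQLite database, flags columns whose names suggest they hold a credential, and counts how many rows have a non-empty value there. It deliberately never returns the values themselves, so the report can be pasted into a bug report without leaking the secret. The S-Memo schema is not given on the page, so the sample database built by build_sample_db() is constructed for illustration; the column-name pattern is an assumption too.

```python
import re
import sqlite3
from typing import List, Tuple

# Column names that commonly hold credentials; a match is a finding to review.
# This pattern is an assumption, not something taken from the S-Memo schema.
CREDENTIAL_COLUMN = re.compile(r"(pass(word|wd)?|pwd|secret|credential)", re.IGNORECASE)


def quote_ident(name: str) -> str:
    """Quote a SQLite identifier so table/column names from sqlite_master are safe to splice in."""
    return '"' + name.replace('"', '""') + '"'


def find_credential_columns(conn: sqlite3.Connection) -> List[Tuple[str, str, int]]:
    """Return (table, column, rows_with_value) for every column whose name looks
    like a credential and that holds at least one non-empty value.
    The stored values are never read back into the result."""
    findings = []
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk).
        columns = [row[1] for row in conn.execute(f"PRAGMA table_info({quote_ident(table)})")]
        for column in columns:
            if not CREDENTIAL_COLUMN.search(column):
                continue
            t, c = quote_ident(table), quote_ident(column)
            count = conn.execute(
                f"SELECT COUNT(*) FROM {t} WHERE {c} IS NOT NULL AND {c} != ''"
            ).fetchone()[0]
            if count:
                findings.append((table, column, count))
    return findings


def audit_file(path: str) -> List[Tuple[str, str, int]]:
    """Audit an on-disk database, e.g. one copied off a rooted device you own."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return find_credential_columns(conn)
    finally:
        conn.close()


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory database mimicking an app that stores a sync password in the clear."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE CommonSettings (account_name TEXT, account_password TEXT);
        INSERT INTO CommonSettings VALUES ('user@example.com', 'hunter2');   -- constructed value
        INSERT INTO CommonSettings VALUES ('spare@example.com', '');         -- empty, not a finding
        CREATE TABLE Notes (id INTEGER PRIMARY KEY, body TEXT);
        INSERT INTO Notes VALUES (1, 'shopping list');
    """)
    return conn


if __name__ == "__main__":
    for table, column, rows in find_credential_columns(build_sample_db()):
        print(f"{table}.{column}: {rows} row(s) hold a non-empty value")
```

Run it against a copy of the database rather than the live file on the device, and treat any finding as a prompt to inspect that column manually; a column named `password` may legitimately hold a hash or token, which the name alone cannot distinguish.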

Is this a flaw or is this normal with a rooted device?

One argument is that rooting your device is, by design, what gives your apps access to areas of the filesystem that are otherwise off limits. It was precisely that access that let the developer read the data with SQLite editor.

The other argument is that the username and password were stored in plain text rather than encrypted. As a result, any app with root access would be able to retrieve them. If the username and password were hashed, it would be harmless even if an app could retrieve them. Is this a Samsung-specific flaw, then? Perhaps the developers of S-Memo forgot to ensure that user credentials would be encrypted.

Either way, this exploit illustrates the danger of rooting your device. For instance, side-loaded apps that ask for root permissions may be retrieving user credentials from your app databases. Even apps from Google Play have the potential to do this if left unchecked.

Responsible Android device users should be more vigilant. Be careful what apps you give root permissions to.

  • Hi! If you use a “2-step verification” password, then S Note saves only the app-generated key. It doesn’t accept the default password; it immediately asks for the app key only.
    So the “2-step verification” password is added safety…

  • Ramiro Fernandez

    Just a note on password encryption/hashing…

    It’s not actually so easy to pull off. Firstly, hashing the password is useless in this instance, since s-memo actually needs the password in clear in order to provide it to Google. A hashed password cannot be retrieved, so it can’t be used. Password hashing is only valid for password verification.

    For the same reason, password encryption is just as ineffective: in order to be able to actually retrieve the password, the decryption key needs to be stored as well, and there’s no better place to store that. The best that password encryption will do in this case is obfuscate the password; once the method is known it’s trivial to recover the password, and it’s not hard to work out the method for a determined attacker.

    So hiding this is perhaps not quite so easy as you think; it’s not a solved problem. There are many flawed implementations; in effect, they are all flawed. What Samsung should be doing, though, is using the global Google credential and allowing Android to manage the account, not rolling their own solution. I’m not sure how well it’s handled in Android, but trust me, if you have access to the account data, you can compromise the account in 100% of cases.

    • Ramiro Fernandez

      Just thought I’d add that usually session persistence is done by storing a session token rather than a password. If this is compromised, only the session is compromised, which can be fixed by logging out, or detected by looking for simultaneous sessions from different IP addresses. But compromise of this still allows access to your account, so in reality it’s not so much better than having the password in the clear.

      Don’t get me wrong, the Samsung implementation still sucks, just maybe not as much as you first think :-)
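The two comments above argue that a hash cannot be handed to Google, that encrypting with a key stored beside the data is only obfuscation, and that a session token is the better choice because it can be revoked. The following Python model, added here as an illustration and not part of the article or of any Samsung or Google code, makes those three storage choices concrete against a constructed stand-in for the account service: a plaintext copy logs in forever, a PBKDF2 hash can only be verified locally and is useless for sync, and a token syncs until the user logs out everywhere. The AccountService class and its method names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class AccountService:
    """Constructed stand-in for the upstream service the client syncs with."""

    def __init__(self, username: str, password: str) -> None:
        self._username = username
        self._password = password.encode()
        self._tokens: Dict[str, str] = {}  # token -> username

    def login(self, username: str, password: str) -> Optional[str]:
        """Password login: on success returns a fresh, revocable session token."""
        if username == self._username and hmac.compare_digest(password.encode(), self._password):
            token = secrets.token_hex(16)
            self._tokens[token] = username
            return token
        return None

    def sync(self, token: str) -> bool:
        """A sync request succeeds only while the token is still valid."""
        return token in self._tokens

    def revoke_all_sessions(self) -> None:
        """What 'logging out everywhere' does: every outstanding token stops working."""
        self._tokens.clear()


# Strategy 1: store the password in the clear (what the article describes).
def client_stores_plaintext(username: str, password: str) -> Dict[str, str]:
    return {"user": username, "password": password}


def can_login_with_stolen_copy(service: AccountService, stored: Dict[str, str]) -> bool:
    """Whoever reads the plaintext record can open new sessions at will."""
    return service.login(stored["user"], stored["password"]) is not None


# Strategy 2: store a salted PBKDF2 hash. Good for verifying a typed password,
# useless for sync, because the hash cannot be turned back into the password.
def client_stores_hash(username: str, password: str) -> Dict[str, object]:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"user": username, "salt": salt, "hash": digest}


def verify_local(stored: Dict[str, object], candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), stored["salt"], 100_000)
    return hmac.compare_digest(digest, stored["hash"])


# Strategy 3: exchange the password once for a token and store only the token.
def client_stores_token(service: AccountService, username: str, password: str) -> Dict[str, str]:
    token = service.login(username, password)
    if token is None:
        raise ValueError("login failed")
    return {"user": username, "token": token}


if __name__ == "__main__":
    svc = AccountService("user@example.com", "correct horse")  # constructed credentials
    plaintext = client_stores_plaintext("user@example.com", "correct horse")
    tokenised = client_stores_token(svc, "user@example.com", "correct horse")
    print("token syncs:", svc.sync(tokenised["token"]))
    svc.revoke_all_sessions()
    print("token syncs after logout:", svc.sync(tokenised["token"]))
    print("leaked password still logs in:", can_login_with_stolen_copy(svc, plaintext))
```

The last line of the demo is the commenter's point in code: revoking sessions neutralises a leaked token, but nothing short of a password change neutralises a leaked password.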

  • raindog469

    Any of us who run email programs on our laptops that don’t pop up a username and password prompt every time they check our mail have this vulnerability, too. Windows, Mac, Linux, doesn’t matter, and on those platforms, every app installed outside of your home/profile folder has access to everything.

    Wanna explain why this hasn’t been considered a “vulnerability” for the last 20 years, but now that we have phones that can run apps and are crippled by default by their manufacturers, it’s suddenly a “vulnerability” to un-cripple them?