XDA developers discover S Memo saves passwords in plain text

November 12, 2012

If you use S Memo and happen to have a rooted device, you might want to pay attention to this next bit of news: one XDA Developers Forum member has discovered that S Memo stores Google user names and passwords in plain text. He happened upon this while he was going through his SQLite files on his Samsung Galaxy S III, and promptly took to the Developers Forum to talk about it. Another user, one ViViDboarder, replied saying that those files can only be viewed if the device is rooted and would otherwise be inaccessible.

So, those who haven't rooted their devices can breathe a sigh of relief, as this is only an issue for those who have rooted their Samsung handset. It seems that rooted users make up a pretty large subset of all Android users though, so there are still plenty of people who could be affected by this security issue. This could potentially lead to root apps gaining access to these files and making off with the information, though ViViDboarder says that would be difficult "without asking for root or cracking root itself."

Be that as it may, this is still a pretty scary discovery. We've always known that there are some security risks that go along with rooting your phone, but this just serves as reinforcement that those who root their device need to tread carefully. That goes for installing root apps too - if you don't check out the app yourself before installing, it could lead to some pretty major headaches.

It's also kind of alarming that S Memo doesn't encrypt this information, but it makes at least some sense if Samsung's expectation is that most users aren't going to root their phones. In any case, it seems like that's the kind of information that should be encrypted, even if it is inaccessible on non-rooted devices. Be sure to have a look at the full thread over at the XDA Developers Forum for more information!

[via Talk Android]


  • http://twitter.com/robber32 Robb Nice

    If you are a person who roots their phone, it pays to deal with developers who removed a lot of the Sammy bloatware, or used AOSP ROMs.

  • tripper

    Wow, this is a major fail. And it doesn’t matter that this file is inaccessible without root. Gaining root access is what malicious code does and this little file contains a very delicious piece of data that may be targeted by such malicious code. You won’t even notice.

    And I seriously see no reason to store this kind of data in plain text. What this tells me is that the developers behind S Memo are amateurs, that’s what.