prey / prey-android-client

Android client for the Prey anti-theft software.
http://preyproject.com
GNU General Public License v3.0

Passwords stored in plaintext in com.prey_references.xml #45

Closed dequis closed 9 years ago

dequis commented 11 years ago

The preferences PREFS_ADMIN_DEVICE_REVOKED_PASSWORD, PASSWORD, UNLOCK_PASS store passwords in plaintext. Please encrypt these, using one-way hashes like sha1 if possible. Particularly, the file seems to contain enough information to log in to my prey account. And if someone uses the same password for prey.com as the email they use to log in, that email address is right there too.

This file can probably be opened by root only, but root access on an Android device is usually a matter of selecting "allow" - or not doing anything at all if the app was used before. So basically, anyone smart enough who steals my phone could avoid changing the SIM card (so prey doesn't activate itself), read that file, get the password, and detach prey / uninstall it / take over my prey account. Fun.

(Of course this previous argument isn't very valid since root access with no auth also lets you remove prey with a rm and maybe a kill. Or factory reset right after stealing it, no root or passwords required. The fact that it's trivial to identify that a phone runs prey annoys me too. But I digress, this ticket isn't meant to cover all of my paranoia sources.)

ghost commented 9 years ago

Hi, @dequis. Thanks a lot for reporting this and sorry for taking so long. We finally fixed the issue. We're uploading the new APK to Google Play on Monday.

dequis commented 9 years ago

Haha what I didn't even remember this. I'm not even sure if I still have prey after changing ROMs a few times.

Also my suggestion of using sha1 was terrible, but I see you solved it by... not storing it at all? What's going on there?

ghost commented 9 years ago

@dequis We save your account's API key, so validation is always made against the Prey servers. There's no need to store any other sensitive data, really. And even if others knew your API key, there's nothing much they can do with that.
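
An added example, not part of the thread or of the Prey code base: a small audit check that parses a file in the Android SharedPreferences XML layout and reports password-like entries that hold a value, either as plaintext or as what looks like a bare fast-hash digest (the sha1 idea discussed above). The three key names come from the issue; the sample file, its values, the `EMAIL` and `CAMOUFLAGE` entries and the function name `audit_prefs` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the SharedPreferences XML layout. Key names are the
# three quoted in the issue; every value and the other entries are made up.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="EMAIL">user@example.com</string>
    <string name="PASSWORD">hunter2</string>
    <string name="UNLOCK_PASS">1234</string>
    <string name="PREFS_ADMIN_DEVICE_REVOKED_PASSWORD"></string>
    <boolean name="CAMOUFLAGE" value="false" />
</map>
"""

# Heuristic: preference names that suggest a stored credential.
SECRET_NAME = re.compile(r"PASS|SECRET", re.IGNORECASE)
# Heuristic: bare hex with the length of an MD5, SHA-1 or SHA-256 digest.
# A short password hashed this way can still be recovered by guessing offline.
BARE_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)


def audit_prefs(xml_text):
    """Return (name, finding) for each secret-looking <string> entry with a value."""
    findings = []
    for entry in ET.fromstring(xml_text).iter("string"):
        name = entry.get("name", "")
        value = (entry.text or "").strip()
        if not SECRET_NAME.search(name) or not value:
            continue  # not a credential-like key, or nothing is stored
        if BARE_DIGEST.match(value):
            findings.append((name, "bare-digest"))
        else:
            findings.append((name, "plaintext"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_prefs(SAMPLE_PREFS):
        print(f"{name}: {finding}")
```

An empty result is what the fix described in the last comment should produce, since no password is written to the file at all.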