vivekiyer / corporateaddressbook


Why password is not encrypted? #68

Open vivekiyer opened 10 years ago

vivekiyer commented 10 years ago

From grk...@gmail.com on August 16, 2011 03:44:21

I browsed the preferences.xml file and found that my password is stored without encryption. Is there any way we can encrypt the password before storing in the device?

Thanks for the free app
Ramakrishnan

Original issue: http://code.google.com/p/corporateaddressbook/issues/detail?id=68

vivekiyer commented 10 years ago

From viveki...@gmail.com on August 23, 2011 16:15:05

Hi Ramakrishnan

Thank you for your message and for using my app. I do know that the preferences are saved on the device in the clear. It is possible that according to the Android design this "might" be ok - see this comment (stolen from Stack Overflow - http://stackoverflow.com/questions/6355003/android-encrypt-password)

---- Now, on to the secureness of storing the password (what follows is valid for both storing the password in SharedPreferences and in AccountManager). As long as the device on which your application is running is not rooted, it is completely secure. No other app but yours can read the password. You can't even read the password if you connect the phone to a PC using a USB cable and use adb pull to try and get the respective file.

---- However, if the phone is rooted, any app that gets root access can read the password. Also, adb pull works, and you can get to the password in seconds.

Now given this I have two options

Do let me know your thoughts.

Regards
Vivek

vivekiyer commented 10 years ago

From grk...@gmail.com on August 24, 2011 03:25:11

Hi Vivek,

Thanks a lot for your detailed reply. Now my worry about security has increased, as I'm using many apps which need root permission. Though I'm not an Android developer, I have a few suggestions. Is it possible to have an encryption key which is dynamic? The program should choose the key based on some unique device property like IMEI number or UID.

Correct me if I am wrong.

-Ramakrishnan