Open Source and information security mailing list archives
Date: Wed, 8 Aug 2012 00:06:47 -0500
From: Jeffrey Walton <noloader@...il.com>
To: vtalk@...view.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Android HTC Mail insecure password management

Hi vtalk,

What was HTC's response?

What were the results under Android 4.0+ (Ice Cream Sandwich)? Were
you able to test the configuration?

Android 4.0+ offers a Keychain, and applications should be storing
base secrets in the Keychain (pushing the responsibility from
developer to OS).

Jeff

On Sun, Aug 5, 2012 at 2:57 PM,  <vtalk@...view.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Android HTC Mail insecure password management
>
> Classification:
> ===============
> Level: low-[MED]-high-crit
> ID: HEXVIEW*2012*08*05*01
> URL: http://www.hexview.com/docs/20120805-1.txt
>
> Overview:
> =========
> HTC is a $9.5B (USD) Taiwanese manufacturer of smartphones and tablets, primarily
> Android-based. HTC's devices account for 5% of the smartphone market and for
> about 15% of all Android devices sold in the US. Most HTC devices come with an
> application called HTC Mail. HexView discovered that HTC Mail insecurely stores
> mailbox credentials.
>
> Affected products:
> ==================
> HTC Mail application, all versions (package: com.htc.android.mail)
>
> Vulnerability Summary:
> ======================
> Android OS comes with a feature called AccountManager that lets applications
> manage user credentials in a more or less secure fashion. HTC Mail instead stores
> usernames and passwords directly in its database obfuscated with a weak, trivial-to-reverse
> algorithm.
>
> Technical Details:
> ==================
> The HTC Mail application stores user credentials in the 'accounts' table in its 'mail.db'
> SQLite database. The table contains usernames, email addresses, hostnames, mailbox
> and SMTP passwords for each mail account configured in the Mail application. All data
> is stored in plain text except for passwords, which are "encrypted" as follows:
> 1. Password characters at odd and even positions are swapped.
> 2. The byteswapped string is base-64 encoded twice.
> 3. The resulting base64-encoded password is stored in the database.
>
> Demonstration:
> ==============
> HexView produced a script for the GameSpector application (available in Google Play)
> that decodes and displays HTC mail passwords. GameSpector requires root access.
>
> Distribution:
> =============
> This document may be freely distributed through any channels as long as
> its content is kept intact. Commercial use of the information in the
> document is not allowed without written permission from HexView.
> Please direct all questions to vtalk@...view.com
>
> About HexView:
> ==============
> HexView is a technology consulting boutique offering a variety of information
> security services, including security assessments of mobile applications.
> For more information visit http://www.hexview.com
>
> Feedback and comments:
> ======================
> Feedback and questions about this disclosure are welcome at vtalk@...view.com
>
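Added example (not HexView's GameSpector script or HTC's code): a Python model of the three steps in the quoted Technical Details, showing why "encrypted" earns its quotes. No key enters the transform at any point, so the round trip succeeds for anyone who can read mail.db, and an assessor can flag such fields with the same check. The UTF-8 encoding of the password and the handling of a trailing unpaired character are assumptions the advisory does not state.

```python
import base64

# Constructed sample values throughout; the swap-then-double-base64 steps are
# taken from the advisory. Text encoding and odd-length handling are assumed.


def swap_pairs(data: bytes) -> bytes:
    """Step 1: swap bytes at positions (0,1), (2,3), ...
    A trailing unpaired byte is left in place (assumption)."""
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def obfuscate(password: str) -> str:
    """Steps 1-3 as described: swap, then base64 twice. Note that no key,
    salt or device-specific value is involved; the output depends only on
    the password itself."""
    swapped = swap_pairs(password.encode("utf-8"))
    return base64.b64encode(base64.b64encode(swapped)).decode("ascii")


def deobfuscate(stored: str) -> str:
    """Inverse of obfuscate(). Because the forward transform is a keyless
    bijection, read access to the 'accounts' table is the only requirement."""
    swapped = base64.b64decode(base64.b64decode(stored.encode("ascii")))
    return swap_pairs(swapped).decode("utf-8")


def recoverable_without_key(stored: str) -> bool:
    """Audit check for a stored credential field: True when the value undoes
    to printable text with no secret input, i.e. the field provides no
    confidentiality against anyone holding the database."""
    try:
        plain = deobfuscate(stored)
    except (ValueError, UnicodeDecodeError):
        return False
    return len(plain) > 0 and plain.isprintable()


if __name__ == "__main__":
    blob = obfuscate("secret")  # constructed test password
    print(blob, "->", deobfuscate(blob), recoverable_without_key(blob))
```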
