Message-ID: <CAH8yC8msnivWOhksj_gcfR=5MZqdfMFTgp_x+3j2VjT7DOv1vA@mail.gmail.com>
Date: Wed, 8 Aug 2012 00:06:47 -0500
From: Jeffrey Walton <noloader@...il.com>
To: vtalk@...view.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Android HTC Mail insecure password management

Hi vtalk,

What was HTC's response? What were the results under Android 4.0+ (Ice
Cream Sandwich)? Were you able to test the configuration? Android 4.0+
offers a Keychain, and applications should be storing base secrets in
the Keychain (pushing the responsibility from developer to OS).

Jeff

On Sun, Aug 5, 2012 at 2:57 PM, <vtalk@...view.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Android HTC Mail insecure password management
>
> Classification:
> ===============
> Level: low-[MED]-high-crit
> ID: HEXVIEW*2012*08*05*01
> URL: http://www.hexview.com/docs/20120805-1.txt
>
> Overview:
> =========
> HTC is a $9.5B (USD) Taiwanese manufacturer of smartphones and tablets, primarily
> Android-based. HTC's devices account for 5% of the smartphone market and for
> about 15% of all Android devices sold in the US. Most HTC devices come with an
> application called HTC Mail. HexView discovered that HTC Mail insecurely stores
> mailbox credentials.
>
> Affected products:
> ==================
> HTC Mail application, all versions (package: com.htc.android.mail)
>
> Vulnerability Summary:
> ======================
> Android OS comes with a feature called AccountManager that lets applications
> manage user credentials in a more or less secure fashion. HTC Mail instead stores
> usernames and passwords directly in its database, obfuscated with a weak, trivial
> to reverse algorithm.
>
> Technical Details:
> ==================
> HTC Mail application stores user credentials in the 'accounts' table in its 'mail.db'
> SQLite database. The table contains usernames, email addresses, hostnames, mailbox
> and SMTP passwords for each mail account configured in the Mail application.
> All data is stored in plain text except for passwords, which are "encrypted" as follows:
> 1. Password characters at odd and even positions are swapped.
> 2. The byteswapped string is base-64 encoded twice.
> 3. The resulting base64-encoded password is stored in the database.
>
> Demonstration:
> ==================
> HexView produced a script for the GameSpector application (available in Google Play)
> that decodes and displays HTC Mail passwords. GameSpector requires root access.
>
> Distribution:
> =============
> This document may be freely distributed through any channels as long as
> its content is kept intact. Commercial use of the information in the
> document is not allowed without written permission from HexView.
> Please direct all questions to vtalk@...view.com
>
> About HexView:
> ==============
> HexView is a technology consulting boutique offering a variety of information
> security services, including security assessments of mobile applications.
> For more information visit http://www.hexview.com
>
> Feedback and comments:
> ======================
> Feedback and questions about this disclosure are welcome at vtalk@...view.com
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAlAezhcACgkQDPV1+KQrDqQW8gCfcT0koImRoJppbUwVkweaoxmG
> xD4Anj4osjlOWR1JmnWbLAwcoeHN0UjJ
> =g+yV
> -----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
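The three-step obfuscation the quoted advisory describes (swap adjacent characters, base64-encode the result twice, store the string), implemented both forwards and backwards as an added example. This is not part of the original post and is not HexView's GameSpector script. The in-memory SQLite table, its column names and the account rows are constructed stand-ins for the 'accounts' table of mail.db, whose real schema the advisory does not give; leaving the trailing character of an odd-length password in place is likewise an assumption, since the advisory does not say how that case is handled.

```python
import base64
import sqlite3


def _swap_pairs(data: bytes) -> bytes:
    """Swap each pair of adjacent bytes (positions 0<->1, 2<->3, ...).

    Assumption: a trailing byte of an odd-length input stays where it is;
    the advisory does not specify this case. Applying the swap twice
    restores the input, so the same routine serves both directions.
    """
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def obfuscate(password: str) -> str:
    """Steps 1-3 from the advisory: swap, base64, base64 again."""
    swapped = _swap_pairs(password.encode("utf-8"))
    return base64.b64encode(base64.b64encode(swapped)).decode("ascii")


def deobfuscate(stored: str) -> str:
    """Inverse of obfuscate(): base64-decode twice, then undo the swap.

    No key is involved at any step, so anything that can read the stored
    string can recover the password.
    """
    inner = base64.b64decode(stored, validate=True)
    swapped = base64.b64decode(inner, validate=True)
    return _swap_pairs(swapped).decode("utf-8")


def make_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for mail.db; the column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "email TEXT, username TEXT, host TEXT, "
        "password TEXT, smtp_password TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?, ?, ?)",
        [
            ("alice@example.com", "alice", "imap.example.com",
             obfuscate("correct horse"), obfuscate("smtp-secret-1")),
            ("bob@example.com", "bob", "pop.example.com",
             obfuscate("hunter2"), obfuscate("odd")),   # odd-length case
        ],
    )
    return conn


def dump_accounts(conn: sqlite3.Connection) -> list:
    """Read every account row and return it with both passwords decoded."""
    rows = conn.execute(
        "SELECT email, username, host, password, smtp_password FROM accounts"
    ).fetchall()
    return [
        (email, user, host, deobfuscate(pw), deobfuscate(smtp_pw))
        for email, user, host, pw, smtp_pw in rows
    ]


if __name__ == "__main__":
    for row in dump_accounts(make_sample_db()):
        print(" | ".join(row))
```

Because every step is keyless and invertible, recovery needs nothing beyond read access to the database file, which is why the advisory's demonstration only needs root on the device; the double base64 hides the password from a casual glance at the table and from nothing else.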