Information Security

How is password information stored and used on Android accounts?


How difficult would it be for someone who stole your device to gain access to the username and password information stored under the Settings -> More -> Accounts section of an Android device?

On Linux, shadow passwords are stored as hashes but these are only used to check inputs (they are never transmitted over the network). I wonder how Android implements account security here (perhaps special hardware supporting accounts and passwords)?




Solution

Android uses AccountManager to store the passwords. By rooting a phone you can access the encrypted store. What happens now depends on the password you use to lock your phone (from which the encryption key for the store is derived).

As you can imagine, a 4-digit PIN is not going to resist long. A fingerprint (or other mechanism with large entropy) will not be cracked.
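To make the answer's point concrete, here is an added example (not Android's code and not the answerer's) that models a credential store whose key is derived from the lock-screen secret, as the answer describes, and then runs the offline attack that someone with root access to the store could run against it. The key derivation (PBKDF2-HMAC-SHA256), the key-check value, the toy HMAC-based keystream, the iteration count and the sample token are all assumptions made for illustration; none of them is a claim about how AccountManager actually works.

```python
"""Constructed demonstration: how long a PIN-derived key protects a store.

Added example, not Android's AccountManager code. PBKDF2-HMAC-SHA256, the
key-check value (KCV), the HMAC keystream and the iteration count are all
assumptions chosen so the script runs offline in a few seconds.
"""
import hashlib
import hmac
import os
import string
import time

ITERATIONS = 200            # assumption: deliberately low; real systems use far more
KEY_CHECK_LABEL = b"key-check"


def derive_key(secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte key from the lock-screen secret (PIN or passphrase)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)


def keystream(key: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: concatenated HMAC(key, counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal_store(secret: str, plaintext: bytes, iterations: int = ITERATIONS) -> dict:
    """Build the on-disk 'store': salt, iteration count, KCV and ciphertext."""
    salt = os.urandom(16)
    key = derive_key(secret, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        # The KCV lets anyone holding the store test a candidate secret offline.
        "kcv": hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest(),
        "ciphertext": xor_bytes(plaintext, keystream(key, len(plaintext))),
    }


def try_open(store: dict, secret: str):
    """Return the decrypted plaintext if `secret` is correct, else None."""
    key = derive_key(secret, store["salt"], store["iterations"])
    kcv = hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()
    if not hmac.compare_digest(kcv, store["kcv"]):
        return None
    ct = store["ciphertext"]
    return xor_bytes(ct, keystream(key, len(ct)))


def brute_force_pin(store: dict, digits: int = 4):
    """Offline attack: with root you have the store, so try every PIN in order.

    Returns (pin, plaintext, attempts), or (None, None, attempts) on failure.
    """
    attempts = 0
    for candidate in range(10 ** digits):
        pin = f"{candidate:0{digits}d}"
        attempts += 1
        plaintext = try_open(store, pin)
        if plaintext is not None:
            return pin, plaintext, attempts
    return None, None, attempts


def search_space(alphabet_size: int, length: int) -> int:
    """Worst-case number of candidates for a secret of this shape."""
    return alphabet_size ** length


def main():
    token = b"constructed-sample-oauth-token"   # constructed, not a real token
    store = seal_store("7391", token)          # 4-digit lock PIN (assumption)

    start = time.perf_counter()
    pin, plaintext, attempts = brute_force_pin(store)
    elapsed = time.perf_counter() - start
    print(f"recovered PIN {pin} after {attempts} attempts in {elapsed:.2f}s")
    print(f"plaintext: {plaintext!r}")

    alnum = len(string.ascii_letters + string.digits)   # 62 symbols
    print(f"4-digit PIN candidates:          {search_space(10, 4):,}")
    print(f"10-char alphanumeric candidates: {search_space(alnum, 10):,}")


if __name__ == "__main__":
    main()
```

The iteration count is kept low so the script finishes in seconds, but raising it does not change the shape of the problem: a full 4-digit search is still only 10,000 key derivations, which is minutes on a single core at realistic iteration counts and far less on a GPU, whereas a 10-character alphanumeric passphrase has about 8 × 10^13 times as many candidates. Adding an HMAC-based stream cipher rather than AES keeps the example dependent only on the Python standard library.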





Comments (2)

  • +0 – So, is there an app which will work on rooted phones which will display the text-based passwords (when text-based passwords are used), that will reveal the Google, Facebook, Twitter, Gmail, Samsung, etc... passwords? Where can I find such an app? Thanks. — Jun 06, 2015 at 16:35  
  • +0 – @JohnHigginstyne: I do not know of such an app, but please keep in mind that few service passwords are nowadays stored in a keychain. The services you mention (except for Samsung) all use OAuth, which does not store any passwords, just an authentication token. The keystore is interesting for authentication mechanisms related to your phone (the PIN for instance, or the fingerprint digest) — Jun 07, 2015 at 14:53  

