XDA Developers Android and Mobile Development Forum

Potential Security Issue with S-Memo and JB

 
graffixnyc
#1
Forum Moderator / Recognized Developer - OP

I was poking around my GS3 today (ATT version but running the Sprint Official JB release LJ7) and I found something pretty shocking. I was poking around the S-Memo databases when I opened a table using SQLite Editor. When I opened the table I was shocked to see my Google account username and password in clear plain text. Now, I did have the option to sync to Google Drive and the app did prompt for my Google username and password so obviously it stores it somewhere. I was just shocked to see it stored in plain text and not encrypted.

I know someone who checked his ATT GS3 running ICS and he did not have these entries in his DB which makes me think it's a JB thing.

To check you need to be rooted and have SQLite editor installed.

Steps to check
1. Set up S-Memo to sync with your Google account
2. Use SQLite editor and navigate to /data/data/com.sec.android.provider.smemo/databases
3. Open the Pen_memo.db file and select the CommonSettings table. Look to see if your Google account info is stored in plain text.

This could potentially be a serious issue. If people running JB on their GS3 can check this that would be awesome. Someone already checked the latest ICS build for the ATT variant but if others on ICS or with a different variant can check that would be great. I will get to check my GF's I-9300 running JB tomorrow when I see her.

Also I'm not sure how app permissions work on Android, meaning if one app could access the data/database of another app (without root, because obviously with root another app can, in this case SQLite opened the file). Since the DB is in the /data partition and the permissions are r/w by default I'm thinking it wouldn't be difficult for a malicious non-root app to access this database and query it for the information unless there is something built into Android that won't allow that.

I have attached a SS of what my table looked like. Obviously I blacked out my PW and also the Google auth ID.


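An added example, not part of the original post and not S-Memo or Samsung code: one way to run the check described in the steps above against a copy of the database taken from your own rooted device, reporting credential-looking cells with their values masked. The `key`/`value` columns and the sample rows are constructed assumptions, since the thread does not show the real CommonSettings schema.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SECRET_NAME_RE = re.compile(r"pass(word|wd)?|pwd|secret", re.I)

def mask(value):
    """Keep the first character and the length; never echo the secret itself."""
    return value[:1] + "*" * (len(value) - 1)

def audit_table(db_path, table):
    """Return (rowid, column, reason, masked value) for credential-looking cells."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"  # read-only open
    conn = sqlite3.connect(uri, uri=True)
    try:
        quoted = '"' + table.replace('"', '""') + '"'
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({quoted})")]
        if not cols:
            raise ValueError(f"table {table!r} not found")
        findings = []
        for rowid, *cells in conn.execute(f"SELECT rowid, * FROM {quoted} ORDER BY rowid"):
            texts = [(c, v) for c, v in zip(cols, cells) if isinstance(v, str) and v]
            # Key/value settings tables name the secret in a sibling cell of the row.
            labelled = any(SECRET_NAME_RE.search(v) for _, v in texts)
            for col, val in texts:
                if EMAIL_RE.match(val):
                    findings.append((rowid, col, "account name", mask(val)))
                elif SECRET_NAME_RE.search(col) or (labelled and not SECRET_NAME_RE.search(val)):
                    findings.append((rowid, col, "possible plaintext secret", mask(val)))
        return findings
    finally:
        conn.close()

def build_sample(path):
    """Constructed stand-in for Pen_memo.db; the key/value schema is an assumption."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE CommonSettings (key TEXT, value TEXT)")
    conn.executemany("INSERT INTO CommonSettings VALUES (?, ?)", [
        ("sync_enabled", "1"), ("google_account", "user@example.com"),
        ("google_password", "Tr0ub4dor&3"),  # constructed values
    ])
    conn.commit()
    conn.close()

if __name__ == "__main__":
    sample = Path(tempfile.mkdtemp()) / "Pen_memo.db"
    build_sample(sample)
    print(audit_table(sample, "CommonSettings"))
```

The name matching is a heuristic: a secret that itself contains a word such as "pass" in a key/value row is skipped, so an empty report is not proof that nothing is stored in the clear.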
 
ViViDboarder
#2
Recognized Developer
Actually, while /data is available for you to browse, that is because you have root. It's RW but only within the packages that each app is sandboxed. If you disable root you will not be able to view that database.

It is possible for the same developer to access the /data files of another one of their apps if they use the same namespace.

So, while this is indeed a risk, it would not be trivial for another app to gain access without asking for root or cracking root itself.

 
graffixnyc
#3
Forum Moderator / Recognized Developer - OP
Quote:
Originally Posted by ViViDboarder
Actually, while /data is available for you to browse, that is because you have root. It's RW but only within the packages that each app is sandboxed. If you disable root you will not be able to view that database.

It is possible for the same developer to access the /data files of another one of their apps if they use the same namespace.

So, while this is indeed a risk, it would not be trivial for another app to gain access without asking for root or cracking root itself.

Ahh OK. Yeah I wasn't sure if another app would be able or not. I've never not been rooted so I wasn't 100% sure about that. So I guess this issue would just concern root users. I still think though the data should have been encrypted before the record was inserted. It did kinda freak me out to open that table and see my Google password staring at me.

 
WhatRobEats
#4
Junior Member
I don't use S-Memo much but thanks for the heads up.
 
csmasn
#5
Senior Member
Quote:
Originally Posted by ViViDboarder
Actually, while /data is available for you to browse, that is because you have root. It's RW but only within the packages that each app is sandboxed. If you disable root you will not be able to view that database.

It is possible for the same developer to access the /data files of another one of their apps if they use the same namespace.

So, while this is indeed a risk, it would not be trivial for another app to gain access without asking for root or cracking root itself.

There are on Play and on the net "free apps" which need root access to work. Once you grant access to any of them, they can get your info and send it anyplace.

 
Jarmezrocks
#6
Senior Member
Quote:
Originally Posted by csmasn
There are on Play and on the net "free apps" which need root access to work. Once you grant access to any of them, they can get your info and send it anyplace.

Agreed, but that is why you should be checking carefully what root apps are doing. Also not just willy-nilly granting Superuser permissions. Half of XDA would be at risk 'cause they see the SuperUser popup and most of the time just press grant, not ever thinking 'What does that mean?' Yes, they want to test an app, but FFS check what it wants to do. That is the screen that pops up (another one people ignore - yes I am guilty of it myself sometimes, thinking nothing has changed between one version and the next) just as you are installing the app. If it is wanting to do things in areas you don't want it to be then don't install it and confront the developer about it.

In this case you can't really confront Samsung devs about this, but the thing is we know what it is for, and secondly you're not installing it; it comes pre-installed. But you get my point. I doubt that the Samsung devs have malicious intentions, whereas other developers that you are granting SuperUser permissions to... who knows?

 
jcase
#7
Forum Moderator / Senior Recognized Developer - Taco Vendor
Yikes! Good news, this is not as bad as it seems. The data is not accessible without root.

Once an app has root, it is all over. You have to trust the app to use it wisely (trust me a lot of root apps are unsafe). With this kind of issue, it is probably safer to notify the OEM before publishing, allowing them time to fix it. This is exactly why I am not one to run root apps without a review of them myself.

I took the liberty to forward this on to those that can get it fixed. Nice find.
 
pulser_g2
#8
Developer Admin / Senior Recognized Developer
This should probably use a token-based authentication system, rather than the ACTUAL Google account username and password...

Still not brilliant for security, but at least it's not your ACTUAL password in plaintext...


 
csmasn
#9
Senior Member
Quote:
Originally Posted by Jarmezrocks
Agreed, but that is why you should be checking carefully what root apps are doing. Also not just willy-nilly granting Superuser permissions. Half of XDA would be at risk 'cause they see the SuperUser popup and most of the time just press grant, not ever thinking 'What does that mean?' Yes, they want to test an app, but FFS check what it wants to do. That is the screen that pops up (another one people ignore - yes I am guilty of it myself sometimes, thinking nothing has changed between one version and the next) just as you are installing the app. If it is wanting to do things in areas you don't want it to be then don't install it and confront the developer about it.

In this case you can't really confront Samsung devs about this, but the thing is we know what it is for, and secondly you're not installing it; it comes pre-installed. But you get my point. I doubt that the Samsung devs have malicious intentions, whereas other developers that you are granting SuperUser permissions to... who knows?

Agreed with you.

But about Google's devs, because it's Google's flaw. Encryption is old enough, so they can implement it.

 
mkasick
#10
Recognized Developer
Quote:
Originally Posted by graffixnyc
I was just shocked to see it stored in plain text and not encrypted.

Suppose they were to encrypt it, where would they store the decryption key?
