Potential Security Issue with S-Memo and JB
I was poking around my GS3 today (ATT version but running the Sprint Official JB release LJ7) and I found something pretty shocking. I was poking around the S-memo databases when I opened a table using SQLIte editior. When I opened the table I was shocked to see my Google account username and password in clear plain text. Now, I did have the option to sync to Google drive and the app did prompt for my google username and password so obviously it stores it somewhere. I was just shocked to see it stored in plain text and not encrypted.
I know someone who checked his ATT GS3 running ICS and he did not have these entries in his DB which makes me think it's a JB thing.
To check you need to be rooted and have SQLite editor installed.
Steps to check
1. Set up S-Memo to sync with your Google account
2. Use SQLite editor and navigate to /data/data/com.sec.android.provider.smemo/databases
3. Open the Pen_memo.db file and select the CommonSettings table. Look to see if your Google account info is stored in plain text.
This could potentially be a serious issue. If people running JB on their GS3 can check this that would be awesome. Someone already checked the latest ICS build for the ATT variant but if others on ICS or with a different variant can check that would be great. I will get to check my GF's I-9300 running JB tomorrow when I see her.
Also I'm not sure how app permissions work on android, meaning if one app could access the data/database of another app(without root, because obviously with root another app can, in this case SQLite opened the file). Since the DB is in the /data partition and the permissions are r/w by default I'm thinking it wouldn't be difficult for a malicious non root app to access this database and query it for the information unless there is something built into android that wont allow that.
I have attached a SS of what my table looked like. Obviously I blacked out my PW and also the Google auth ID