SECURITY: passwords storing - General Questions and Answers

I would be really pleased if someone could give me a technical description (a cryptographic one) of how ANDROID stores the user's private passwords. I mean, how are they encrypted (if they are)? Using what algorithms and keys?
The reason is easy to understand. A normal user gives their phone 2 types of passwords that should be protected:
1.- One is Google's main password, used by the phone to sync (GMail, Calendar, etc.)
2.- The second are the passwords that have been marked in ANDROID's browser as "remembered"
It isn't hard to imagine a situation in which your phone becomes lost and arrives in the hands of someone who (before formatting it) wants to take advantage of or obtain all the phone's stored passwords.
In fact, reading the internal file system or the SD one must be almost trivial, and from there obtaining the passwords. How does ANDROID protect the user against it?

Related

[Q] Some Serious Questions about Android

Hello All,
My friend is planning on getting an Android phone. This will be his first Android phone as he mostly sticks with one platform for a long long time.
His current phone is an old palm device.
He's very serious about security and has a few other questions as well, which I pasted down below. I am not as experienced in this stuff, so I hope some of you could help. Thanks.
Security
When you lock out the handset, what happens to the raw data? Is the data overwritten or is only the file system wiped?
Right now my handset keeps the files that I don't use all of the time in an encrypted format. If I need to access a client file, I have to enter a password that decrypts the file. It takes some time, but this way if I lose my handset in a taxi it's only my cash that's gone & not my credibility as a professional. If I choose to remotely wipe my handset, random data is entered across the entire memory device, not only the file system, making most data recovery tools irrelevant.
Automated calling card apps
1) I buy a calling card from 7-11 to make long distance calls (not a SIM)
2) I put the phone number & password into my handset
3) When I dial a non-Hong Kong number it calls the calling card number instead & puts in the password for me
This saves me a wack of dough, especially when calling to China.
Would this work on Android?
Calendars
Are the calendars color coded? (Stupid Q, but iPhone can't do it)
ex) Work = Red, Personal = Blue
Syncing
If I sync through the cloud is the data all raw? Can anyone just look through my contacts up as easy as they can look through my email? I've found a way to avoid the cloud with contacts, but I'd use the Cloud if all the data is encrypted on each end.
Password Management
I've been using an encrypted password manager for years now. I have a desktop client and a handset client that sync across the cable. Any changes on one are reflected in the other, but it be locked up and secure.
Hope some professional Android users here could help answer some of these questions.
Thanks.
CrazyDelta said:
Calendars
Are the calendars color coded? (Stupid Q, but iPhone can't do it)
ex) Work = Red, Personal = Blue
Yes. Every 'account' you add will be given a different calendar colour by the HTC Stock widget. Eg. Work - Red / GMail - Blue / Facebook - Green etc.

New Forensics Tool Can Slurp a Phone’s Data via the Cloud

Time to "double wrap" the hat with tin foil...
The police don't even need to touch your phone anymore to know how you've been using it. A new off-the-shelf forensics tool lets cops retrieve all the data they want from your iPhone by accessing its contents through iCloud.
The software, developed by ElcomSoft, lets investigators retrieve user data associated with iPhones from Apple's iCloud online backup service, reports The Register. There's a thorough description of how the technology works on ElcomSoft's website, but from The Register:
"iCloud backups offer a near real-time copy of information stored on iPhones including emails, call logs, text messages and website visits. iCloud backups are incremental. When set up to use the iCloud service, iPhones automatically connect to iCloud network and backup their content every time a docked device gets within reach of a Wi-Fi access point.
"'While other methods require the presence of the actual iPhone device being analyzed or at least an access to device backups this is not the case with iCloud,' ElcomSoft chief exec Vladimir Katalov explained. 'With a valid Apple ID and a password, investigators can not only retrieve backups to seized devices, but access that information in real-time while the phone is still in the hands of a suspect.'"
Of course, the solution does require access to the Apple ID and password of the person who's being snooped on and they might not be easy to obtain. But, once those details are in place, the data can be swiftly downloaded, unencrypted. Nice. [ElcomSoft via The Register]
Interesting. I suppose something like this could happen with Google eventually as well, but the only thing that I ever back up are contacts. There was a story posted recently about the FBI issuing a warrant to Google to get access to a pimp's phone because they couldn't crack his unlock pattern.
http://arstechnica.com/tech-policy/...droids-pattern-lock-serves-warrant-on-google/
Even with this, they can only get a limited amount of his data. Google only allows for syncing of Contacts, Calendar, and Gmail, so if he doesn't use it as a main source for data or have his other email linked to it they still won't gain much info. Not sure why the warrant asks for texts because last I checked even wireless providers only keep logs of numbers texted, not the messages themselves, correct?
Anyway, while this doesn't seem an issue as it requires a warrant, as you said if someone got access to an AppleID and password for malicious purposes it's open season.

[APP][2.2+] The best solution for data protection, Mobile StrongBOX FREE

Hello to ALL!
After almost 2 years since the first Symbian release, I have ported my application, Mobile StrongBOX, to Android (finally).
It is available on Google Play, but since I'm new on this forum I cannot post the link to it. The best way to find it is to search for "strongbox" in Google Play.
Mobile StrongBOX is designed for the secure storage of private information, such as photos or videos, passwords, data for bank accounts, documents and anything else you want to protect. The application uses a strong public-key crypto-system that is optimized for mobile phones.
Today we take our phones everywhere we go and we can have our private data with us. Take, for example, private photos: we all have them on our phones, but in case we lose our phone we are in trouble because someone else can view our private photos! The same problem is for any private data that we store on our devices like passwords, bank account information, private documents etc. Mobile StrongBOX is designed to solve this problem, it offers protection so we do not fear any more to take our private data with us.
Encryption is the best type of data protection. There are many solutions that in case of stolen phone allow you to wipe the data on the device, BUT from the point when you lose your phone until you realize that, it can be too late!
Mobile StrongBOX uses strong 256-bit AES (Advanced Encryption Standard) encryption for data and 1024-bit RSA encryption for keys. Any kind of information can be secured with Mobile StrongBOX. It does protect your data, but also helps you if you have many things to memorize like passwords and credit card PINs. With Mobile StrongBOX you will not have to worry about these things any more!
Storing passwords, PINs, credit card numbers, membership info, login credentials etc. is now very easy and safe. Photos, videos, documents and folders can also be added to strongbox, keeping the hierarchical structure of folders (for example you can encrypt your private photos and videos so no one else can view them).
Key features and advantages over similar apps:
- very strong encryption: 256 AES + 1024 RSA
- not only encrypts items like passwords but files like private documents and photos/videos, too.
- every file or item is encrypted with a different AES key, automatically generated.
- customizable templates: add/remove/rename fields, you can change icons, add your own templates.
- multiple files or folders import (encrypt) / export (decrypt) in one operation.
- you can create sub-folders and group files/items however you like.
- no export needed to view files, view them directly from the app.
- secure erasing of imported files, if you want to.
- search, auto-lock, trash
- you can have multiple strongboxes and switch between them.
- does not contain ads, does not have INTERNET permission
With Mobile StrongBOX you have your private information encrypted in your pocket anywhere, ON-THE-GO.

SplashID v7 upgrade security issue

Besides the issues SplashData has with their SplashID v7 Android upgrade losing many customers' data, there is also a very worrying security issue which SplashData ignores (and actively censors: my messages regarding this on their FB page have been deleted and I am blocked from commenting or writing there).
Here is the issue:
The new SplashID version 7 had a cloud sync feature (30 day free trial, then for a fee). When first starting the upgraded version (which may have been installed automatically on Android if one allows auto upgrades!), one first has to again enter one's email address/username, and then the password (which is the one used to encrypt one's database containing all one's private, sensitive data!). Then the upgrade asks whether one wants to try the cloud sync feature.
Even if one declines and opts to stay with the existing Wi-Fi sync feature only (which does not need a cloud account), the upgrade goes ahead and automatically creates such a cloud account on splashdata's servers, *and it uses the same password* for this. (In fact, as a further part of the upgrade procedure one needs to log into those cloud servers using that password after receiving an activation link in email.)
So, splashdata leaks the master password which one uses to secure one's most private data (credit card PINs, login passwords etc.) into their cloud, without telling that this will be done, nor asking permission.
There is no info whether the password is stored securely (doubt it), whether it is in all cases transmitted securely (doubt that too) and anyhow, once this has happened one has lost control over that most important password. It's burnt, in the wild, out of one's own control.
Note that changing the password on one's own copy of SplashID is a good idea after that, but any old copy of one's encrypted database that might still live on any old disk backup, cloud service (dropbox etc.) or SD card somewhere is now vulnerable.
And because splashdata in their 'wisdom' associated one's email address (and thus identity) with that password, it's easier for hackers to find it. Better companies than splashdata have lost passwords in the past.
It is even a very bad idea to use the same password for a cloud service as one uses for securing one's private data. Forcing this onto users without permission or warning is almost criminal.
Sent from my GT-N7000 using Tapatalk 2
Ouch, that sounds like a bad idea. If the user doesn't want a remote account made, they should respect that. Can you give me any more details about this? I would like to contact them and request some proper response to this. While they might not be leaking the plaintext password, anything that can be "opened" with your password is a significant enough leak, as it would allow an attacker to verify they have the right password.
Not much more than I already said. I am a long-time user of their SplashID (Mac) Desktop and Android app to store all my credit card, bank account and yes, many systems passwords in.
The database they use is encrypted with a 'master password' which one has to enter on one's Android (or iPhone, etc.) or Desktop every time to unlock and decrypt (in memory), so that one can access the data.
The same password is used on both the mobile and desktop of course.
A few days ago, an upgrade to SplashID v7 was made available on the Google Play store. I don't allow 'automatic' updates (though I am sure a lot of folks do!), but this time I also did not really check what the upgrade offered, and clicked 'UPGRADE ALL' when it was offered along with a number of other upgrades. So it got installed.
When I subsequently opened SplashID again, it told me about all the shiny new features (cloud sync etc.) and as normal asked me for my password (it also asked for my email address. I thought that this was for them to check my purchase/license and what features would be enabled).
I thought that it would then show me my data. But wrong. Instead it offered me a selection whether I want to use the new 'cloud sync' feature (30 day free trial, later for $$), or stay with the normal 'wifi sync'.
I opted for the latter (because I don't trust having my data sent to the cloud).
Anyway, the next thing I get is a message: (paraphrasing) "we have created your cloud account, you will get an email and will have to verify your email". Sure enough, I get an email:
Thank you for signing up for SplashID Safe Personal Edition!
To activate your account, please verify your email address by clicking the link below: Verify Email
Then check your email for our SplashID Safe Welcome message.
The link goes to: https://www.splashid.com/personal/webclient/login.php
I had to again enter there my email address, and *the same password* that I entered before (which I thought would be for my private data-store).
Yes, that same password was used to create my account on their cloud server, even though I opted for the Wifi Sync *only* and never asked for a cloud-sync.
Nor did the app tell me that the same password would be used to secure that account.
The issues with this are self-evident:
a) my most secure password, the one used to secure my data on my mobile and on my desktop is now 'leaked' to their cloud account
b) I have *no* idea how securely that password was transferred (in clear, encrypted, just a hash), nor how securely it is stored
c) it clearly is linked to my cloud-account on their website, so
- someone somehow learning that password could 'verify' it by accessing that account
- if someone hacked their system and accessed their database, that link would be apparent to them
d) I have lost *all control* over securing that password myself. It is 'burnt', 'in the wild'
e) Any past backups of my secure SplashID database that may live on SD cards of mine, on backup disks, which may have been copied to the cloud (dropbox, others) are now vulnerable. It is no use for me to change this password here now, as old copies that may still exist somewhere are still encrypted with this password (and I cannot change them back).
Yes, I am trying to limit exposure for that password data file as much as possible, but e.g. Titanium Backup may have at some point in the past backed it up and copied a backup to the cloud (yes, that is also encrypted, but once that feature failed).
More than that, of course users who are not as security conscious may have opted for 'cloud sync'.
While I have not tried this feature myself, it sounds to me like this does copy the data to SplashID's cloud and there secures it too only with that one single password.
So many users who may not have thought all this out may have opted for the 'CloudSync' trial, and not only have their password 'leaked'/'burnt' now, but also have all their data in the cloud, again secured only with a password that is no longer in their sole possession.
In fact, any secure, trustworthy system would have
a) been *very* upfront about what they are going to do with the password and the cloud account
b) used a separate password to secure the cloud account
c) only stored my encrypted copy of the database in their cloud, without *them* having the password for it
d) done any syncing on the client (i.e., transfer the complete encrypted password to the mobile or desktop where the comparison/updates would happen) and then copied back again a secured file, that was encrypted on the mobile).
More discussion on SplashID's own site: http://forum.splashdata.com/showthr...ically-send-in-background-to-splash-id-server
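A sketch of recommendations (b) and (c) from the post above, and of the earlier point that anything "openable" with the password lets a guess be verified. It is an added illustration, not SplashID's code, and says nothing about how SplashID actually works; the function names, labels, iteration count and sample passwords are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive_keys(master_password: str, client_salt: bytes) -> tuple:
    """Stretch the master password once, then split it into two unrelated keys.

    vault_key never leaves the device; login_token is all the server would see.
    """
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               client_salt, ITERATIONS)
    vault_key = hmac.new(root, b"vault-encryption", hashlib.sha256).digest()
    login_token = hmac.new(root, b"cloud-login", hashlib.sha256).digest()
    return vault_key, login_token


def server_enroll(login_secret: bytes) -> dict:
    """What the sync server keeps: a salted, stretched hash of the login secret."""
    server_salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", login_secret, server_salt, ITERATIONS)
    return {"salt": server_salt, "digest": digest}


def server_check(record: dict, login_secret: bytes) -> bool:
    """Server-side login check against the stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", login_secret, record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def record_confirms_master(record: dict, client_salt: bytes, guess: str) -> bool:
    """Does a copy of the server record confirm a guess at the vault password?"""
    _, token = derive_keys(guess, client_salt)
    return server_check(record, token)


if __name__ == "__main__":
    master = "constructed-master-passphrase"   # constructed sample value
    salt = os.urandom(16)
    vault_key, login_token = derive_keys(master, salt)

    # Derived login token: the password itself stays on the device, but the
    # server record is still tied to it and confirms a correct guess.
    derived = server_enroll(login_token)
    print("derived token, record confirms master:",
          record_confirms_master(derived, salt, master))

    # Recommendation (b): an unrelated cloud password. The server record then
    # carries no information about the vault password at all.
    separate = server_enroll(b"constructed-unrelated-cloud-password")
    print("separate password, record confirms master:",
          record_confirms_master(separate, salt, master))
```

With a derived token the server never receives the master password, yet its stored record still works as a check on guesses, limited only by the stretching cost; only the unrelated cloud password removes that link.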

[Q] How do YOU manage sensitive data?

I am looking for a secure & simple method to keep sensitive data on my phone that will survive wipes/rom flashes. I used to keep a password list in my Google Docs, but I misplaced my tablet at work (fortunately a coworker locked it up until I could retrieve it), so I nuked that idea.
I tried mSecure and spent half an hour saving all my personal info, and lost it the next time I flashed a rom (I also keep the info on my desktop computer, so no big deal). Maybe mSecure has an option to keep an encrypted file on external memory, I didn't play with it enough to see.
Cloud services are ok I suppose, but I really prefer having the info on the phone itself, for those rare times I don't have a data connection but need access to passwords, etc.
Some people use a method of encrypting/decrypting files on their device. That sounds pretty ideal to me ― just decrypt it when needed and encrypt when done. If you lose the device, hopefully the encryption is strong enough to prevent anyone from stealing your info.
How do YOU manage sensitive data?
KeePassDroid for passwords. You can sync the database to the cloud if you want. PC compatible.
EDS Lite for data; it's TrueCrypt container compatible (in specific settings), so you can mount it also on PC.
Use TrueCrypt on a PC to create a container sync'd to DropBox (or similar), but pay attention to the settings to make it accessible on Android using EDS Lite.
Sync the encrypted container to the Android device using DropBox/Dropsync.
Use EDS lite on Android to access the sensitive data, when needed.
Use some kind of backup system (e.g. CrashPlan) to back up the DropBox folder, just in case the secure container gets deleted on a device and the deletion gets mirrored by DropBox. (You can normally recover deleted files on DropBox, but there may be a one month limit for free accounts, and it's best to have a secondary backup system, just in case!).
