
Re: [Full-disclosure] Android HTC Mail insecure password management



Hi vtalk,

What was HTC's response?

What were the results under Android 4.0+ (Ice Cream Sandwich)? Were
you able to test the configuration?

Android 4.0+ offers a Keychain, and applications should be storing
base secrets in the Keychain (pushing the responsibility from
developer to OS).

Jeff

On Sun, Aug 5, 2012 at 2:57 PM,  <vtalk@xxxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Android HTC Mail insecure password management
>
> Classification:
> ===============
> Level: low-[MED]-high-crit
> ID: HEXVIEW*2012*08*05*01
> URL: http://www.hexview.com/docs/20120805-1.txt
>
> Overview:
> =========
> HTC is a $9.5B (USD) Taiwanese manufacturer of smartphones and tablets, primarily
> Android-based. HTC's devices account for 5% of the smartphone market and for
> about 15% of all Android devices sold in the US. Most HTC devices come with an
> application called HTC Mail. HexView discovered that HTC Mail insecurely stores
> mailbox credentials.
>
> Affected products:
> ==================
> HTC Mail application, all versions (package: com.htc.android.mail)
>
> Vulnerability Summary:
> ======================
> Android OS comes with a feature called AccountManager that lets applications
> manage user credentials in a more or less secure fashion. HTC Mail instead stores
> usernames and passwords directly in its database obfuscated with a weak,
> trivial-to-reverse algorithm.
>
> Technical Details:
> ==================
> HTC Mail application stores user credentials in the 'accounts' table in its 'mail.db'
> SQLite database. The table contains usernames, email addresses, hostnames, mailbox
> and SMTP passwords for each mail account configured in the Mail application. All data
> is stored in plain text except for passwords that are "encrypted" as follows:
> 1. Password characters at odd and even positions are swapped.
> 2. The byteswapped string is base-64 encoded twice.
> 3. The resulting base64-encoded password is stored in the database.
>
> Demonstration:
> ==================
> HexView produced a script for the GameSpector application (available in Google Play)
> that decodes and displays HTC Mail passwords. GameSpector requires root access.
>
> Distribution:
> =============
> This document may be freely distributed through any channels as long as
> its content is kept intact. Commercial use of the information in the
> document is not allowed without written permission from HexView.
> Please direct all questions to vtalk@xxxxxxxxxxx
>
> About HexView:
> ==============
> HexView is a technology consulting boutique offering a variety of information
> security services, including security assessments of mobile applications.
> For more information visit http://www.hexview.com
>
> Feedback and comments:
> ======================
> Feedback and questions about this disclosure are welcome at vtalk@xxxxxxxxxxx
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
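The three-step "encryption" described in the quoted advisory, written out as an added reference implementation (not HexView's GameSpector script and not HTC's code) to show why it offers no confidentiality: both directions run with no key material at all, so anyone who can read mail.db can recover the password. The pairwise swap is assumed to leave a trailing unpaired character in place for odd-length passwords; the advisory does not say.

```python
import base64


def swap_pairs(data: bytes) -> bytes:
    """Swap the characters at positions (0,1), (2,3), ... as step 1 describes.

    Assumption: an unpaired trailing byte of an odd-length input stays put.
    The operation is its own inverse, which is the first hint that this
    is an encoding, not encryption.
    """
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def htc_obfuscate(password: str) -> str:
    """Steps 1-3 from the advisory: swap pairs, then base64 twice."""
    swapped = swap_pairs(password.encode("utf-8"))
    once = base64.b64encode(swapped)          # step 2, first pass
    twice = base64.b64encode(once)            # step 2, second pass
    return twice.decode("ascii")              # step 3: value as stored


def htc_deobfuscate(stored: str) -> str:
    """Undo the transform. Note that no secret is needed anywhere."""
    once = base64.b64decode(stored.encode("ascii"))
    swapped = base64.b64decode(once)
    return swap_pairs(swapped).decode("utf-8")


def is_keyless_roundtrip(password: str) -> bool:
    """True when the stored form decodes back to the input with zero key
    material, i.e. the scheme is reversible by any reader of the database."""
    return htc_deobfuscate(htc_obfuscate(password)) == password


if __name__ == "__main__":
    # Constructed sample password; not from any real device or mailbox.
    sample = "correct horse"
    stored = htc_obfuscate(sample)
    print("stored in mail.db:", stored)
    print("recovered without a key:", htc_deobfuscate(stored))
```

Because the stored value is a deterministic function of the password alone, two accounts with the same password also produce byte-identical database entries, which is another property real credential storage (AccountManager, as the advisory notes, or the platform keystore) avoids.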