Re: Android HTC Mail insecure password management

[Jeffrey Walton <noloader () gmail com>]

Hi vtalk,

What was HTC's response?

What were the results under Android 4.0+ (Ice Cream Sandwich)? Were
you able to test the configuration?

Android 4.0+ offers a Keychain, and applications should be storing
base secrets in the Keychain (pushing the responsibility from
developer to OS).

Jeff

On Sun, Aug 5, 2012 at 2:57 PM,  <vtalk () hexview com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Android HTC Mail insecure password management
>
> Classification:
> ===============
> Level: low-[MED]-high-crit
> ID: HEXVIEW*2012*08*05*01
> URL: http://www.hexview.com/docs/20120805-1.txt
>
> Overview:
> =========
> HTC is $9.5B(USD) Taiwanese manufacturer of smartphones and tablets, primarily
> Android-based. HTC's devices account for 5% of the smartphone market and for
> about 15% of all Android devices sold in the US. Most HTC devices come with an
> application called HTC Mail. HexView discovered that HTC Mail insecurely stores
> mailbox credentials.
>
> Affected products:
> ==================
> HTC Mail application, all versions (package: com.htc.android.mail)
>
> Vulnerability Summary:
> ======================
> Android OS comes with a feature called AccountManager that lets applications
> manage user credentials in a more or less secure fashion. HTC Mail instead stores
> usernames and passwords directly in its database obfuscated with a weak, trivial
> to reverse algorithm.
>
> Technical Details:
> ==================
> HTC Mail application stores user credentials in the 'accounts' table in its 'mail.db'
> SQLite database. The table contains usernames, email addresses, hostnames, mailbox
> and SMTP passwords for each mail account configured in the Mail application. All data
> is stored in a plain text except for passwords that are "encrypted" as follows:
> 1. Password characters at odd and even positions are swapped.
> 2. The byteswapped string is base-64 encoded twice.
> 3. The resulting base64-encoded password is stored in the database.
>
> Demonstration:
> ==================
> HexView produced a script for the GameSpector application (available in Google Play)
> that decodes and displays HTC mail passwords. GameSpector requires root access.
>
> Distribution:
> =============
> This document may be freely distributed through any channels as long as
> its content is kept intact. Commercial use of the information in the
> document is not allowed without written permission from HexView.
> Please direct all questions to vtalk () hexview com
>
> About HexView:
> ==============
> HexView is a technology consulting boutique offering a variety of information
> security services, including security assessments of mobile applications.
> For more information visit http://www.hexview.com
>
> Feedback and comments:
> ======================
> Feedback and questions about this disclosure are welcome at vtalk () hexview com
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAlAezhcACgkQDPV1+KQrDqQW8gCfcT0koImRoJppbUwVkweaoxmG
> xD4Anj4osjlOWR1JmnWbLAwcoeHN0UjJ
> =g+yV
> -----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/