Weekly Edition
Return to the Security page
| |||||||||||||
Password storage on Android devicesA number of Android device owners are upset to learn that their trusty products store sensitive credentials — such as email account passwords — in plain text. The bug tracker entry has amassed an impressive number of votes, but as the attached discussion reveals, any proposed solution butts up against consumers' conflicting expectations — such as that the device continue to check for messages as long as it is turned on, yet never inconvenience the user by demanding a password. The root of the trouble is that POP, SMTP, IMAP, and other email protocols may require the client to provide the account password on every connection attempt. Thus, in order for the phone to check email silently in the background, the OS must have access to the password in plaintext. Google's default email application does just this, storing account passwords in the clear inside a SQLite database. Google's Gmail-specific client application, which uses a different, token-based authentication protocol, does not require the password on each connection, but the token itself may serve just as well. Discovery of that password "flaw" spawned a tremendous public outcry in the comments section of Android bug #10809. Of course, Android is not alone in this regard. Apple's iOS and other mobile platforms also store passwords on the device in plain text, and a client application on any other computing platform faces the same challenge: Thunderbird, PINE, Evolution, KMail, etc. — even IM clients — all send the account password to the server when left running unattended. Consequently, they must either store the password in plain text, ask for it on every connection attempt, or encrypt it and require the user to enter a different passphrase to unlock the storage location. Analyzing the problemThe difference is that mobile phone users are unaccustomed to logging into their phones with a username and password, and even if they do, they tend to leave their phones on (and thus leave themselves "logged in") 24 hours a day. A password store decrypted at login time would be readily available to a pickpocket, even if it is stored securely when the phone is deactivated. The pickpocket attack reveals another challenge to mobile password security: there is a difference between security measures that protect user credentials on "disk" when the phone is off, and measures that protect the credentials during an active session. Android will be implementing its own form of full-disk encryption with 3.0 ("Honeycomb"), which will offer protection against extracting information from the flash storage card. But this will not help any users on earlier versions of Android, nor does it protect against attackers who steal running phones. Google cannot force third-party application developers to store passwords wisely, but many commenters on bug 10809 feel that the company ought to provide a more secure option for the set of default Android applications. The discussions on the bug tracker and on external sites like Android Central make for interesting reading. Some suggested encrypting (or obfuscating) the password file itself, and storing the key to that file elsewhere, such as on a "keychain" stored on the device. But as Android developer Andy Stadler pointed out, this does not improve security, it only moves the weak link to a different file. The password safe must be decrypted for the application to use it, which means the password to the password safe must itself be stored in plain text for unattended access. As he put it, there is "a simple test: if you can boot up the device and it will begin receiving email on your configured accounts, then the passwords are not truly secure. They are either obfuscated, or encrypted with another key stored somewhere else." Others suggested not storing the passwords locally at all, but storing only a hash of the password instead. This approach does not work either, as user hyperhacker noted, because hash functions are one-way, and the original password is what must be sent to the server. Thus in practice either the user will be prompted for the password to validate the hash value (in which case the stored hash is clearly useless), or else the "hash" function is actually an encryption function, and the scheme is no different from the other encrypt-the-password-file proposals mentioned above. Inconvenient securityThe "executive summary" of the situation is that either the OS has access to a password in plaintext without user intervention, or else the user must be prompted to supply a password that is stored nowhere on the device. The real question is how much inconvenience the user will tolerate. A scheme that asks the user for a boot-time passphrase to unlock a password safe is not very secure because of how long phone sessions typically last. As user mahashel put it in a related bug report:
The trick with phones is that they are powered on for great lengths of
time. Once the User logs into the device the filesystem is
visible/decrypted, and it remains that way until powered down. How may
people power down their phones before they lose them? ;)
One alternative would be to re-prompt the user for a passphrase whenever the device is awakened from an idle or sleep state. User aigarius argued that this would prevent the device from checking email in the background. "If you 'tie' it to the unlock code, then you can only check the email when the phone is unlocked, which is clearly quite useless." This is not true in the strictest sense: the OS could "forget" the password only when the user begins the unlock procedure — that way the background process could continue to check messages and activate alerts, and a pickpocket would still be locked out — but it still requires the user to enter a passphrase, PIN code, gesture, or some other form of credential every time he or she picks up the phone to do anything. That level of inconvenience seems to be anathema to most consumers. User solinym suggested biometrics might be better received among consumers than passwords, with a caveat: "If you think key rotation is a PITA, you haven't tried replacing your fingerprints." He also raised the question of hardware security, tamper-resistance in particular, suggesting that the hardware required to prevent hardware key-extraction would add little to the cost of modern smartphones. Gertvdb suggested storing a "master password" on the phone's SIM card, because SIM cards are more secure by default, they limit the number of attempts to enter the PIN code, and they have storage capacity. "The phonebook / SIM SMS message store should have enough space, even on 8k SIM cards. (And doesn't seem to be used by Android) (Some compression might make sense, to reduce the amount of storage needed)." Of course, not all phones use SIM cards, and on those that do, denial-of-service is a risk, as an attacker (perhaps a casual one just snooping around) could exceed the allowed number of PIN guesses and lock out the phone owner, even if they do not gain access to the data on the device. As is typical of security debates, the talk returned time and time again to whether or not providing some form of weak security was worthwhile (to prevent casual attackers), or whether, in the absence of a foolproof solution, all other solutions give users a "false sense of security" and are "a complete waste of time" for developers to attempt. Eventually a number of suggestions arose that amount to offering user-selectable "security levels," through which security-conscious users could enable strong encryption of their credentials at the cost of automated access, and the more laissez-faire could dispense with it. User danthanos called for a public API providing a secure storage service:
This service could be offered as an API to any Android app including the
mail application. In future this API could make automatic use of any h/w
based secure storage for key materials and credentials. Most of the
fundamental crypto methods and needed software libraries exist to implement
a service of this nature.
Tangential issuesGoogle has not responded with a game plan. Stadler, who marked the bug as "medium" importance last September, also commented "rest assured, I am not closing this bug. We recognize that this is causing concern for some users, and we're going to look at identifying steps that can make your data more secure" — which remains the last public word on the subject from the Android team. The full-disk encryption debuting in Honeycomb is unquestionably a step in the right direction, because it does offer protection against exposing one's password in the event of a memory card theft. Intriguingly enough, however, another commenter reported that Android already has an internal "Credential Storage" API that is not documented for public use. Several third-party Android discussion forums have also brought up this API, so it appears to be in the wild already, but there is no official discussion of it. It appears to be used by applications for storing VPN certificates and other credentials not chosen by the user, but without a published API it is not likely to be useful to developers (and abusing it may break important things as well). Android does have a "remote wipe" function (as asked about by hyperhacker in the bug discussion thread) for administrators to activate in case of theft, although it must be set up in advance. Needless to say, a remote wipe is hit-or-miss: if activated before an attacker accesses the phone, it works, if activated afterward it does no good at all. Remote wipe can also be used in ways that users may not expect. In the meantime, security-focused users and developers can always turn towards third-party Android Market tools to offer additional layers of protection. There are stand-alone applications for bulk password storage, although these do not automatically sign-in to email (or other services). There are applications that provide password-protected access to the application as a whole, and there are PGP clients and directory encryption utilities galore. Even with all of those add-ons activated, however, it will still be up to the user to make the final choice: would you rather have your phone check your email in the background (and store your account password in plaintext), or have your phone keep your password safe (and force you to supply a password for access). There's just no way to have it both ways. (Log in to post comments)
Password storage on Android devices Posted Aug 4, 2011 3:04 UTC (Thu) by thedevil (subscriber, #32913) [Link]
"Thunderbird, PINE, Evolution, KMail, etc. even IM clients all send
the account password to the server when left running unattended. Consequently, they must either store the password in plain text, ask for it on every connection attempt, or encrypt it and require the user to enter a different passphrase to unlock the storage location."
There is an easy solution: read the password from the filesystem, from a
Sadly, as far as I know among MUAs only Gnus, and maybe other Emacs based
Color me confused Posted Aug 4, 2011 17:04 UTC (Thu) by felixfix (subscriber, #242) [Link]
How does this solve anything? Maybe your description isn't clear. The problem is that if the decryption key does not come directly from user input every time it is needed, then the plaintext has to be stored somewhere. If that store itself is encrypted, then either the user has to be asked, again, for the password, or the program itself has the password, in which case you have merely moved the cleartext one step away.
This is obvious to anyone familiar with encryption and passwords, and described in the article itself. So either you haven't solved anything, or you haven't been clear.
Password storage on Android devices Posted Aug 4, 2011 3:38 UTC (Thu) by smoogen (subscriber, #97) [Link]
Hmm I wonder if some sort of key-daemon would be the solution. You start the phone and are asked for the password. It stores the passwords encrypted on disk and in memory.
Programs that need a password ask the key-daemon if they can have it and are granted on a permission basis.
Or better yet.. we make phones kerberos aware and google runs the worlds largest keytab installation :).
Password storage on Android devices Posted Aug 4, 2011 3:46 UTC (Thu) by roc (subscriber, #30627) [Link]
> the OS could "forget" the password only when the user begins the unlock
> procedure that way the background process could continue to check > messages and activate alerts, and a pickpocket would still be locked out > but it still requires the user to enter a passphrase, PIN code, gesture, > or some other form of credential every time he or she picks up the phone > to do anything. That level of inconvenience seems to be anathema to most > consumers.
You can configure Android to request a PIN every time it wakes up. I use this. Seems to me that if you encrypt the persistent password storage, and forget the plaintext password on wake-up until the PIN has been entered as you suggest, this problem is solved for the security-conscious users who use a PIN. Then if you care about security, use the PIN.
Password storage on Android devices Posted Aug 4, 2011 5:33 UTC (Thu) by martinfick (subscriber, #4455) [Link]
For those who do not use a pin, I suspect that they at least use the 9 dot matrix. Nothing prevents the dots on this matrix to be considered digits for a pin. This just leaves auto boot as a problem, but I think that this would still be a major improvement.
Password storage on Android devices Posted Aug 9, 2011 5:01 UTC (Tue) by sethml (subscriber, #8471) [Link]
If the attacker is able to read the encrypted password file from flash, a 4-digit PIN is likely to be trivial to brute-force. Storing the password on a SIM with lock-out is a decent solution, if you have a SIM card. I'm tapping this out on an Android phone with no SIM.
Per-Device Passwords Posted Aug 4, 2011 5:55 UTC (Thu) by wtogami (subscriber, #32325) [Link]
I really like Google's 2-factor authentication and per-device passwords. The only password stored on my phone is a per-device password for GMail. If they steal my phone, they cannot use that to break into my GMail account. If they steal my real GMail password (keylogger or something), they also need to steal my phone to have the 2nd-factor to login to GMail.
Sure, it isn't perfect, but it's better than without.
Per-Device Passwords Posted Aug 4, 2011 12:37 UTC (Thu) by Comet (subscriber, #11646) [Link]
Except the "application-specific passwords" are not application or device specific. They never get locked down to be for the application with which they're first used.
So if you create 3 app-specific passwords, you've created three passwords which have access to any of your Google services, bypassing the two-factor auth you may have setup. Sure, Google's auth system will only show you those passwords once, but if they're stolen from a device, game over.
Until Google start locking down those passwords so that they're only valid for accessing the service with which they're first used, they're a gaping hole; their only redeeming attribute is that the passwords have better entropy than most humans will typically choose.
Ideally, the app-specific passwords would have a checkbox, "needs to be a secure signature upon this password", so that a signing-key stored in a TPM could sign the password, nonce and a timestamp, then send all but the password. Publish the algorithm. Then the unchecked passwords are still as exposed, so if you're using a third-party app you have a problem, but anyone writing software with custom support could get something halfway decent.
But by this point you're half-way towards OAUTH and long-term issued credentials anyway. So don't do the custom schemes but accept the need to implement the crazy.
Per-Device Passwords Posted Aug 4, 2011 13:36 UTC (Thu) by pj (subscriber, #4506) [Link]
OAUTH + some management seems to be the answer I think would be fine:
1) OAUTH so that no app has my actual password, they have essentially per-app passwords
2) management somewhere (my OAUTH provider?) that will let me de-auth all the passwords associated with my device in case it's lost.
Though honestly, I'd be pretty happy with just 1. first-use-time login and 2. a decent phone lock-screen.
Password storage on Android devices Posted Aug 4, 2011 10:26 UTC (Thu) by fb (subscriber, #53265) [Link]
> Of course, Android is not alone in this regard. Apple's iOS and other mobile platforms also store passwords on the device in plain text,
I thought the worst part of the problem was that in Android every program with SDCard access could steal the password. Isn't the case that in iOS each program writes to its own separate storage area? That at least protects it from trivial access from any other application.
Password storage on Android devices Posted Aug 7, 2011 18:52 UTC (Sun) by martinfick (subscriber, #4455) [Link]
No, I don't even have an sdcard in my android tablet. It certainly is not storing anything on the sdcard, yet I have passwords stored. The sdcard is mainly used for things like photos that applications expect you to want to share with other apps.
Password storage on Android devices Posted Aug 4, 2011 13:56 UTC (Thu) by neufeld (subscriber, #9124) [Link]
Perhaps, for the truly security-obsessed, the solution is to enforce an actual physical separation. Passwords aren't stored on the phone, but on a small bluetooth dongle that you keep in another pocket. When the phone needs a password, it queries the dongle for it, and never stores it locally. Phone continues to be useful to the owner, but now the pickpocket needs to grab a second object at the same time if he wants to make use of the passwords stored on it.
Password storage on Android devices Posted Aug 4, 2011 16:40 UTC (Thu) by raven667 (subscriber, #5198) [Link]
Bluetooth might have two much range, maybe some sort of PAN so you have to be touching the phone. Any of these kind of solutions could have real problems with attackers who are physically near the victim, or whole-sale compromise by installing the right radios in a crowded area or even on a well-used stairwell railing or similar.
Who is the enemy? Posted Aug 4, 2011 18:07 UTC (Thu) by jmorris42 (subscriber, #2203) [Link]
If the problem is lost/stolen phones falling into the hands of mortals the problem is solvable. On boot and inactivity require a PIN/password to access the UI. Encrypt the removable storage if it has passwords or at least encrypt the password files with a key stored in the phone itself, preferably stored in the crypto area of the CPU or in the SIM. On boot don't access the keys until a successful user login. Doing those few steps stops anyone who isn't prepared to get into a stolen phone without interrupting power and hook up to the memory bus without crashing the phone. So unless your opponent is a nation state or seriously funded corporate spy you would be pretty safe.
Oh, and you would also need to enforce signed OS images from trusted sources (i.e. Trusted Computing) for it to be secure against someone just flashing a version of Android that didn't enforce the rules. This problem exists regardless what solution is proposed. Whether it is worth that price I leave to the reader.
A few more precautions in the hardware could close most of the remaining bugs but probably at expenses in bill of materials and user irritation most would be unwilling to pay for. So stop 99% of the problem and leave the 1% for secure MILSPEC hardware.
don't use passwords? Posted Aug 8, 2011 12:08 UTC (Mon) by johill (subscriber, #25196) [Link]
You could use kerberos to authenticate, then you'd have to enter the password maybe once a week or so to renew your ticket and could probably revoke it remotely when you lost the phone...
Not that I know if android supports kerberos.
Password storage on Android devices Posted Aug 10, 2011 13:47 UTC (Wed) by hpro (subscriber, #74751) [Link]
Doesn't iOS since long have an encrypted keychain, where applications can only access data stored by itself, or other applications signed with the same key?
Adding some type of credentials storage would not be a security panacea, but would surely make it a lot easier for app developers which would not have to worry about reinventing the security wheel, which we know from experience, is guaranteed to generate lots of really bad (unsecure) solutions.
If such a feature was part of the Android API, then the underlying mechanism can be improved over time, so if encryption key hardware modules make it in to hansets, that would be used and so on. It would even be imaginable that you could have a completely different back-end for the credentials storage that stores your (encrypted) passwords in the cloud, and give the user the possibility of controlling system-wide the timeout for passwords, and so on.
Password storage on Android devices Posted Aug 11, 2011 16:15 UTC (Thu) by slashdot (guest, #22014) [Link]
Why not just add hardware AES encryption to the whole flash storage of the device?
In fact, it's ridiculous that devices are shipping without full disk encryption.
Password storage on Android devices Posted Aug 11, 2011 21:39 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]
full disk encryption that encrypts the media, but decrypts it when plugged into a computer (so that the filesystem on the device is accessable to the computer for things like software upgrades) is pretty worthless.
full disk encryption that allows the system to continue running (for things like fetching e-mail or updating a calendar periodically) is also pretty worthless.
|
|||||||||||||