Android HTC Mail insecure password management

Classification:
===============
Level: low-[MED]-high-crit
ID: HEXVIEW*2012*08*05*01
URL: http://www.hexview.com/docs/20120805-1.txt

Overview:
=========
HTC is a $9.5B (USD) Taiwanese manufacturer of smartphones and tablets, primarily Android-based. HTC's devices account for 5% of the smartphone market and for about 15% of all Android devices sold in the US. Most HTC devices come with an application called HTC Mail. HexView discovered that HTC Mail insecurely stores mailbox credentials.

Affected products:
==================
HTC Mail application, all versions (package: com.htc.android.mail)

Vulnerability Summary:
======================
Android OS comes with a feature called AccountManager that lets applications manage user credentials in a more or less secure fashion. HTC Mail instead stores usernames and passwords directly in its own database, obfuscated with a weak algorithm that is trivial to reverse.

Technical Details:
==================
The HTC Mail application stores user credentials in the 'accounts' table of its 'mail.db' SQLite database. The table contains usernames, email addresses, hostnames, and mailbox and SMTP passwords for each mail account configured in the Mail application. All data is stored in plain text except for passwords, which are "encrypted" as follows:

1. Password characters at odd and even positions are swapped.
2. The byte-swapped string is base64-encoded twice.
3. The resulting base64-encoded password is stored in the database.

Because the transformation uses no key, anyone who can read 'mail.db' can recover every stored password.

Demonstration:
==============
HexView produced a script for the GameSpector application (available in Google Play) that decodes and displays HTC Mail passwords. GameSpector requires root access.

Distribution:
=============
This document may be freely distributed through any channels as long as its content is kept intact. Commercial use of the information in the document is not allowed without written permission from HexView.

Please direct all questions to vtalk@hexview.com

About HexView:
==============
HexView is a technology consulting boutique offering a variety of information security services, including security assessments of mobile applications. For more information visit http://www.hexview.com

Feedback and comments:
======================
Feedback and questions about this disclosure are welcome at vtalk@hexview.com
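The three-step obfuscation described under Technical Details, implemented here as an added example (not HexView's GameSpector script or HTC's code) to show why it offers no protection: the swap is its own inverse and base64 carries no secret, so the stored value can be turned back into the password with nothing but the algorithm. The advisory does not say how an odd-length password is handled, so leaving an unpaired trailing character in place is an assumption; the sample password is constructed.

```python
import base64


def swap_pairs(s: str) -> str:
    """Swap the characters at each adjacent (even, odd) position pair.

    Applying the swap twice restores the input, so this step is its own
    inverse. An unpaired trailing character (odd-length input) is left as
    is; the advisory does not specify this case, so it is an assumption.
    """
    chars = list(s)
    for i in range(0, len(chars) - 1, 2):
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
    return "".join(chars)


def obfuscate(password: str) -> str:
    """Steps 1-3 from the advisory: swap positions, then base64 twice."""
    swapped = swap_pairs(password).encode("utf-8")
    once = base64.b64encode(swapped)
    return base64.b64encode(once).decode("ascii")


def deobfuscate(stored: str) -> str:
    """Undo obfuscate(): decode base64 twice, then swap positions again.

    No key is involved, which is the whole weakness: the stored form is
    merely an encoding of the password, not an encryption of it.
    """
    once = base64.b64decode(stored)
    swapped = base64.b64decode(once)
    return swap_pairs(swapped.decode("utf-8"))


if __name__ == "__main__":
    sample = "s3cr3t!"  # constructed sample password, not from any device
    stored = obfuscate(sample)
    print("stored:   ", stored)
    print("recovered:", deobfuscate(stored))
```

Run stand-alone, the script prints the double-base64 form of the sample and then the recovered plaintext, which matches the original.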