Android saves passwords in plaintext, another bug confirmed for the platform
Google employee Andy Stadler said that the password files are left unencrypted out of necessity. His post indicated that if the stored passwords were encrypted, they would not work with email providers running the POP3, IMAP, SMTP and Exchange ActiveSync protocols.
Developers have even gone so far as to argue that encrypted passwords are actually more likely to be hacked than unencrypted ones. They said that the use of encryption lulls the user into a false sense of security, making them feel safe performing certain actions they otherwise wouldn’t. For this reason, developers have sometimes argued that encryption simply obscures rather than solves the security problem.
To this, Stadler replies: “Simply obscuring your password (e.g. base64) or encrypting it with a key stored elsewhere will not make your password or your data more secure. An attacker will still be able to retrieve it. In particular, some claims have been made about some of the other email clients not storing the password in cleartext. Even where this is true, it does not indicate that the password is more secure.”
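The trade-off in Stadler's reply, as an added example that is not from the original article or from Android's code: SMTP/IMAP `AUTH PLAIN` (RFC 4616) sends the cleartext password, so any stored form the mail client can still use is equally recoverable by whoever can read the same files. The account, password, device key and the SHA-256 keystream standing in for a real cipher are constructed for illustration, and the key is assumed to be readable by the same party as the password file.

```python
import base64
import hashlib

def sasl_plain(user: str, password: str) -> str:
    """AUTH PLAIN initial response (RFC 4616): base64(NUL user NUL password)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for a real cipher."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def store(password: str, scheme: str, key: bytes = b"") -> bytes:
    """Return what would be written to the account database for each scheme."""
    raw = password.encode()
    if scheme == "plaintext":
        return raw
    if scheme == "base64":
        return base64.b64encode(raw)
    if scheme == "encrypted":
        return keystream_xor(key, raw)
    if scheme == "hashed":  # one-way digest: cannot be turned back into a login
        return hashlib.sha256(raw).hexdigest().encode()
    raise ValueError(scheme)

def recover(stored: bytes, scheme: str, key: bytes = b""):
    """What a reader of the device's files gets back; None if unrecoverable."""
    if scheme == "plaintext":
        return stored.decode()
    if scheme == "base64":
        return base64.b64decode(stored).decode()
    if scheme == "encrypted":
        return keystream_xor(key, stored).decode()
    return None

# Constructed sample values, not taken from the article.
USER, PASSWORD = "alice@example.com", "correct horse"
DEVICE_KEY = b"key-file-on-the-same-device"

def report() -> dict:
    """Map scheme -> (recovered password, whether the client can still log in)."""
    expected, out = sasl_plain(USER, PASSWORD), {}
    for scheme in ("plaintext", "base64", "encrypted", "hashed"):
        pw = recover(store(PASSWORD, scheme, DEVICE_KEY), scheme, DEVICE_KEY)
        out[scheme] = (pw, pw is not None and sasl_plain(USER, pw) == expected)
    return out

if __name__ == "__main__":
    for scheme, (pw, can_login) in report().items():
        print(f"{scheme:10} recovered={pw!r:18} client_can_login={can_login}")
```

Only the hashed form resists recovery, and it is also the only one the client cannot use to authenticate.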
Now that is some issue: to encrypt, or not to encrypt?!