Android saves passwords in plaintext, another bug confirmed for the platform

According to sources, Google’s Android OS stores passwords in plain text, leaving them vulnerable to hackers and the like. Passwords for users’ email accounts are saved in the SQLite database in Google’s software in plain text, without any encryption. This means that the passwords are stored exactly as they are written and can easily be read by anyone who gets at the database.

Google employee Andy Stadler said that the passwords were left unencrypted out of necessity. His post indicated that, if they were encrypted, the stored passwords would not work with email providers running the POP3, IMAP, SMTP and Exchange ActiveSync protocols.

Developers have even gone so far as to argue that encrypted passwords are actually more likely to be hacked than unencrypted ones. Developers said that the use of encryption lulls the user into a false sense of security, making them feel safe performing certain actions they otherwise wouldn’t. For this reason, developers have sometimes argued that encryption simply obscures rather than solves the security problem.

To this, Stadler replies: “Simply obscuring your password (e.g. base64) or encrypting it with a key stored elsewhere will not make your password or your data more secure. An attacker will still be able to retrieve it. In particular, some claims have been made about some of the other email clients not storing the password in cleartext. Even where this is true, it does not indicate that the password is more secure.”
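The trade-off in that argument can be seen in a small model, added here as an illustration and not taken from Android's code or from Stadler's post: one password is stored as plaintext, as base64, and encrypted with a key kept in the same storage, then rebuilt from the stored data alone. The table names, the HMAC-based stand-in cipher and the salted-hash row (which goes beyond the page, showing a form the client could not use to log in) are assumptions.

```python
import base64, hashlib, hmac, os, sqlite3

def stream_xor(key, nonce, data):
    """Stand-in cipher (HMAC-SHA256 keystream); the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def build_store(password):
    """Constructed schema: the same password saved under four storage schemes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (scheme TEXT, aux BLOB, secret BLOB)")
    db.execute("CREATE TABLE keystore (scheme TEXT, key BLOB)")  # key kept on the same device
    pw, key, nonce, salt = password.encode(), os.urandom(32), os.urandom(16), os.urandom(16)
    rows = [
        ("plaintext", None, pw),
        ("base64", None, base64.b64encode(pw)),
        ("local_key", nonce, stream_xor(key, nonce, pw)),
        ("salted_hash", salt, hashlib.pbkdf2_hmac("sha256", pw, salt, 10_000)),
    ]
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", rows)
    db.execute("INSERT INTO keystore VALUES ('local_key', ?)", (key,))
    return db

def recover_from_storage(db):
    """Rebuild each password using only what is in the store, as the mail client itself must."""
    keys = dict(db.execute("SELECT scheme, key FROM keystore"))
    found = {}
    for scheme, aux, secret in db.execute("SELECT scheme, aux, secret FROM accounts"):
        if scheme == "plaintext":
            found[scheme] = secret.decode()
        elif scheme == "base64":
            found[scheme] = base64.b64decode(secret).decode()
        elif scheme in keys:
            found[scheme] = stream_xor(keys[scheme], aux, secret).decode()
        else:
            found[scheme] = None  # one-way hash: nothing to send to the server
    return found

def smtp_auth_plain(user, password):
    """SASL PLAIN initial response (RFC 4616): the server is sent the password itself."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

if __name__ == "__main__":
    for scheme, pw in recover_from_storage(build_store("constructed-pw-123")).items():
        login = smtp_auth_plain("user@example.test", pw) if pw else "cannot log in"
        print(f"{scheme:12} recovered={pw!r:22} auth={login}")
```

Every scheme that lets the client build a login response also yields the password to whoever can read the same storage; only the hash row resists recovery, and it cannot be used to authenticate.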

Now that is some issue: to encrypt, or not to encrypt!?