It is discovered that Samsung’s own S-Memo app is storing passwords in plain text. This is quite surprising. Samsung Galaxy S3, the most popular Android smartphone on the market right now, doesn’t use any technique to protect the passwords. We enter a lot of passwords into smarphones nowadays, such as social networks, emails, and even bank accounts. We are so used to it that we tend to ignore the associated vulnerabilities. With a rooted Android phone, you can get access to every file on the device. Just like in desktop Linux, super user access means you can break whatever you want, and the OS can do very little to stop you.
A common approach for password security is to store a hashed form of the plaintext password. A cryptographic hash algorithm is applied when a user types in a password. The user is permitted access only if the has value generated from the user’s entry matches that stored in the system. The hash value is created by applying a cryptographic hash function to a string consisting of the submitted password. If a cryptographic hash function is well designed, it is computationally infeasible to reverse the function to recover a plaintext password.
Fortunately, the volume of people affected immediately is not large. In addition, rooting the Samsung Galaxy S3 requires some uncommon software tools. So your phone is not easily hacked as long as it is not rooted already. The problem is not difficult to fix. Given the severity of the discovery, Samsung may respond quickly and update the S-Memo app with secure password storage.