security


nomad...@gmail.com

Nov 20, 2013, 1:33:01 AM11/20/13
to k-9-...@googlegroups.com
Hello,

Please, I want to know if the passwords of the accounts are securely stored on the device?

Thank you.

Veres-Szentkiralyi Andras

Nov 20, 2013, 2:40:45 AM11/20/13
to k-9-...@googlegroups.com
It depends what you consider secure. (Disclaimer: I have some commits in K-9 code, but I wouldn't call myself a K-9 Mail developer, and my views don't represent theirs.)

If you'd like to know if the K-9 Mail developers did everything they can to protect the passwords from other applications, the answer is yes. If the OS is running, 3rd party applications would have a hard time accessing your K-9 Mail credentials.

However, if you'd ask whether your password is extractable if your phone is stolen or lost, that's another issue. An issue that has nothing to do with K-9 Mail and everything to do with your setup. If your device (phone, tablet, whatever) doesn't require a password at boot (not a PIN for the SIM card, a real password for the OS), your storage is not encrypted, thus a sufficiently skilled attacker can get any of your apps' data, including K-9 Mail credentials.

Sure, a simple screen lock pattern can deter an everyday person from getting access, and with security, you always have to start with what kind of attacker you'd like to protect yourself against. If it's just malicious apps that don't have last month's privilege escalation exploit, or the next door kid with no security knowledge, you're probably OK.

Cheers,
András Veres-Szentkirályi

nomad...@gmail.com

Nov 20, 2013, 3:40:52 AM11/20/13
to k-9-...@googlegroups.com
Thank you dnet...
Yes, my question is about protecting the passwords (and login) from other software.

Peter

Nov 24, 2013, 5:50:57 AM11/24/13
to K-9 Mail Forum
I have just tried to download and install the latest version of K-9 4.801 and I get an error ("there is a problem parsing the package") when I try to install it. Has anyone else experienced the same issue, and is there a simple solution or reason I am getting this?

I have also noticed that the size is a lot smaller (3.2 MB) than the previous install package (3.9 MB). Could it be that the file on the server is corrupted? Although there have been quite a few thousand downloads, so that is unlikely unless nobody else has reported it!

Peter

--
Sent from my Android tablet, with K-9 Mail. Please excuse my brevity.

Voytek

Nov 24, 2013, 5:55:16 AM11/24/13
to k-9-...@googlegroups.com

Yes, I struck the same a few days ago; tried downloading again, again got the same error.

Sent from Kaiten Mail. Please excuse my brevity.

Philip

Nov 24, 2013, 6:38:48 AM11/24/13
to k-9-...@googlegroups.com, Voytek
Are you both running KitKat? I believe that the 800 series releases will not run on earlier versions of Android.
regards
Philip

Sent from my Android phone with K-9 Mail.

Voytek

Nov 24, 2013, 8:29:14 AM11/24/13
to k-9-...@googlegroups.com

Nope, that might explain it. I have 4.3?, Nexus 7.

Jesse Vincent

Nov 24, 2013, 10:25:59 AM11/24/13
to k-9-mail

We have a couple of tweaks before 4.8 is ready for earlier releases. I've been mostly offline for two weeks, but hope to get to them this week.

--
--
You received this message because you are subscribed to the K-9 Mail Users List.
To post to this group, send email to k-9-...@googlegroups.com
To unsubscribe, email k-9-mail+u...@googlegroups.com
To report an issue with K-9 Mail, visit http://code.google.com/p/k9mail/issues/list
For more options, visit this group at http://groups.google.com/group/k-9-mail
 
---
You received this message because you are subscribed to the Google Groups "K-9 Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to k-9-mail+u...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Peter

Nov 24, 2013, 1:06:25 PM11/24/13
to k-9-...@googlegroups.com, Jesse Vincent
Sadly not, I am running 4.2 and 4.1.2 on both of my devices.
Peter

---------------
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Voytek

Nov 26, 2013, 6:29:00 PM11/26/13
to k-9-...@googlegroups.com

FWIW, Nexus 7 got the kitties this morning. KitKat?
FWIW, series 8xxx self-installed shortly thereafter, 4.801.

All's good

Sent from Kaiten Mail. Please excuse my brevity.

Peter

Nov 28, 2013, 3:37:48 AM11/28/13
to k-9-...@googlegroups.com, Voytek
Is it to be generally accepted that 4.8xx versions will never work on pre-KitKat Android devices, or is there a plan for the developers to overcome whatever the issues are?
Peter

--
Sent from my Android tablet, with K-9 Mail. Please excuse my brevity.

Jesse Vincent

Nov 28, 2013, 6:50:43 PM11/28/13
to k-9-mail, Voytek


On Nov 28, 2013 3:37 AM, "Peter" <pe...@moatfarm-cp.co.uk> wrote:
>
> Is it to be generally accepted that 4.8xx versions will never work on pre-kitkat Android devices or is there a plan for the developers to overcome whatever the issues are?
>

Just haven't had time to deal yet. Happy to take patches.

notlisted notlisted

Sep 3, 2015, 7:33:55 PM9/3/15
to K-9 Mail
I disagree. Putting my password in base64 is NOT the most they could do... If your phone is rooted, ANY other app with root access can access the preferences_storage database file and voilà, it has your passwords. Also, obviously, in 30 seconds with a file manager someone can locate the file and pull passwords from it easily.

As for a non-rooted phone, yes, we have the permission structure standing between my password and the world. Personally I would rather have something more than that. All someone has to do at that point is root your stolen phone and boom, they have your passwords; or some malicious software could use an exploit of some sort and masquerade as a system app and bam, your passwords are stolen; or someone could say "hey, let me borrow your phone a sec", plug in USB, do an adb backup and, yes, you guessed it, bam, they have your passwords...

Seems like the smart thing to do with someone's password that they are trusting your application with is to... encrypt it with a master password? Yet after years of this feature being requested, it has still not been implemented...

Also, encrypting your entire phone through the Android option doesn't really help with any of this much either. If your phone is rooted, the above remains unchanged, but with a non-rooted phone it becomes a bit more complicated to get to the preferences_storage file, yet far from impossible, as on most devices you can do an adb backup while the phone is on (the user has already entered their decryption password) and pull the data off that way, unencrypted.

K-9 just needs to implement mail password encryption with a master password. I'm perplexed as to why this hasn't been done yet...

cketti

Sep 4, 2015, 8:21:56 AM9/4/15
to k-9-...@googlegroups.com
The following scenarios are not covered by Android's or K-9 Mail's security model:
- protecting against apps with root access
- protecting against local attackers when the phone is unlocked

So yes, if you grant root access to an app, it will be able to read your passwords stored by K-9 Mail. If someone gets access to your phone while it's unlocked, they can read your mail and, with some effort, get your passwords.
A master password might make it a bit more difficult for attackers, but it doesn't protect you either. If an app has root, it can simply modify K-9 Mail's code to send out the decrypted passwords once the user has entered the master password. A master password might protect you in the situation when someone has access to your phone while it is unlocked but K-9 Mail is locked. To me that tiny bit of added security doesn't warrant the effort of implementing encrypted passwords. That being said, K-9 Mail is an open source app and we welcome contributions.

-cketti

notlisted notlisted

Sep 4, 2015, 12:33:21 PM9/4/15
to K-9 Mail
Cketti,

Thanks for your reply, those are some valid points you made. My main concern over all of this is that there are a large number of people that use K-9 Mail on a rooted phone who (like me for the last year) don't realize the security vulnerability of using this mail app. Bottom line: with someone's rooted phone in my hand and K-9 Mail installed, probably 2 min tops in a file manager and I have their email passwords. Same goes for any app with root access.

If, on the other hand, you are using an app such as r2mail2, which encrypts passwords via Android's keystore system and briefly decrypts / re-encrypts as communication with the mail server is needed, this is simply nowhere near the same level of risk. The attack vector becomes greatly complicated, as Android's keystore utilizes kernel-level hardware trust zones which limit which apps have access to which encrypted information. Of course

Or, the way email security is going these days, using an OAuth system where tokens are stored on the phone for logins and are completely worthless to attackers unless they are signing in via that device, and even then they are limited to that one email account such as, say, Gmail, rather than having a password for an entire Google account.

There is no such thing as perfect security. If someone wants your passwords bad enough, they will get them. Our job as users and hopefully the job of app developers is to exponentially increase the effort it takes to steal information. Sure, someone could throw a rock through my sliding door to get in my house, but I cut dowels and place them in the tracks to decrease the number of potential attack vectors.

I would love to lend a hand if I knew more about coding, but I'm not a programmer :(

I agree that simply having a master password to prevent access into K-9 is only a tiny bit of security (probably a huge leap forward in privacy, however), but encrypting passwords through at least a somewhat secure keystore-type method should be a priority for this app right now.

This doesn't just affect rooted users, as any phone can become rooted and there are exploits that can subvert Android's root-based security model anyway. K-9's mail server passwords should NOT be stored in plain text. I believe the vast majority of users agree with me on this.

Actually, the first priority for k-9 at this point should be a warning that pops up prior to mail server passwords being entered that highlights the security risk they are about to embark on. Priority #2 should be fixing this obvious security hole.