Android : AccountManager usage
Classification
OWASP Mobile Top 10 2014
OWASP Mobile Top 10 2016
PCI DSS 4.0
Overview
The AccountManager class is used to store user credentials, which can lead to loss of confidentiality.
The standard AccountManager class provides the ability to store user account data centrally. The account data is stored unencrypted in a database. The operating system provides a mechanism that limits access to this database based on the application ID (UID): data can be accessed only by the application that put it into the AccountManager database.
However, on devices with unauthorized privileged access (root), an attacker can easily bypass the protection mechanism.
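The flagged pattern next to one hardened form, as an added example (not DerScanner's code or remediation text): the secret is encrypted with an Android Keystore key before it reaches AccountManager, so a copy of the account database holds only ciphertext. The class name, account type and key alias are hypothetical, and API level 23 or later is assumed.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class AccountStore {  // hypothetical class name
    private static final String ACCOUNT_TYPE = "com.example.app";   // hypothetical
    private static final String KEY_ALIAS = "account_secret_key";   // hypothetical

    // Flagged pattern: the password is written to the AccountManager database as-is.
    static boolean addPlain(Context ctx, String user, String password) {
        return AccountManager.get(ctx)
                .addAccountExplicitly(new Account(user, ACCOUNT_TYPE), password, null);
    }

    // Hardened form: only "base64(iv):base64(ciphertext)" is handed to AccountManager.
    static boolean addEncrypted(Context ctx, String user, String secret) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey());  // Keystore picks a fresh IV
        byte[] ct = cipher.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        String blob = Base64.encodeToString(cipher.getIV(), Base64.NO_WRAP) + ":"
                + Base64.encodeToString(ct, Base64.NO_WRAP);
        return AccountManager.get(ctx)
                .addAccountExplicitly(new Account(user, ACCOUNT_TYPE), blob, null);
    }

    // Loads the AES key from Android Keystore, generating it on first use.
    private static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) return (SecretKey) ks.getKey(KEY_ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
        return kg.generateKey();
    }
}
```

Reading the secret back reverses the steps: `getPassword`, split on `:`, then decrypt with a `GCMParameterSpec` built from the stored IV. An attacker with root on the device may still be able to use the key there, but a copied account database alone no longer reveals the secret.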
DerScanner Severity Score: MEDIUM
