I disagree. Putting my password in base64 is NOT the most they could do....
If your phone is rooted, ANY other app with root access can access the
preferences_storage database file and voilà, it has your passwords. Also,
obviously, with 30 seconds on a file manager someone can locate the file and
pull passwords from it easily.

As for a non-rooted phone, yes, we have a permission structure standing
between my password and the world. Personally I would rather have something
more than that. All someone has to do at that point is root your stolen
phone and boom, has your passwords, or some malicious software could use
an exploit of some sort and masquerade as a system app and bam, your
passwords are stolen, or someone could say 'hey, let me borrow your phone a
sec', plug in USB, do an adb backup and yes, you guessed it, bam, has your
passwords...

Seems like the smart thing to do with someone's password that they are
trusting your application with is to..... encrypt it with a master
password? Yet after years of this feature being requested it remains to be
implemented....

Also, encrypting your entire phone through the Android option doesn't
really help with any of this much either. If your phone is rooted, the 
above remains unchanged, but with a non-rooted phone it becomes a bit more 
complicated in getting to the preferences_storage file, yet far from 
impossible as from most devices you can do an adb backup while the phone is 
on (user already entered their decryption password) and pull the data off 
that way, unencrypted.

K-9 just needs to implement mail password encryption with a master
password. I'm perplexed as to why this hasn't been done yet...

On Tuesday, November 19, 2013 at 11:40:45 PM UTC-8, dnet wrote:
>
> It depends what you consider secure. (Disclaimer: I have some commits in 
> K-9 code, but I wouldn't call myself a K-9 mail developer, and my views 
> don't represent theirs.)
>
> If you'd like to know if the K-9 mail developers did everything they can 
> to protect the passwords from other applications, the answer is yes. If 
> the OS is running, 3rd party applications would have a hard time 
> accessing your K-9 mail credentials. 
>
> However, if you'd ask whether your password is extractable if your phone 
> is stolen or lost, that's another issue. An issue that has nothing to do 
> with K-9 mail and everything to do with your setup. If your device 
> (phone, tablet, whatever) doesn't require a password at boot (not a PIN 
> for the SIM card, a real password for the OS), your storage is not 
> encrypted, thus a sufficiently skilled attacker can get any of your apps 
> data, including K-9 mail credentials. 
>
> Sure, a simple screen lock pattern can deter an everyday person from 
> getting access, and with security, you always have to start with what 
> kind of attacker you'd like to protect yourself against. If it's just 
> malicious apps that don't have last month's privilege escalation
> exploit, or the next door kid with no security knowledge, you're 
> probably OK. 
>
> Cheers, 
> András Veres-Szentkirályi
>
> On Tue, Nov 19, 2013 at 10:33:01PM -0800, [email protected] wrote:
> > Hello,
> >
> > Please, I want to know if the passwords of the accounts are securely
> > stored on the device?
> >
> > Thank you.
>
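
The contrast argued over in this thread, as an added example that is not part of either message and is not K-9 Mail's code or storage format: a base64-encoded value decodes with no secret, while a record sealed under a key derived from a master password does not open without it. The class name, record layout, iteration count and sample values are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.*;

public class MasterPasswordDemo {
    static final int ITERATIONS = 310_000; // assumed work factor; tune for the device
    static final SecureRandom RNG = new SecureRandom();

    // Derive a 256-bit AES key from the master password and a per-record salt.
    static SecretKeySpec deriveKey(char[] master, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(master, salt, ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(key, "AES");
    }

    // Assumed stored form: base64(salt[16] || nonce[12] || ciphertext with 16-byte GCM tag).
    static String seal(char[] master, String mailPassword) throws Exception {
        byte[] salt = new byte[16], nonce = new byte[12];
        RNG.nextBytes(salt);
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(master, salt), new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(mailPassword.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(salt, 28 + ct.length); // salt first, rest zero-filled
        System.arraycopy(nonce, 0, out, 16, 12);
        System.arraycopy(ct, 0, out, 28, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Throws AEADBadTagException if the master password is wrong or the record was altered.
    static String open(char[] master, String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(master, Arrays.copyOf(in, 16)), new GCMParameterSpec(128, in, 16, 12));
        return new String(c.doFinal(in, 28, in.length - 28), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        String secret = "constructed-mail-password"; // constructed sample value
        String encoded = Base64.getEncoder().encodeToString(secret.getBytes(StandardCharsets.UTF_8));
        System.out.println("base64 only:  " + new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8));
        String sealed = seal("constructed master".toCharArray(), secret);
        System.out.println("right master: " + open("constructed master".toCharArray(), sealed));
        try { open("wrong master".toCharArray(), sealed); }
        catch (AEADBadTagException e) { System.out.println("wrong master: rejected"); }
    }
}
```

A file copied off the device, whether by a root-level reader or through a backup, then holds only the salt, nonce and ciphertext; the protection is as strong as the master password and the key-derivation cost.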
