Where are passwords stored in Android? Where to store passwords on iOS and Android: my own experience

Hello Habr! I am a young developer specializing in Android development and information security. Not long ago I wondered: how does Google Chrome store saved user passwords? After analyzing information from the web and the files of Chrome itself (this article was especially informative), I discovered certain similarities and differences in how password saving is implemented on different platforms, and for demonstration I wrote applications for retrieving passwords from the Android version of the browser.

How does it work?

As we know from various online publications on this topic, Google Chrome on PC stores the passwords of its users in the following directory:
"C:\Users\SomeUser\AppData\Local\Google\Chrome\User Data\Default\" in the file "Login Data".

This file is a SQLite database, and it is quite possible to open and view it. In the table logins we can see the following fields of interest to us: origin_url (website address), username_value (login), password_value (password). The password is represented as a byte array and is encrypted using a machine key that is individual for each system. You can learn more from this article. Thus, there is some kind of protection in the Windows client.

Android

But since I’m more into Android, my attention was drawn to the Android browser client.

Having “picked open” the Google Chrome package (com.android.chrome), I found that its structure is very similar to the structure of the PC client, and it was not difficult to find exactly the same database responsible for storing user passwords. The full path to the database is as follows: "/data/data/com.android.chrome/app_chrome/Default/Login Data". In general, this database is very similar to its “big sister” from the PC version, with only one, but very significant, difference: passwords are stored here in clear text. The question arises: is it possible to programmatically extract passwords from the database? The answer turned out to be quite obvious: yes, if your application has root rights.
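A defender-side check for the storage difference described above, added here as an example (not code from the original article): it classifies each password_value in a logins table as plaintext, DPAPI-protected or otherwise opaque, and reports only counts and affected sites, never the secrets. The in-memory database and its rows are constructed sample data, and the DPAPI header constant comes from outside the article.

```python
import sqlite3

# Leading bytes of a Windows DPAPI blob: version 1 followed by the provider GUID.
# (Not from the article; used to recognise values protected with the machine key.)
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def classify(value):
    """Return 'empty', 'dpapi', 'plaintext' or 'opaque' for one password_value."""
    if value is None:
        return "empty"
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    if not raw:
        return "empty"
    if raw.startswith(DPAPI_HEADER):
        return "dpapi"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque"          # not valid text: encrypted or otherwise encoded
    # Heuristic: a value that decodes to printable text is treated as clear text.
    return "plaintext" if text.isprintable() else "opaque"


def audit_logins(conn):
    """Count logins rows per storage class and list sites whose value is clear text."""
    counts = {"empty": 0, "dpapi": 0, "plaintext": 0, "opaque": 0}
    exposed = []
    query = "SELECT origin_url, password_value FROM logins"
    for url, value in conn.execute(query):
        kind = classify(value)
        counts[kind] += 1
        if kind == "plaintext":
            exposed.append(url)  # the site only; the value itself is never returned
    return counts, sorted(exposed)


def build_sample_db():
    """Constructed sample with the column names the article lists."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)"
    )
    rows = [
        ("https://a.example/", "alice", b"constructed-sample-1"),
        ("https://b.example/", "bob", DPAPI_HEADER + bytes(range(32))),
        ("https://c.example/", "carol", bytes([0x9F, 0x00, 0xFF, 0x13, 0x80, 0xFE])),
        ("https://d.example/", "dave", b""),
    ]
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    counts, exposed = audit_logins(build_sample_db())
    print(counts)
    print("clear-text entries for:", exposed)
```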

Implementation

For greater clarity, it was decided to make our own tool for retrieving passwords from the browser database.

In a nutshell, it works like this:

  • Gets root.
  • Copies the Chrome database to its own directory.
  • Using chmod, gains access to the copy of the database.
  • Opens the database and retrieves information about logins and passwords.

The application was posted on Google Play.

Conclusion

As a conclusion from the work done, we can say that if you have root rights, pulling the password database out of the browser and sending it to your server is a completely solvable task, and this fact should make you think about whether you should trust any application with superuser rights.

I hope this article was informative. Thank you for your attention!

I was digging around on the Internet on my own business and came across some very interesting statements in a search. They say that on devices running Android, passwords are stored in the database in clear text. Fantastic. Are Google programmers really that stupid? But home-grown hackers, as always, are at their best :-). It would seem that everything is so simple: copy the file /data/system/accounts.db or /data/system/users/0 (depending on the version of Android) from the phone, open it with a SQLite browser, and there they are, passwords on a silver platter! Use them. So who has actually read the passwords? Huh? I will not describe the authentication process in detail; it would be boring. So, when you register your device with your Google account, you go through the standard authentication procedure, that is, you enter your email and password. After this, the device sends its name, model and IMEI to the server and receives an auth token (authorization token) valid only for this device. That is what is stored in accounts.db.

And almost all modern services use this type of authorization. Therefore, if you have forgotten the password for your Google account, looking for it on your phone is completely useless. Try the standard account password recovery tool. To see which devices are connected to your account (provided you have a password), go to your Google account - settings - account - personal account and you will see your device. By the way, you can try to search for it if the device is connected to the Internet.

Sorry, I called my phone a sock, it just gets lost from time to time :-). So, if your device is stolen or you lose it, you can disable it in your account.

After this, the auth token will be invalid and it will be impossible to connect to this account from this device. But the data on the device, mail and other things, can be read if it was not encrypted. In your account, you can also remotely erase data from your device: when you press this button, the data will be deleted the first time the device connects to the Internet. That is, unless someone reads it beforehand without going online. It is advisable, of course, to encrypt the data on the device, but this is a completely different topic. In general, Google recommends two-factor authentication. Storing passwords is required for the email protocols POP3, IMAP, SMTP and Exchange ActiveSync, all of which require you to provide a password every time you connect to the server. Even then they are encrypted, although not very strongly. And passwords were stored in clear text only at the dawn of the development of the Internet :-).
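A simplified model of the token flow described above, added here as an example (not the article's code and not Google's actual protocol): the password is checked once at login, the device keeps only a random token bound to its identifier, and disabling the device on the server makes that stored token useless. AuthServer, the device identifiers and the account are hypothetical.

```python
import hashlib
import hmac
import secrets


class AuthServer:
    """Hypothetical server: stores password hashes and hashes of issued tokens."""

    def __init__(self):
        self._accounts = {}  # account -> (salt, PBKDF2 hash of the password)
        self._tokens = {}    # SHA-256(token) -> (account, device_id)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, account, password):
        salt = secrets.token_bytes(16)
        self._accounts[account] = (salt, self._hash(password, salt))

    def login(self, account, password, device_id):
        """Check the password once; hand back only a random per-device token."""
        record = self._accounts.get(account)
        if record is None:
            return None
        salt, expected = record
        if not hmac.compare_digest(self._hash(password, salt), expected):
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self._tokens[key] = (account, device_id)
        return token

    def whoami(self, token, device_id):
        """Accept a token only from the device it was issued to."""
        entry = self._tokens.get(hashlib.sha256(token.encode()).digest())
        if entry is None or entry[1] != device_id:
            return None
        return entry[0]

    def disable_device(self, account, device_id):
        """'Disable the device in your account': forget every token issued to it."""
        self._tokens = {
            k: v for k, v in self._tokens.items() if v != (account, device_id)
        }


def demo():
    password = "constructed-password"  # constructed sample value
    server = AuthServer()
    server.register("user@example.com", password)

    # Stands in for the on-device account database: it holds the token only.
    device_store = {"authtoken": server.login("user@example.com", password, "phone-1")}

    before = server.whoami(device_store["authtoken"], "phone-1")
    other_device = server.whoami(device_store["authtoken"], "phone-2")
    server.disable_device("user@example.com", "phone-1")
    after = server.whoami(device_store["authtoken"], "phone-1")
    password_on_device = password in device_store.values()
    return before, other_device, after, password_on_device


if __name__ == "__main__":
    print(demo())
```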

I've been using the amazing password storage service LastPass for years and find it to be the best of its kind. However, for the Android platform, this service only offers a paid option, which is not suitable for everyone. Therefore, in this article we will look at how to extract your passwords from LastPass, transfer them to Android and organize their secure storage and convenient use.

1. Export passwords from LastPass

Retrieving your passwords from this service is very simple, the process only takes a few clicks. To do this, you need to go to the service’s web interface and select “Export” in the main menu. After this, you need to specify the file name and location to save it on your computer.

2. Convert LastPass passwords to KeePass passwords

To work with passwords on a mobile device, we will use the KeePass program. It has clients for almost all platforms, has proven itself in terms of security, and is convenient and free. But before you transfer your passwords to your mobile device, you need to convert them into a form that this program can understand. This feature exists in the desktop version of KeePass.

Install KeePass on your computer and create a new password database using one of your Dropbox folders as the location. Then import your LastPass password file into the password database you created.

3. Keepass2Android

Once your passwords are in a form KeePass can understand, you can transfer them directly to your mobile device. To do this, it is best to use the Keepass2Android mobile client, which can synchronize your password database via Dropbox. Install this program, and then open the password database you created earlier.

4. Automatically fill passwords

One of the most convenient features of LastPass is the ability to automatically fill in credentials on saved sites. Keepass2Android also has a similar function, although it is implemented a little differently. The program has a special keyboard with which passwords are entered. This happens as follows.

  1. You open the login page in your browser (almost all Android browsers are supported).
  2. Using the “Send” menu, you forward this page to Keepass2Android. The program finds a password suitable for this page in its database.
  3. Then you are prompted to select a keyboard. Select the Keepass2Android option.
  4. A special keyboard appears, on which, using special keys, you can enter your login and password for the open page in the required fields in one click.

Now you will have on your mobile gadget a well-protected and synchronized database containing all your passwords. In addition, we get the opportunity to conveniently enter passwords using a special keyboard, which allows you to very quickly and conveniently log into the sites you need.

Surely each of us is registered on some social network, or at least has an email account. And each of us should understand that simple passwords are easy to guess and should be abandoned. But, unfortunately, not everyone follows this, and people may simply be careless when choosing a password, setting deliberately unreliable ones like "123456" or the very common "qwerty". Yes, such passwords are easy to remember, but if they protect your personal information, then most likely you will have to say goodbye to it soon. As for the services that store our passwords, they were born a very long time ago, but mobile versions appeared not so long ago.

So, today’s review of the most popular applications for storing passwords includes: mSecure Password Manager, RoboForm, KeePassDroid, LastPass, 1Password Reader and Safebox.

mSecure Password Manager

  • Category: Job
  • Developer: mSeven Software LLC
  • Version: 3.5.3
  • Price: 10$ – Google Play

mSecure Password Manager is an application that differs from the others in this review in that it has simply enormous functionality and the most structured interface (it is convenient to view not only on a smartphone, but also on a tablet).

If this is the first time you have launched this application, you will be prompted to enter a password and remember it. By setting a password for the application, you thereby protect your data, which you can later add and set separate passwords for. A distinctive feature of this application is the presence of several methods for creating backup copies of data and the ability to synchronize with both mobile devices and personal computers. If desired, a copy of the data can be sent to you by email, saved to a memory card, or even uploaded to cloud storage Dropbox.

It’s worth saying a few words about encryption methods, because it is thanks to 256-bit encryption using the Blowfish algorithm that your data is well protected. As already mentioned, the application has a very convenient and well-structured interface that allows you to easily add files or find the information you need. In addition, for each file you can assign one of the 200 available icons.

The application is distributed on a paid basis and can be purchased on Google Play at a price of $10. The price, in my opinion, is too high, especially since the desktop version for Windows costs even more: about $20.

Pros:

  • Convenient application interface;
  • 256-bit data encryption;
  • Several ways to create data backups;
  • Fast and stable operation of the application.

Cons:

  • High price.

RoboForm

  • Category: Personalization
  • Developer: Siber Systems Inc
  • Version: 4.04
  • Price: Free - Google Play

RoboForm is a very old service designed to store the most confidential data. This service was released so long ago that it managed to become popular on such operating systems as Palm OS and Windows Mobile, but the developers did not stop there and released a version for both iOS and Android.

As for the available functionality, everything is standard: the ability to store passwords, divide information into different categories, automatically generate passwords, and, of course, synchronization with well-known cloud storages (this function is automatically performed the first time you launch the application on a mobile device).

For fuller use on the web, the application prompts the user to install the necessary extensions for such popular browsers as Firefox and Dolphin, without which you can only create password-protected notes.

This service is best used in constant synchronization with the desktop version of the program. And the most important point is the fact that you can do this for free. The RoboForm application for Android can be downloaded from Google Play absolutely free of charge.

Pros:

  • The service is absolutely free;
  • Convenient extensions for mobile browsers;
  • Good functionality.

Cons:

  • Lack of Russian language;
  • Not the most user-friendly interface.

KeePassDroid

  • Category: Tools
  • Developer: Brian Pellin
  • Version: 1.99.11
  • Price: Free - Google Play

KeePassDroid is another password manager whose functionality can be tried absolutely free, and the application's source code can be used by any user. This is a huge plus, and we thank the author of the application for this opportunity.

The app's features are quite classic. The first launch involves creating a key file in which all information about accounts and passwords will be stored. All passwords are encrypted using the AES encryption algorithm.

Despite its convenient and simple interface, the application can easily group entries. This feature allows you to store data from multiple services in one application. In addition, the application can easily copy your login and password in just one click. After the data has been copied, you will see a notification in the status bar indicating the successful completion of the data transfer.

Another useful function in the application is the ability to create an automatic password, in which you need to specify which characters will be included in the password, its length, the presence of special characters and other parameters.

It is precisely because it is free and freely distributed that KeePassDroid has several third-party clients for personal computers running Windows, Mac and Linux.

Pros:

  • Absolutely free and free to distribute;
  • Simple and convenient interface;
  • Automatic password generation;
  • There are desktop versions of the program for a variety of operating systems.

Cons:

  • Outdated interface;
  • There is no ability to work with browsers.

LastPass

  • Category: Job
  • Developer: LastPass
  • Version: 3.2.18
  • Price: Free - Google Play

LastPass is one of the most convenient cloud managers for storing passwords. This service boasts a huge number of plugins for most popular browsers, including mobile ones. This manager can easily fill in your login and password on any website.

For the most part, the application's full functionality is available in the most popular mobile browser, Dolphin, for which several plugins have been created to make working with the service easier.

Almost all the main functions of the browser can be used absolutely free. I would like to note that this application can be installed on such OSes as Windows Phone, BlackBerry, Symbian, Windows Mobile and even WebOS.

The LastPass application for Android can be downloaded absolutely free, but if you need to use the existing plugins, you need to buy a subscription for 1 dollar per month or 12 per year of use.

Pros:

  • User-friendly interface;
  • Availability of Russian language;
  • Storing all passwords in the cloud;
  • Synchronization with desktop version.

Cons:

  • The mobile plugin is available only for money;
  • Limited functionality of the application compared with its main competitors.

1Password Reader

  • Category: Job
  • Developer: AgileBits Inc
  • Version: #1.8.5.2
  • Price: Free - Google Play

1Password: if anyone doesn’t know, this application was at one time the most popular of all on the iOS platform. The developers quickly created an application for Android, but for unknown reasons its functionality was considerably reduced compared with the iOS version.

The application, which can be downloaded for free from Google Play, gives you easy access to information that has been added using a PC. We can use this data for our own purposes, but unfortunately, we do not have the ability to add new entries from a mobile device.

The application's interface is truly modest. But this application remains the only one that can easily work with the desktop version of the program 1Password.

Pros:

  • Full synchronization with the desktop version of the program.

Cons:

  • There is no ability to add new files;
  • Inconvenient and low-functional interface.

Safebox

  • Category: Tools
  • Developer: Alexey Zholdak
  • Version: 1.22.9
  • Price: Free - Google Play
  • Pro version - Google Play

Bottom line:

Of all the above managers for storing passwords, I would like to single out the very first one, mSecure Password Manager. I liked its design more, and in terms of functionality it seemed the most practical. Yes, it is more expensive than all the other programs presented in the review, but when it comes to confidential data, you can’t skimp on trifles. In any case, the choice will always be yours, dear users.

An active Internet user is forced to enter a huge number of passwords - from social networks, email accounts, online stores, online games. For security purposes, it is recommended to come up with an original password for each new registration, because otherwise an attacker, having gained illegal access to one account, will be able to easily hack others. It’s difficult to remember a lot of different logins and passwords, and writing them down in a notepad is unsafe, so the best option to relieve memory is to use special programs for storing passwords. It is enough to remember just one master password to gain access to all the others.

Price: Free

LastPass is a well-known cloud service for storing passwords, developed by the company of the same name and available on computer operating systems Linux, Windows, OS X, in the Google Play, AppStore, Microsoft Store application stores, as well as in the form of plugins for major browsers, for example, Mozilla Firefox and Google Chrome. This program not only remembers identification data, but also manages it: helps the owner generate a new password, changes data if it notices a hacking attempt, analyzes the complexity and strength of passwords, and makes sure that passwords from two different accounts are not the same.

The key advantages of the LastPass password manager include the following:

  1. Two-factor authentication. Most sites only require you to enter a login and password; this is called one-factor authentication. Two-factor authentication requests additional data from the user (for example, a PIN, phone number or fingerprints), which is a guarantee of increased security. Well-known portals such as Twitter, Amazon and Facebook, and more recently LastPass, have switched to two-factor authentication. Additional password protection is provided by Google Authenticator and YubiKey.
  2. Full and high-quality Russification.
  3. Wide functionality. After the LastPass interface was updated in 2014, the service was supplemented with a number of useful additional functions. Now, using the application, the user can store documents, use tools for auto-filling online store forms, and monitor changes in credit history.

LastPass is considered a free password manager; however, to use the mobile versions you need to purchase a premium account, which costs $12.

1Password

Price: Free +

Users of 1Password note its ease of use and its very friendly and pleasant interface as important advantages of the program. However, the advantages of 1Password, a program for remembering passwords entered on a computer, do not end there. There are others:

  1. Cross-platform. The program works on Windows, Mac OS, Android, iOS, and is also built into the most popular browsers like Opera and Firefox. However, such broad integration is more the norm for password managers than a distinctive feature.
  2. Synchronization. Through Dropbox and iCloud you can open access to your password storage to other users.
  3. Reliability. The database is protected by the AES-128 cipher, adopted as a standard by the US Government. Data leakage is prevented by a built-in keylogger, a device that records user actions.
  4. Password generation. If it is necessary to create a new password, the password generator does not simply produce a random set of numbers and letters, but generates a combination that matches the parameters previously specified by the user. Such parameters are the number of characters, the presence of numbers, and even the pronounceability of the combination.
  5. Possibility of security audit. The program will check the database for duplicate and weak passwords.

1Password has the highest rating among its analogues in the AppStore (4 stars out of 5); however, this software is not without its shortcomings. 1Password is quite expensive: iPhone owners will have to part with 5 thousand rubles to install the full version. However, even after paying this money, the user will not be able to edit the database on a mobile device.

Dashlane

Price: Free

The password manager Dashlane, released in 2012, immediately gained worldwide popularity thanks to its simple, high-quality interface, high security and the ability to automatically fill out forms on web pages. By 2016, several updates had occurred, and the program had acquired additional functions. How is Dashlane different?

  1. Two-factor authentication: a sign of the developers’ attentive attitude to the reliability of their brainchild.
  2. Purchase tracking and integration with electronic wallets simplify the process of shopping through online stores.
  3. Availability for any device. This program for saving passwords entered on a computer works with both desktop and mobile operating systems, and even has a plugin for Internet Explorer. Cloud synchronization of multiple devices on different platforms is possible, but only when purchasing the Pro version.

The basic functions of the Dashlane application are available for free; the full version will cost almost $40 per year. Despite this cost, the application has not yet been Russified, and this is the main reason why Dashlane is not as popular among domestic users as, say, LastPass.

RoboForm

Price: Free +

RoboForm is a “pioneer” and “long-liver” among password managers. Development of this program began back in 1999, yet to this day the application continues to improve and gain functionality. Those who believe that using RoboForm now, with so many worthy competitors around, is a sign of unhealthy conservatism are mistaken, because the program really can offer the user many unique advantages:

  1. Versatility. The fact that the password manager works with all major current operating systems will not surprise anyone. However, how many programs do you know that are supported on Symbian, Palm OS, BlackBerry OS and even Windows 2003? RoboForm is one of them.
  2. Mobility. RoboForm does not have to be installed on your computer or gadget in order to use it: thanks to the RoboForm2Go function, the program can be installed on a flash drive and run on public computers.
  3. Reliability. The RoboForm database is encrypted using the AES-256 standard, which is traditionally used in banking.
  4. Ability to create multiple profiles. One program can be used by different people, with individual information stored in each password-protected profile. This allows you to save money and purchase a paid version of the application jointly.

The manager can be downloaded for free, but then you won’t be able to store more than 10 logins/passwords. To store an unlimited amount of data, as well as for cloud synchronization, you will need the RoboForm Everywhere version, which costs about $20 per year.
