Passwords on a Phone
Almost all Android apps from major retailers store your password on the phone, which is dangerous and unnecessary. And they don't even use the Android KeyStore; they just use custom encryption schemes that generate a key in predictable ways, so passwords are easily recoverable. This is “fake encryption” – the data appears to be encrypted but in fact is not actually protected from attackers.
The Safeway app is typical: it encrypts passwords with AES, generating the key from other values that are stored on the phone. I notified Safeway of this in April, 2017, but they never fixed it.
I will present results of my tests of many top retailers, and demonstrate how to steal passwords from them. I will also list a few (very few) companies who actually protect their customers' passwords properly.
The purpose of this talk is to raise awareness of the poor quality of retail Android apps, and to encourage developers into improving their products.
- Not Interested