Hi Pandit,
Here are the answers inline,
> 1) Does AccountManager store account information and in
> particular credentials in a plain text or it encrypts the information
> in the storage?
[SK]No. AccountManager has no security currently. It stores
credentials simply in plaintext.
>
> 2) What kind of credentials are stored in the credential
> storage (under setting there is a setting for setting up password for
> this storage)?
[SK]Your account credentials, gmail/exchange etc.
>
> 3) How does the password is used to protect the credential
> storage (uses to derive key and encrypt the storage or ...) ?
Credential storage is totally different thing. It is based on master
key encryption and used mainly to secure certificates.
> 4) Does AccountManager's storage uses the credential storage
> with the password protected?
No.
On Dec 13, 10:53 pm, Chris Palmer <[email protected]> wrote:
> Well, it is an open source operating system. Let's find out.
>
> ~/android/frameworks ; find . -iname '*account*manager*'
> ./base/docs/html/sdk/api_diff/8/changes/android.accounts.AccountManager.html
> ./base/core/java/android/accounts/IAccountManager.aidl
> ./base/core/java/android/accounts/IAccountManagerResponse.aidl
> ./base/core/java/android/accounts/AccountManagerCallback.java
> ./base/core/java/android/accounts/AccountManagerResponse.java
> ./base/core/java/android/accounts/AccountManager.java
> ./base/core/java/android/accounts/AccountManagerService.java
> ./base/core/java/android/accounts/AccountManagerFuture.java
> ./base/core/tests/coretests/src/android/accounts/AccountManagerServiceTest.java
>
> Surely, the Service provides the backend?
>
> ~/android/frameworks ; vim -R
> base/core/java/android/accounts/AccountManagerService.java
>
> ... Yep. Check out the method addAccount, which calls
> insertAccountIntoDatabase.
>
> Well, maybe there is more to the story. I've only spent 4 minutes
> looking into this. But this is suggestive:
>
> ~/android/frameworks/base/core/java/android/accounts ; grep -i crypt *
> ~/android/frameworks/base/core/java/android/accounts ;
>
> Let us know what you find...
>
> On Fri, Dec 10, 2010 at 4:53 AM, Pandit <[email protected]> wrote:
> > Hello,
>
> > I hope to get some clarification about AccountManager's storage
> > and credential storage.
>
> > 1) Does AccountManager store account information and in
> > particular credentials in a plain text or it encrypts the information
> > in the storage?
>
> > 2) What kind of credentials are stored in the credential
> > storage (under setting there is a setting for setting up password for
> > this storage)?
>
> > 3) How does the password is used to protect the credential
> > storage (uses to derive key and encrypt the storage or ...) ?
>
> > 4) Does AccountManager's storage uses the credential storage
> > with the password protected?
>
> > Thank you,
> > - Pandit
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Android Security Discussions" group.
> > To post to this group, send email to
> > [email protected].
> > To unsubscribe from this group, send email to
> > [email protected].
> > For more options, visit this group
> > athttp://groups.google.com/group/android-security-discuss?hl=en.
--
You received this message because you are subscribed to the Google Groups
"Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/android-security-discuss?hl=en.
