SIK-2016-027


Title:

F-Secure KEY Password Manager Insecure Credential Storage

Report ID:

SIK-2016-027

Summary:

  • Vendor: F-Secure Corporation
  • Product: F-Secure KEY Password Manager
  • Affected Version: Platform build version name 6.0-2704002, 4.2.8
  • Severity: medium
  • Short summary: The master password of this password manager is stored in plain text in the local app folder.

Details:

This vulnerability effectively renders the encryption of the password database useless. The Android app “F-Secure KEY Password manager” with version “4.2.8” stores the master password in plain text inside the file /data/data/com.fsecure.key/shared_prefs/KeyStorage.xml.
A basic outline of the file is as follows:

<map>
  <string name="user_guide">seen</string>
  <string name="master_password">masterpass</string>
</map>

The master password is written to this file regardless of whether the user chose not to save it on the device.

If an attacker gains access to the device with elevated privileges, such as root, the master password can be read directly from this file. The master password unlocks every saved password, so all stored credentials become accessible to the attacker. This situation can arise when a stolen or lost phone is exploited through a vulnerability that grants elevated privileges. Storing the master password in plain text thus defeats the whole purpose of a password manager, which is to keep the keys safe even when facing an attack.

Workaround:

Users should secure their device using a strong unlocking PIN and should never root their devices.

Suggested Mitigation:

If the user chooses to save the master password on the device to avoid typing it every time, the Android Keystore should be used to store the key.
The master password, or any value derived from it, should never be saved in plain text on the device.

Timeline:

  • 2016-08-18: Vulnerability Reported.
  • 2016-09-07: Vulnerability Fixed.