Android IRC apps storage review

android_crossbonesI had the hypothesis that android IRC clients didn’t store credentials securely. Lets investigate…

To decide what to look into I simply searched for “IRC” on the play store. The idea was to test as many as possible. I ended up testing the top 9, they are as follows:

AndChat – 500,000+ Downloads
AndroIRC – 1,000,000+ Downloads
Hermes – 10,000+ Downloads
HoloIRC – 10,000+ Downloads
qicr IRC – 10,000+ Downloads
Rice IRC – 10,000+ Downloads
Simple IRC – 100,000+ Downloads
Tiny Tiny IRC – 10,000+ Downloads
Yaaic – 100,000+ Downloads

These were all downloaded today (12 Feb 2017) using the tool “Racoon“.

All of these apps were found to store user credentials in plaintext, some in a sqlite database, some in XML files stored in the “shared_prefs” folder.

Lets look at the apps:

AndChat

AndChat

Credentials for this application are stored in plaintext with the owner and group having permissions to read the file.

AndroIRC

AndroIRC

Credentials for this application are stored in plaintext with the owner, group and public having permissions to read the file. This file is created with the user and group as “root”.

Hermes

Hermes

Credentials for this application are stored in plaintext with the owner and group having permissions to read the file.

HoloIRC

HoloIRC

Credentials for this application are stored in plaintext with the owner and group having permissions to read the file.

qicrIRC

qicrIRC

Credentials for this application are stored in plaintext with the owner, group and public having permissions to read the file. This file is created with the user and group as “root”.

Rice IRC

RiceIRC

Credentials for this application are stored in plaintext with the owner, group and public having permissions to read the file. This file is created with the user and group as “root”.

Simple IRC

SimpleIRC

Credentials for this application are stored in plaintext with the owner, group and public having permissions to read the file. This file is created with the user and group as “root”.

Tiny Tiny IRC

Tiny Tiny IRC

Credentials for this application are stored in plaintext with the owner and group having permissions to read the file.

Yaaic

Yaaic

Credentials for this application are stored in plaintext with the owner and group having permissions to read the file.

Conclusion

As an IRC enthusiast I was hoping at least one would encrypt my private data, however this was not found to be the case. All tested applications store user-data insecurely. The image below shows the search I performed along with the results. Being cheap I did not download the paid-for app. Any results that were not IRC clients have been removed.

Results

 

Leave a Reply