I had the hypothesis that Android IRC clients didn’t store credentials securely. Let’s investigate…
To decide what to look into I simply searched for “IRC” on the Play Store. The idea was to test as many as possible. I ended up testing the top 9; they are as follows:
AndChat – 500,000+ Downloads
AndroIRC – 1,000,000+ Downloads
Hermes – 10,000+ Downloads
HoloIRC – 10,000+ Downloads
qicr IRC – 10,000+ Downloads
Rice IRC – 10,000+ Downloads
Simple IRC – 100,000+ Downloads
Tiny Tiny IRC – 10,000+ Downloads
Yaaic – 100,000+ Downloads
These were all downloaded today (12 Feb 2017) using the tool “Raccoon”.
All of these apps were found to store user credentials in plaintext, some in an SQLite database, some in XML files stored in the “shared_prefs” folder.
Let’s look at the apps:
AndChat
Credentials for this application are stored in plaintext with the owner and group having permissions to read the file.
AndroIRC
Credentials for this application are stored in plaintext with the owner, group and public having permissions to read the file. This file is created with the user and group as “root”.
Hermes
Credentials for this application are stored in plaintext with the owner and group having permissions to read the file.
HoloIRC
Credentials for this application are stored in plaintext with the owner and group having permissions to read the file.
qicrIRC
Credentials for this application are stored in plaintext with the owner, group and public having permissions to read the file. This file is created with the user and group as “root”.
Rice IRC
Credentials for this application are stored in plaintext with the owner, group and public having permissions to read the file. This file is created with the user and group as “root”.
Simple IRC
Credentials for this application are stored in plaintext with the owner, group and public having permissions to read the file. This file is created with the user and group as “root”.
Tiny Tiny IRC
Credentials for this application are stored in plaintext with the owner and group having permissions to read the file.
Yaaic
Credentials for this application are stored in plaintext with the owner and group having permissions to read the file.
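The two things reported for each app above, plaintext credentials in “shared_prefs” XML or SQLite and read bits granted beyond the owner, can be checked on a copy of an app's data directory with the script below, which is an added example and not part of the original post or of any tested app. It assumes the copy preserves file modes (for example a tar archive extracted with permissions kept), and the name pattern for credential-like fields is an assumed heuristic.

```python
import os, re, sqlite3, stat, sys
import xml.etree.ElementTree as ET
from pathlib import Path
# Assumed heuristic for credential-like key and column names (not from the post).
SECRET = re.compile(r"pass|secret|sasl|nickserv", re.I)

def readers(path):
    """Classes other than the owner that hold the read bit on the file."""
    mode = os.stat(path).st_mode
    return [who for bit, who in ((stat.S_IRGRP, "group"), (stat.S_IROTH, "other")) if mode & bit]

def prefs_fields(path):
    """<string> entries in a shared_prefs file with a credential-like name and a value."""
    return [e.get("name") for e in ET.parse(path).getroot()
            if e.tag == "string" and SECRET.search(e.get("name", "")) and e.text]

def sqlite_fields(path):
    """table.column names that look like credentials and hold non-empty text."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        hits = []
        for (t,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
            for _, c, *_ in con.execute(f'PRAGMA table_info("{t}")').fetchall():
                q = f"""SELECT 1 FROM "{t}" WHERE typeof("{c}")='text' AND "{c}"<>'' LIMIT 1"""
                if SECRET.search(c) and con.execute(q).fetchone():
                    hits.append(f"{t}.{c}")
        return hits
    finally:
        con.close()

def audit(root):
    """Map each file holding plaintext credentials to (readers beyond owner, fields)."""
    report = {}
    for p in sorted(q for q in Path(root).rglob("*") if q.is_file()):
        with open(p, "rb") as fh:
            is_db = fh.read(16) == b"SQLite format 3\x00"  # SQLite file header
        if is_db:
            fields = sqlite_fields(p)
        elif p.suffix == ".xml" and p.parent.name == "shared_prefs":
            fields = prefs_fields(p)
        else:
            continue
        if fields:
            report[str(p.relative_to(root))] = (readers(p), fields)
    return report

if __name__ == "__main__":
    for name, (who, fields) in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, "| readable beyond owner by:", who or "nobody", "| fields:", fields)
```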
Conclusion
As an IRC enthusiast I was hoping at least one would encrypt my private data; however, this was not found to be the case. All tested applications store user data insecurely. The image below shows the search I performed along with the results. Being cheap, I did not download the paid-for app. Any results that were not IRC clients have been removed.