Evernote: XOR & Passwords

Update: Evernote has reported that this issue has been addressed.

Evernote for Android stores various settings in an XML, this file though isn’t really protected – it’s easily readable, especially if an attacker is able to get physical access to a device, what’s worse is that it contains the user’s credentials.

/data/data/com.evernote/shared_prefs/com.evernote_preferences.xml

The username in located in the <string name="username"> element, and the password is stored in <string name="encrypted_password"> – from the name you’d assume that the password is actually encrypted. You’d be wrong.

The password is simply XORed with the username, making recovery simple.

Here’s a simple script to “decrypt” the password: