Deleting a single line from a preferences file grants access to the database

Jul 3, 2014 20:26 GMT  ·  By

A simple way to access the database with the sensitive information stored by RoboForm for Android has been presented in a two-minute video on YouTube.

IT consultant Paul Moore managed to fool the application into believing that no security check was needed before it served up the private data.

By default, RoboForm’s database entries are protected by a master password, which, in most other apps, is the only thing standing between the user and the decrypted content of the database.

However, the Android version of RoboForm also offers a PIN code, a short string of numeric characters, as an alternative way to unlock the app.

Moore discovered that if access to the RoboForm database is granted based on a user-defined PIN, the authentication process can be bypassed by deleting a specific line in the preferences file of the app.

The line is “pref_pincode,” and nothing protects it: the app treats its absence as “no PIN configured” rather than failing closed. Removing it from the preferences file and saving the modification allows viewing the entries in the database without the PIN and without the master password. Editing that file does require access to the app's private data directory (for example, on a rooted device or one whose storage can otherwise be read), which is the realistic scenario for a lost or stolen phone.

The entire demonstration is about two minutes long, and the steps required are trivial.

According to The Register, in response to Moore's findings RoboForm said it would re-assess how the master password is stored on mobile devices and would require it after a reboot “even if the user chooses the option to set the Master Password to 'Off'.”

“This way, if a phone is lost and a third party tries to access RoboForm either by guessing the PIN or bypassing the PIN function, the third party would still be required to know the Master Password,” a RoboForm representative told them.
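To make the flaw concrete, the following is an added example (not RoboForm's code, and not from the article) that models both the bypass described above and the remediation RoboForm outlined to The Register. The preferences XML, the `pref_pincode`/`cached_vault_key`/`kdf_salt` names, the master password, PIN and vault contents are all constructed for illustration, and the SHA-256 counter-mode cipher with HMAC is a toy stand-in for a real AEAD such as AES-GCM. The vulnerable design keeps a cached vault key on disk next to a PIN flag, so deleting the flag opens the vault; the hardened design stores nothing that can decrypt the vault, so the PIN only works while a key is still in memory from an earlier master-password entry, and after a reboot the master password is required no matter what the file says.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed test values; none of them come from RoboForm.
MASTER_PASSWORD = "correct horse battery staple"
PIN = "2580"
KDF_SALT = b"constructed-16B-salt"
VAULT_PLAINTEXT = b"site=example.com;user=alice;pass=hunter2"


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Vault key derived from the master password (PBKDF2-HMAC-SHA256, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); a stand-in for AES-GCM, not for production."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC so a wrong key is detected instead of yielding garbage."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify under this key."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


VAULT_KEY = derive_key(MASTER_PASSWORD, KDF_SALT)
VAULT_BLOB = seal(VAULT_KEY, VAULT_PLAINTEXT)  # what sits in the app's database file

# Vulnerable layout (constructed, SharedPreferences-style XML): the PIN is a flag in the
# prefs file, and the vault key is cached beside it so the app never needs the master password.
VULNERABLE_PREFS_XML = f"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="pref_pincode">{PIN}</string>
    <string name="cached_vault_key">{VAULT_KEY.hex()}</string>
</map>
"""

# Hardened layout: only a KDF salt is on disk; nothing in the file can decrypt the vault.
HARDENED_PREFS_XML = f"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="pref_pincode">{PIN}</string>
    <string name="kdf_salt">{KDF_SALT.hex()}</string>
</map>
"""


def parse_prefs(xml_text: str) -> dict:
    """Read a SharedPreferences-style XML file into a dict of string values."""
    return {e.get("name"): (e.text or "") for e in ET.fromstring(xml_text)}


def delete_pref(prefs: dict, name: str) -> dict:
    """Simulate removing one <string name=...> line from the file and saving it."""
    return {k: v for k, v in prefs.items() if k != name}


def vulnerable_unlock(prefs: dict, pin: Optional[str]) -> Optional[bytes]:
    """A missing pref_pincode is read as 'no lock configured', and the cached key
    on disk is all that is needed to decrypt."""
    stored_pin = prefs.get("pref_pincode")
    if stored_pin is not None and pin != stored_pin:
        return None
    return unseal(bytes.fromhex(prefs["cached_vault_key"]), VAULT_BLOB)


def hardened_unlock(prefs: dict, pin: Optional[str] = None,
                    master_password: Optional[str] = None,
                    session_key: Optional[bytes] = None) -> Optional[bytes]:
    """Fail closed: the PIN only re-opens a vault whose key is still in memory
    (session_key) from an earlier master-password entry. After a reboot there is
    no session key, so the master password is required whatever the file says."""
    stored_pin = prefs.get("pref_pincode")
    if session_key is not None and stored_pin is not None and pin == stored_pin:
        return unseal(session_key, VAULT_BLOB)
    if master_password is None:
        return None
    return unseal(derive_key(master_password, bytes.fromhex(prefs["kdf_salt"])), VAULT_BLOB)


if __name__ == "__main__":
    tampered = delete_pref(parse_prefs(VULNERABLE_PREFS_XML), "pref_pincode")
    print("vulnerable, PIN line deleted:", vulnerable_unlock(tampered, pin=None))
    tampered = delete_pref(parse_prefs(HARDENED_PREFS_XML), "pref_pincode")
    print("hardened, PIN line deleted:  ", hardened_unlock(tampered, pin=None))
```

The design point is that a lock which is only a flag in a file the attacker can edit is not a lock at all; the vault must be unreadable without a secret that is not on the device, and a convenience unlock such as a PIN should only ever gate a key that is already in memory.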