October 16, 2012
I’ve been playing around with some Android exploitation lately, and I wanted to clarify the risks associated with storing domain credentials anywhere on a mobile device. Obviously, gaining access to your email or calendar could expose some sensitive information, or could allow for password resets via email or some social engineering, but I feel like the real risk lay elsewhere. Most mobile devices when associated with an Exchange server will store credentials in cleartext. This means that any malicious attacker who can get root access to your phone can gain access to your domain credentials. The risk this presents is dependent on your organization, but if your organization has any external resources accessible via RDP or uses AD authentication on the VPN, an attacker can just hop right into your environment. This is true on Android and iOS for sure; to prove it to you, my technical paper has practical guidelines on how to extract credentials from a mobile phone. Check it out!