Security Issue - On Roblox Mobile iOS, passwords are stored in plain text

Specifically in:
[RobloxMobile]/Library/Preferences/com.roblox.robloxmobile.plist

There is a string value in that plist file called “password”, which obviously has your password stored, in plain text, unencrypted. Not only that, if you have remember me turned off, it’s still saved anyway, in plain text, too.

This is VERY VERY BAD. Any Mac or PC will be able to download that plist file from your iOS device and see your password, even if the device is locked with a passcode (As long as it trusts the computer because you’ve plugged it in before and hit “trust” on your device, it can find your password). This means you could download a nasty piece of malware which downloads the plist file and sends your password off somewhere else. All this can happen without you even knowing.

If you backup your iOS device to iTunes, even over Wi-Fi, it is possible an application can fetch your password out of the backups.

This might also be the case with the new Roblox Mobile Android app, but I don’t know for sure. (Edit: PlusSean says it is also stored in plain text on Android, but it’s only accessible by root)

Simple ways to protect yourself:
[ul]
[li]Avoid downloading risky things from the internet. It’s that simple.[/li]
[li]Enable iTunes’s backup encryption, and choose a good password to encrypt the backups to keep your data safe. It adds another layer of protection for all your data, not just Roblox Mobile.[/li]
[li]Download an iOS file editor like iFunBox or iExplorer, open up the files for Roblox Mobile, and delete /Library/Preferences/com.roblox.robloxmobile.plist from it (Jailbreakers, you can also open iFile and remove /var/mobile/Applications/[find roblox mobile’s ID]/Library/Preferences/com.roblox.robloxmobile.plist).[/li]
[li]Avoid logging in with your main account on Roblox Mobile. You should remove the plist first, and use a different account you wouldn’t care about if it was gotten into, or you can play as a guest and be completely safe.[/li]
[/ul]

Edit: Added images, fixed file path
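An added audit check, not code from the thread or from Roblox: it parses a preferences plist with Python's plistlib, flags credential-looking keys that hold plaintext values, and reports the case the post describes where the password persists even though remember-me is off. The sample plist and every key name except "password" are constructed assumptions.

```python
import plistlib
import re

# Constructed sample plist shaped like the preferences file in the report.
# Only the "password" key name comes from the thread; the rest are assumed.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>username</key><string>example_user</string>
  <key>password</key><string>hunter2</string>
  <key>rememberMe</key><false/>
  <key>lastLaunch</key><string>2013-01-01</string>
</dict>
</plist>
"""

# Key names that should never carry a plaintext value in app preferences.
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token|credential", re.IGNORECASE)


def _walk(node, path=()):
    """Yield (path, value) for every leaf in nested plist dicts and arrays."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, path + (str(k),))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, path + (f"[{i}]",))
    else:
        yield path, node


def audit_preferences(plist_bytes, remember_me_key="rememberMe"):
    """Return findings for credential-looking keys holding non-empty values;
    also flag a stored password while the remember-me flag is false."""
    data = plistlib.loads(plist_bytes)
    remember = data.get(remember_me_key) if isinstance(data, dict) else None
    findings = []
    for path, value in _walk(data):
        if not SECRET_KEY.search(path[-1]):
            continue
        if isinstance(value, (str, bytes)) and value:
            reason = "credential stored in plaintext preferences"
            if remember is False:
                reason += "; remember-me is off yet the value persists"
            findings.append({"key": ".".join(path), "severity": "high",
                             "reason": reason})
    return findings
```

Running `audit_preferences(SAMPLE_PLIST)` on the sample reports one high-severity finding for `password`; a plist with no such keys returns an empty list.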

The password is also stored in plaintext in Roblox for Android.
However, it is stored under /data/data/com.roblox.roblox_client/shared_prefs/prefs.xml which is only accessible with root permissions.

Thanks for the report. I walked over and talked to one of the iOS developers and he’s investigating right now.

In the future, it might be a good idea to place your sensitive bug reports inside confidential tags so that only administrators can view them.

I edited the subject on the top post. We appreciate people bringing serious things to our attention. However, calling things fail (in this case), or dumb weak stupid broken etc (in posts by others) just makes our engineers feel bad. They work really hard, and using hyperbole to call out our shortcomings takes the focus away from the bug or issue report and puts it on our engineering. Obviously we want to create the best product possible, and keep accounts secure, so thanks for pointing this out.


[quote] Thanks for the report. I walked over and talked to one of the iOS developers and he’s investigating right now.

In the future, it might be a good idea to place your sensitive bug reports inside confidential tags so that only administrators can view them. [/quote]

Thanks for the quick reply!

Also I didn’t notice there was a confidential tag. And it would be good for everyone to know that their passwords are easily accessible, so we can all take care of it and protect our passwords until a fix is implemented. Hopefully we’re able to trust other roblox developer members with this information :slight_smile:

Alright, that’s fine. Thank you. I didn’t intend it to make anyone feel bad.

Edit: is it OK if I make the title “Security Issue - On Roblox Mobile iOS, passwords are stored in plain text”?


Does logging in with another account overwrite a previously entered password?

Our engineer who goes by androidtest on ROBLOX and these forums says the following:

If you uncheck “remember password” you get exactly the desired behavior: You are kept logged in as long as your ROBLOX cookie remains valid and have to log in again after that.

In essence this bug report says that “when you click remember password the app remembers your password.” We can (and will) obfuscate the password, however any determined attacker will easily be able to scan the decrypted/descrambled password out of memory.

In fact, I don’t even like apps that “encrypt” a remembered password for the app somehow. It’s just a feel-good measure for people who have some sort of aversion to ever seeing their password out in the clear, and doesn’t actually stop the password from being stolen. I would rather we didn’t do it.

[quote] Our engineer who goes by androidtest on ROBLOX and these forums says the following:

If you uncheck “remember password” you get exactly the desired behavior: You are kept logged in as long as your ROBLOX cookie remains valid and have to log in again after that.

In essence this bug report says that “when you click remember password the app remembers your password.” We can (and will) obfuscate the password, however any determined attacker will easily be able to scan the decrypted/descrambled password out of memory. [/quote]

Because of code signing, sandboxing, and other iOS security features, it would be next to impossible to fetch out of memory, unless you are jailbroken and install a malicious extension. With Android, snatching the password from memory I’m sure would be much easier. (Especially if it’s rooted)


Of course encryption won’t make it 100% impossible to decrypt the password. I’m just saying it should never be shown without any encryption at all. Also, it should never store the password in that plist if remember me is unchecked. When you uncheck Remember Me, most people will assume that means it will not be stored.


“Of course encryption won’t make it 100% impossible to decrypt the password.”

Not only will it not be 100% impossible, it will only make it trivially more difficult to steal the passwords. The bottom line is that if you use the “remember password” feature, and someone has physical access to your device, then they can steal the password off of it, there’s no getting away from that no matter what “encryption” you might throw into the mix.

“Also, it should never store the password in that plist if remember me is unchecked.”

If anything this is the legitimate issue here (I don’t know whether it actually is, I don’t know what the “right” place to store saved passwords on iOS is), not the fact that the password is saved in the clear.

[quote=“Ryan”]With Android, snatching the password from memory I’m sure would be much easier. (Especially if it’s rooted)[/quote] Of course it’ll be easier to get it out of memory if it’s rooted; it’s impossible to get it from memory without superuser access.

[quote] “Of course encryption won’t make it 100% impossible to decrypt the password.”

Not only will it not be 100% impossible, it will only make it trivially more difficult to steal the passwords. The bottom line is that if you use the “remember password” feature, and someone has physical access to your device, then they can steal the password off of it, there’s no getting away from that no matter what “encryption” you might throw into the mix.

“Also, it should never store the password in that plist if remember me is unchecked.”

If anything this is the legitimate issue here (I don’t know whether it actually is, I don’t know what the “right” place to store saved passwords on iOS is), not the fact that the password is saved in the clear. [/quote]

The correct place is to store passwords in the keychain.
