Samsung Galaxy S3 stores passwords in plain text
We enter a lot of passwords into smartphones nowadays. Social networks, emails, even bank accounts are all in there. There’s an understanding with anything stored digitally that there’s no such thing as “completely secure”, but there’s also an expectation that risks are being minimized by all of the parties involved. With the Samsung Galaxy S3, easily the most popular Android smartphone on the market right now, this may not be the case. Recently it has been discovered that Samsung’s own S-Memo app is storing passwords in plain text, which means anyone who knows where the file is stored and has access to the file can read it.
When you have a rooted Android phone, it’s widely understood that all bets are off as far as vulnerabilities are concerned. Just like in desktop Linux, superuser access means you can break whatever you want, and the OS will do very little to stop you. With Android phones, it means you now have access to every file on the device. The S-Memo SQLite files are only accessible to those with root access, but once you have access to the files you can pull whatever you want from them. This includes your Google Account password, which you surrendered to S-Memo when you logged in to your Galaxy S3. Instead of being protected by encryption, the password can simply be copied and pasted for use on anything.
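An added example, not from the original article or from Samsung: a Python audit a developer could run against their own app's SQLite store to flag credential-named columns that hold readable text, the condition described above. The column-name patterns, the entropy threshold and the sample database are constructed assumptions, not S-Memo's actual schema.

```python
import math
import re
import sqlite3

# Assumed naming patterns for secret-bearing columns (not S-Memo's real schema).
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|credential", re.I)

def entropy(text):
    """Shannon entropy in bits per character."""
    counts = (text.count(ch) for ch in set(text))
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts)

def looks_plaintext(value):
    """Heuristic: short or low-entropy TEXT is probably a readable secret."""
    if not isinstance(value, str) or not value:
        return False  # BLOBs and NULLs are not flagged; review those by hand
    return len(value) < 32 or entropy(value) < 3.5

def audit(conn):
    """Return sorted (table, column) pairs with readable secrets, never the values."""
    findings = set()
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in filter(SECRET_NAME.search, cols):
            rows = conn.execute(f'SELECT "{col}" FROM "{table}"')
            if any(looks_plaintext(v) for (v,) in rows):
                findings.add((table, col))
    return sorted(findings)

def build_sample():
    """Constructed in-memory database: one unsafe table, one acceptable one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (email TEXT, password TEXT);
        CREATE TABLE vault (email TEXT, password_enc BLOB, token_digest TEXT);
    """)
    conn.execute("INSERT INTO accounts VALUES (?, ?)",
                 ("user@example.com", "Summer2012!"))
    conn.execute("INSERT INTO vault VALUES (?, ?, ?)",
                 ("user@example.com", bytes(range(48)), "0123456789abcdef" * 4))
    return conn

if __name__ == "__main__":
    for table, col in audit(build_sample()):
        print(f"readable secret in {table}.{col}")
```

The check is a heuristic: a long, high-entropy passphrase stored as text would pass it, so a clean result does not prove the store is safe.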
The volume of people this affects immediately is fairly small, but it exposes a vulnerability that could be used to grant a malicious user access to your Google Account. On an Android phone, that’s not far from being your entire digital existence. While rooting a Samsung Galaxy S3 only takes about five minutes, the software tools required are uncommon enough that as long as your phone isn’t already rooted you likely don’t have anything to worry about.
Given the severity of the discovery, I would expect Samsung to respond quickly and update the S-Memo app to hash or encrypt the passwords in S-Memo.