General information
As The Andro Nerd pointed out in his answer, most apps store passwords (and other sensitive information) encrypted. Some don't even store them at all (they use a kind of "token", as is available with most Google apps -- or they don't store anything like that).
Unfortunately, only most apps seem to care this way. Some store everything in plain text (the stock email app on some HTC devices is known for that, for example: storing passwords and even directory information in plain text for Exchange services. Sources for this allegation can be found in the book mentioned below).
Which apps are safe?
It's hard to really know which apps are safe, though some services help you figure it out -- see e.g. viaForensics' AppWatchdog, where they thoroughly investigate apps for things like that (but with limited resources are far from covering everything). Some security blogs inform about found issues as well -- and if some well-known app is affected by such a security hole (as e.g. the mentioned email app, or Skype), all the blogs in the world will spread the word.
How to check it on your own
Knowing the structure in which data is saved, you could investigate yourself (if your device is rooted, that is). Andrew Hoog's book Android Forensics and Mobile Security is one good source teaching you how to do that:
Apps store their data below /data/data, in a directory with the app's package name as name (for Skype, this would be /data/data/com.skype.merlin_mecha/). By default, that directory is accessible by the app alone (and, of course, by root) -- which is why it requires root privileges to dig deeper. The basic structure below is as follows:
/data/data/com.example.demoapp
├── cache                 Directory
│   └── webviewCache      Directory
│       ├── 027e59a0      Cache file
│       └── 057606c4      Cache file
├── databases             Directory
│   └── example.db        SQLite database
├── lib                   Directory
└── shared_prefs          Directory
    └── example.xml       Config file
Obviously, there are two major places to check:
- the shared_prefs directory, containing XML files. As those are plain-text, they should be easy to investigate.
- the databases directory. Database files are usually in the SQLite standard, so you can investigate them with either an SQLite command line client, or with a graphical frontend like SQLiteMan.
Thorough information on this topic would go too far here -- but you got the idea, I hope.
Conclusion
I wouldn't be that much concerned with Samsung's official service (though "bad guys" could sit everywhere -- but one should not go paranoid about it). But of course it is a generally good idea to be careful of which apps one uses. Too late for your current case, might be -- but there's always a tomorrow.
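
The two checks described under "How to check it on your own", as an added example that is not part of the original answer or of the book it cites: a Python sketch that walks a copy of an app's data directory from your own rooted device and flags credential-like entries in shared_prefs XML files and SQLite columns for manual review. The name pattern in SUSPECT, the demo() helper, and all sample keys, tables and values are assumptions constructed for illustration.

```python
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SUSPECT = re.compile(r"passw|pwd|secret|token", re.I)  # assumed name hints; tune per app

def scan_shared_prefs(app_dir):
    """(file, key, value) for suspicious non-empty entries in shared_prefs/*.xml."""
    hits = []
    for f in sorted(Path(app_dir, "shared_prefs").glob("*.xml")):
        try:
            root = ET.parse(f).getroot()
        except ET.ParseError:
            continue  # truncated or non-XML file: skip it
        for node in root.iter():
            name = node.get("name", "")
            # <string> keeps its value as text, <int>/<boolean> in a value attribute
            value = (node.text or node.get("value", "")).strip()
            if value and SUSPECT.search(name):
                hits.append((f.name, name, value))
    return hits

def scan_databases(app_dir):
    """(file, table, column, non-empty rows) for suspicious SQLite columns."""
    hits = []
    for f in sorted(Path(app_dir, "databases").glob("*.db")):
        con = sqlite3.connect(f.resolve().as_uri() + "?mode=ro", uri=True)  # read-only
        try:
            for (t,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
                for col in [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]:
                    q = f'SELECT COUNT(*) FROM "{t}" WHERE "{col}" <> \'\''
                    if SUSPECT.search(col) and (n := con.execute(q).fetchone()[0]):
                        hits.append((f.name, t, col, n))
        except sqlite3.DatabaseError:
            pass  # not SQLite, or an encrypted database
        finally:
            con.close()
    return hits

def demo():  # builds a constructed sample tree (not real app data) and scans it
    app = Path(tempfile.mkdtemp(), "com.example.demoapp")
    for sub in ("shared_prefs", "databases"):
        (app / sub).mkdir(parents=True, exist_ok=True)
    (app / "shared_prefs" / "example.xml").write_text(
        '<map><string name="exchange_password">hunter2</string><int name="sync" value="15" /></map>')
    con = sqlite3.connect(app / "databases" / "example.db")
    con.executescript("CREATE TABLE accounts (user TEXT, auth_token TEXT);"
                      "INSERT INTO accounts VALUES ('alice', 'constructed-token');")
    con.close()
    return scan_shared_prefs(app), scan_databases(app)
```

A hit only means a credential-like name holds a non-empty value; whether that value is plain text, a hash or ciphertext still has to be judged by looking at it.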