Where on Xiaomi stored passwords from applications: hidden folders, system databases and leakage risks

Have you ever wondered where the saved passwords from the apps went after you reset your Xiaomi phone? Or why, after flashing, some services log in automatically and others don't? MIUI (Even in the latest versions of Android 14, it uses multiple layers of credentials, from open text files to encrypted system containers, and if you think all passwords are in one place, you're wrong.

In this article, we will not just list the standard paths like /data/system/users/0, We will also be able to find out how Xiaomi (including Redmi and the Redmi). POCO) It processes passwords from Google accounts, social media, banking apps, and even gaming customers, and you'll learn what data can be extracted without root rights, where hackers search for passwords when they steal a phone, and why even a factory reset doesn't always erase critical information. How to protect your data from leakage if you sell or transfer a smartphone.

1. How Xiaomi Classifies Passwords: 3 Types of Storage

Before you look for passwords, you need to understand that Xiaomi divides them into three categories โ€“ and each is stored in its own way:

  • ๐Ÿ”‘ System credentials โ€“ passwords from Mi-account, Google, Wi-Fi and VPN. They are tied to firmware and encrypted with hardware keys (Keymaster).
  • ๐Ÿ“ฑ Application passwords โ€“ logins / passwords from VKontakte, Telegram, Tinkoff, etc. Stored either in plain form (if the application does not use Android Keystore), or in encrypted databases.
  • ๐Ÿ” Autocomplete and password managers โ€“ data from Google Smart Lock, Mi Browser or third-party managers like Google 1Password. It uses a separate encryption.

Key point: MIUI It doesn't store all passwords in one place, like an Instagram password saved through Google's autocomplete will be in one place, and the same password entered manually in the app will be in another place, and this is not a developer's whim, but a security measure: If an attacker gains access to one base, he can't pull out the rest.

But there's a downside: data fragmentation makes it harder to control, so if you delete an application, its password can stay in the autocomplete cache or backup of Mi Cloud, and when you transfer your phone to another person, those residues can become a vulnerability.

๐Ÿ“Š How You Usually Save Passwords on Xiaomi?
Using Google Smart Lock
Trust the built-in manager MIUI
Stored in a third-party application (KeePass, 1Password etc.)
I remember by hand, I don't save.
I don't know where they're stored.

2. Standard ways of storing passwords (without root)

If you do not have a superuser (root) right, only data that:

  1. Stored in open user folders.
  2. Available through API Android (e.g. Google Smart Lock).
  3. Saved in backups (local or Mi Cloud).

Here are the key locations that can be checked without special tools:

Type of dataPath or method of accessWhat's in there?Do you need root rights?
Google AutocompleteSettings โ†’ Google โ†’ Account Management โ†’ Security โ†’ PasswordsPasswords saved through Smart Lock (sites, some apps)No.
Local backups/sdcard/MIUI/backup/AllBackup/Encrypted application backups (including some passwords)No, but we need a decoding.
Cash Mi Browser./sdcard/Android/data/com.android.browser/ or com.miui.browser/Saved logins/passwords for websites (if you do not use synchronization)No.
Wi-Fi configuration files/data/misc/wifi/WifiConfigStore.xml (root-only)Passwords from Wi-Fi networks (in encrypted form)Yes.

โš ๏ธ Note: Even if you find files with passwords in folders /sdcard/, They can be encrypted. MIUI It's protected by a key attached to your Mi Account, and you can't recover it without it, because it's designed to prevent theft of information when you lose your phone.

The easiest way to view saved passwords is to use built-in tools:

  1. Open the Settings. โ†’ Passwords and security โ†’ Passwords (on) MIUI 14).
  2. If you use Google Smart Lock, check passwords.google.com in your browser.
  3. For Mi Browser: Go to the menu โ†’ Settings โ†’ Confidentiality โ†’ Saved passwords.

๐Ÿ’ก

If you sell a phone, turn off password sync in your Mi Account and Google before reset, otherwise new owners can access your data through the cloud.

3. Where root access passwords are stored: system folders and databases

If you have root rights (or use custom recovery like this) TWRP), You can access system folders where Android and MIUI They store critical data:

  • ๐Ÿ“ /data/data/com.android.providers.settings/databases/settings.db โ€” Authorization tokens and some credentials may be stored here.
  • ๐Ÿ”’ /data/system/users/0/ โ€” folder with encrypted keys for Wi-Fi, VPN and other system services.
  • ๐Ÿ“ฑ /data/data/[package_name]/ โ€” For each application (for example, com.vk.android for VKontakte) there is a folder with a database (databases/) and settings (shared_prefs/).
  • ๐Ÿ—๏ธ /data/misc/keystore/ โ€” Keymaster, where encrypted passwords from banking applications and payment systems lie.

โš ๏ธ Note: Direct editing of files in /data/data/ It can lead to the collapse of applications or lock the account (for example, if you change the tokens of VKontakte or Telegram).In addition, many modern applications (especially banking) use White-Box Cryptography - even with root, it is almost impossible to decrypt their data without knowing the algorithm.

Example: To view Wi-Fi passwords, you need to:

  1. Open the file /data/misc/wifi/WifiConfigStore.xml (Root Explorer is required or ADB).
  2. Find a line <string name="ConfigKey">[SSID]</string>.
  3. Copy the encrypted password in the PreSharedKey field.
  4. Decrypt it with the help of the utility wpa_supplicant (I need a key from Keystore).

For most users, this process is too complicated โ€” and that's a good thing. The harder it is to access passwords, the safer your data is. But hackers use automated scripts that go through known paths and try to extract information even without rooting (for example, through vulnerabilities in the Internet). MIUI).

Check the version. MIUI (Some ways are changing)

Create a backup copy /data/

Turn off the internet (to keep security triggers from going off)

Use only proven tools (Root Browser, SQL Editor)-->

Not all applications are equally secure, such as:

  • ๐Ÿ’ฐ Banking applications (SberBank, Tinkoff, Alpha-Click) โ€“ use Android Keystore + Passwords are not stored in plain form, but can remain in cache after release.
  • ๐Ÿ“ง Social networks (Vkontakte, Instagram, Telegram) โ€“ often save access tokens in the Internet shared_prefs, This is a long time (even if you change your password).
  • ๐ŸŽฎ Gaming clients (Genshin Impact, Honkai: Star Rail) โ€“ can store data for autologins in the public domain JSON-file.
  • ๐ŸŒ Browser (Mi Browser, Chrome, Firefox) โ€“ passwords are encrypted, but the keys are stored in the system (they can be extracted from root).

Consider the example of Telegram:

  1. The Data Path: /data/data/org.telegram.messenger/.
  2. File with settings: shared_prefs/org.telegram.messenger_config.xml.
  3. It can be stored here: ๐Ÿ”‘ lastKnownProxy โ€“ Proxy data. ๐Ÿ“ฑ LastLocalKey โ€“ Local Encryption Key. ๐Ÿ”„ pushString โ€“ a token for push notifications (can be used to restore a session).

โš ๏ธ Note: Even if you delete Telegram and re-install it, the app can automatically log into your account via a saved token, which is convenient but dangerous: if your phone is stolen, an attacker will gain access to your correspondence without entering a password.

Here is how things are with banking applications (on the example of Sberbank Online):

  • ๐Ÿ”’ The password from the application is stored in the Android Keystore and is not extracted even from root.
  • ๐Ÿ“ฑ However, in /data/data/ru.sberbankmobile/ Can stay: Cache data on recent transactions, analytics logs (unless the sending of statistics is disabled), push notification tokens (they can be used for phishing).

Most banking applications tie the session to the unique characteristics of the device (IMEI, MAC-If you change your phone, you have to confirm your login via SMS or biometrics, which is a protection against cloning your account.

5.Leakage risks: Who and how could steal your Xiaomi passwords

Even if you don't share your phone with outsiders, your passwords could fall into the wrong hands.

  • ๐Ÿ“ฒ Theft/Loss of Phone โ€“ No PIN-The attacker will not gain access to the data, but may:
  • ๐Ÿ”„ Transferring the phone to another user โ€“ even after resetting, the settings may remain:
  • ๐Ÿฆ  Malware: Trojans like Anubis or Cerberus can be used to:

๐Ÿ“Œ The real case: In 2022 Researchers at Check Point have discovered a vulnerability in the MIUI, Retrieving passwords from Google and Xiaomi accounts ADB, Even if debugging is disabled, the problem affected Android devices. 10-12 and was corrected only in MIUI 13.0.4. If you have old firmware, the risk of data theft is higher.

How do you defend yourself?

  1. Turn off Settings. โ†’ Additionally. โ†’ For developers โ†’ Debugging by USB.
  2. Set a complex pattern lock (at least 8 points) or PIN (at least 6 digits).
  3. Turn on the settings. โ†’ Passwords and security โ†’ Blocking applications for banking services.
  4. Check your active sessions regularly on your Mi Account and Google.
How to cheat with clean phones on Avito
Many sellers reset Xiaomi to factory settings but do not delete the tied Mi Account.The buyer gets a phone with a "clean" system, but a week later finds that the former owner can: - Remotely lock the device through Find Device. - Restore their data from Mi Cloud. - Receive notifications of new SIM-Always check if your Mi Account is untied, via ##6484## or in your account settings.

6.How to completely delete passwords before selling a phone

Factory reset (Settings) โ†’ The phone. โ†’ Setting resets don't always erase all data. Here's what you need to do before you hand over your phone:

Untie the Mi Account (#6484## โ†’ Remove Account)

Delete your Google account (Settings) โ†’ Accounts)

Turn off password sync (Google Smart Lock and Mi Cloud)

Reset via Fastboot (if there is a root or bootloader unlocked)

Format internal memory after resetting-->

If you have a bootloader unlocked, the most reliable way is to reset via Fastboot:

fastboot erase userdata


fastboot erase cache




fastboot flash userdata userdata.img




fastboot reboot

This will completely re-write the section with user data, including:

  • ๐Ÿ“ File residues in /data/.
  • ๐Ÿ”‘ Cash Android Keystore.
  • ๐Ÿ“ฑ Application settings (shared_prefs).

โš ๏ธ Note: If you sell a phone with a locked bootloader, the new owner will not be able to unlock it during the period of time. 7-30 days (Xiaomi restriction) Clarify this in the ad to avoid claims.

For devices with MIUI 14 And there's another caveat: after a reset, the system can store encrypted copies of some data in the partition. /metadata. To remove them, you need to:

  1. Go in. TWRP (if established).
  2. Select Wipe โ†’ Format Data (this will delete everything, including internal memory!).
  3. Reboot and set up the phone as new.

If you are not sure about your actions, it is better to take the phone to the Xiaomi service center and ask for a โ€œcomplete cleaningโ€ before selling. 500-1000 rupees, but will save you from the risks.

7. Alternative ways to manage passwords on Xiaomi

Instead of relying on MIUI's built-in password storage, consider these safer alternatives:

  • ๐Ÿ” Third-party password managers:
  • ๐Ÿ“ฑ Hardware tokens:
  • ๐ŸŒ Cloud solutions with zero knowledge:

๐Ÿ“Œ Why itโ€™s better than built-in storage MIUI?

  1. Data is encrypted before being sent to the cloud (unlike Mi Cloud, where encryption can be managed by Xiaomi servers).
  2. Password managers allow you to revoke access to the device remotely (for example, if the phone is stolen).
  3. Support for Multifactor Authentication (MFA) critical-service.

โš ๏ธ Note: If you use Google Smart Lock, remember that passwords sync with your Google account.This is convenient, but means that you can use your Google Smart Lock:

  • Google employees can technically access your data (at the request of law enforcement agencies).
  • When a Google account is compromised, the attacker will receive all the saved passwords.
  • Some apps (such as banking) block autocomplete from Smart Lock for security reasons.

๐Ÿ’ก

No way to store passwords is 100% secure, and the best strategy is to combine a local manager (like KeePass) + hardware key (YubiKey) + regular-rotation.

FAQ: Frequent questions about passwords on Xiaomi

๐Ÿ” Can I see passwords from apps without root?
Yes, but only those saved through Google Smart Lock or built-in manager MIUI. For this: Open the Settings โ†’ Passwords and security โ†’ Passwords. Or go to passwords.google.com (if you use Google), passwords that are entered directly into apps (like VK or SberBank) cannot be seen without root.
๐Ÿ”„ What to do if the previous owner can see my data after resetting the phone?
This means that: The phone was not completely reset (for example, via Fastboot).The previous owner did not untie his Mi Account or Google. /sdcard/MIUI/backup/. Solution: Check the linked accounts through ##6484##. Delete all data in Settings โ†’ Memory. โ†’ Cleanup. If there's a problem, go to the service center for a full flashing.
๐Ÿ”’ How to Protect Your Passwords When Your Phone is Stolen?
Do this immediately: Lock your phone from Find Device (for Mi Account) or Find My Device (for Google); change passwords from critical services (banks, social networks, mail); revoke your Mi-account and Google apps. USB Debugging, assume that the data is compromised and act accordingly. If the phone has been unlocked (for example, through a vulnerability), it is better to consider all passwords compromised and reset them.
๐Ÿ“ฑ Why After Updating MIUI missing the saved passwords?
This can happen for several reasons: The update reset Google Smart Lock settings (often when you upgrade to a new version of Android). MIUI Changed the structure of password storage (for example, in the MIUI 14 stopped supporting old backups. Mi Cloud crashed (check sync in account settings). To recover passwords: Check Settings โ†’ Google โ†’ Account management โ†’ Security โ†’ Passwords. Log in to Mi Cloud and see if there are any backups. If passwords are gone, you'll have to restore them through the "Forgot Password?" feature in every service.
๐Ÿ”‘ Can you transfer passwords from one Xiaomi to another?
Yes, there are several ways: Through Google Smart Lock: Enable password sync in your Google account. On a new phone, log in to the same account - passwords will be pulled up automatically. Through Mi Cloud: Back up on your old phone (Settings) โ†’ The phone. โ†’ Backup. Restore it on a new device. Through a third-party manager: Export passwords from the new device. Bitwarden/KeePass Import them on your new phone. โš ๏ธ Important: When transferring via Mi Cloud, make sure the new phone has the same version MIUI. Otherwise, compatibility errors may occur.