Android's internal storage provides a mechanism for storing data in a way that's not accessible to other apps. It is therefore used to store secret information such as passwords without encryption.
Palo Alto Networks researcher Claud Xiao has found a way of accessing this data via the backup/restore function of Android Debug Bridge (ADB).
He points out that Android puts several hurdles in the way of an attacker trying to exploit ADB, but says "all of them can be bypassed under the right conditions, leaving the data in internal storage exposed."
Mr Xiao points out that many of the protections have only arrived in recent versions of Android. For example, ADB backup is blocked by locking the screen, but vulnerabilities in versions prior to 4.4.4 allow an attacker to circumvent that protection.
His advice is that developers should have their apps opt out of the ADB backup system (the default is that data in internal storage is backed up, and very few apps override that), or that Google should change the default setting.
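The opt-out is a per-app manifest setting, the `android:allowBackup` attribute on `<application>`. As an added example (not from the original article or from Mr Xiao's research), this Python check reads a decoded `AndroidManifest.xml` and reports whether backup is still permitted; the sample manifests and package names are constructed, and a missing attribute is treated as enabled, matching the default described above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = f"{{{ANDROID_NS}}}allowBackup"

def audit_allow_backup(manifest_xml: str) -> dict:
    """Report whether an app's manifest leaves ADB backup enabled."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml document")
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    raw = app.get(ALLOW_BACKUP)
    if raw is None:
        # Attribute absent: the default applies and data is backed up.
        status, allowed = "missing (defaults to true)", True
    elif raw.strip().lower() == "false":
        status, allowed = "explicit false", False
    elif raw.strip().lower() == "true":
        status, allowed = "explicit true", True
    else:
        # A resource reference such as @bool/... cannot be resolved from
        # the manifest alone; flag it for manual review (assumption).
        status, allowed = f"unresolved value {raw!r}", True
    return {"package": root.get("package"), "status": status,
            "backup_allowed": allowed}

# Constructed sample manifests (decoded text form, not binary AXML).
_HEAD = f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.'
SAMPLES = {
    "default": _HEAD + 'notes"><application android:label="Notes"/></manifest>',
    "opted_out": _HEAD + 'vault"><application android:allowBackup="false"/></manifest>',
    "explicit_on": _HEAD + 'chat"><application android:allowBackup="true"/></manifest>',
    "reference": _HEAD + 'bank"><application android:allowBackup="@bool/bk"/></manifest>',
}

def flagged_packages(samples: dict) -> list:
    """Return the packages whose internal storage can still be backed up."""
    results = (audit_allow_backup(xml) for xml in samples.values())
    return sorted(r["package"] for r in results if r["backup_allowed"])

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(name, audit_allow_backup(xml))
```

The check expects the text form of the manifest, so a manifest taken from a built APK must be decoded from its binary encoding first.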
He suggests users disable ADB debugging whenever it is not needed (it's usually - but not always - off by default, and it seems there are ways of enabling it externally), always keep up with Android patches, and enable screen lock.