A recent study found that Android password managers may not be as secure as their desktop counterparts.
Part of the vulnerability stems from the way the password manager identifies the website by its domain name and then suggests, or in some cases automatically fills in, the matching credentials on the user's behalf, leaving users prone to phishing attacks, according to a recent research paper, Phishing Attacks on Modern Android.
“It is interesting to note how, on the web, password managers do not ease phishing attacks, but quite the opposite,” researchers said in the report. “In fact, web password managers check the current website domain name to determine whether to auto-fill (or auto-suggest) credentials: If the domain name does not match the expectations, no credentials are suggested.”
The researchers argue that a mobile password manager may lend legitimacy to a malicious attack by suggesting a password for an otherwise malicious domain, because it relies on the app's package name, which a malicious app can choose to mimic a legitimate one, as the main abstraction for identifying an app.
To address this, the researchers suggest that password managers instead map package names to the websites they are associated with. They note that although existing mechanisms are capable of doing this, poor design choices in the underlying mechanisms push developers toward vulnerable implementations.
The researchers examined Keeper, Dashlane, LastPass, 1Password and Google Smart Lock (GSL) and found that only GSL is securely implemented; the other managers implement various vulnerable heuristics that misplace trust in an app's package name or other metadata that can be spoofed.
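A minimal model of the two lookups, added here as an illustration and not taken from the paper or from any of the products named above: the package-name heuristic the researchers describe as vulnerable, beside a lookup that consults an association published by the website itself. It assumes the Digital Asset Links statement format used by Android App Links and Smart Lock; the domains, vault, fingerprint and function names are constructed.

```python
from typing import Optional, Tuple

# Constructed sample of the statement example.com would publish at
# https://example.com/.well-known/assetlinks.json (Digital Asset Links format,
# reduced to the fields used below). The fingerprint is a placeholder value.
GENUINE_FINGERPRINT = "A1:B2:C3:D4:E5:F6"  # constructed, not a real cert hash
ASSET_LINKS = {
    "example.com": [{
        "relation": ["delegate_permission/common.get_login_creds"],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.bank",
            "sha256_cert_fingerprints": [GENUINE_FINGERPRINT],
        },
    }],
}

# Constructed credential store keyed by website domain.
VAULT = {"example.com": ("alice", "s3cret")}


def domain_from_package_heuristic(package_name: str) -> str:
    """Illustrative vulnerable heuristic: treat the reversed leading labels of
    the package name as the site's domain. Any app can declare any package
    name, so this trusts attacker-chosen metadata."""
    labels = package_name.split(".")
    return ".".join(reversed(labels[:2]))  # "com.example.bank" -> "example.com"


def suggest_by_heuristic(package_name: str) -> Optional[Tuple[str, str]]:
    """Lookup that relies on the package name alone."""
    return VAULT.get(domain_from_package_heuristic(package_name))


def suggest_by_asset_links(package_name: str,
                           cert_fingerprint: str) -> Optional[Tuple[str, str]]:
    """Hardened lookup: fill only if the website itself names this package AND
    its signing certificate as allowed to receive its login credentials. The
    fingerprint is taken from the installed APK's signature, which an impostor
    cannot reproduce without the genuine signing key."""
    for domain, statements in ASSET_LINKS.items():
        for stmt in statements:
            target = stmt["target"]
            if ("delegate_permission/common.get_login_creds" in stmt["relation"]
                    and target["namespace"] == "android_app"
                    and target["package_name"] == package_name
                    and cert_fingerprint in target["sha256_cert_fingerprints"]):
                return VAULT.get(domain)
    return None
```

A real implementation fetches the statement over HTTPS from the domain itself and reads the fingerprint from the installed APK's signing certificate, never from anything the app declares about itself.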
“The net result is that it is possible for a malicious app to systematically lure these password managers to leak credentials associated with arbitrary attacker-chosen websites,” researchers said in the paper. “To make it worse, we note that these attacks also work for websites for which an associated mobile app does not exist.”
Ultimately, the researchers said that mobile password managers that suggest credentials without properly verifying the site have the potential to add credibility to malicious attacks.
Keeper responded to the findings, saying that the wording of the suggestion popup has been modified to be more descriptive, and that a popup message has also been added to its legacy KeeperFill flow, which is being deprecated once the Autofill API is fully supported across all apps and web browsers, beginning with Android P.
“We have published this change in Keeper for Android version 12.1.1, which was released in July 2018 as part of our monthly application update, along with other planned improvements,” Keeper researchers said in a Sept. 26 security update. “As always, we recommend checking the authenticity of the applications you are installing. If you suspect an application is malicious or fake, please report it to Google at this link.”