Researchers have discovered that several leading Android-based password managers can be fooled into entering login credentials into fake phishing apps.
Password managers can be used to create, store, enter and autofill passwords into apps and websites. As well as allowing users to maintain scores of strong passwords, password managers can also provide some defence against phishing – their autofill features will enter passwords on sites they’re associated (and their mobile apps), but not on fakes.
The University of Genoa and EUROCOM’s Phishing Attacks on Modern Android study explores the difference between accessing a service through its mobile app and accessing it through its website on a desktop browser.
With desktop browsers, when a site is visited for the first time the password manager creates an association between its domain (verified by its digital certificate) and the credentials used to access it.
However, when somebody uses the website credentials to log in to an app, the process of verifying the app is more complicated and potentially less secure.
The main way password managers tell good apps from bad apps is by associating the website domain for that app with the app package name, a metadata ID checked using static or heuristically-generated associations.
The flaw is that package names can be spoofed – all the attacker has to do is create a fake app with the correct package name and the password manager will trust it enough to present the correct credentials.
The researchers found that several popular password managers were vulnerable to this kind of mapping weakness – LastPass, 1Password, Dashlane, and Keeper – with only Google Smart Lock (which isn’t primarily a password manager) able to resist.
Instant trouble
Even Google’s recently introduced Instant Apps – designed to be tried without the need for a download – could be abused by a phishing website to trigger a password manager autofill, the team discovered during testing.
This is particularly dangerous because it means it might be possible to execute a phishing attack without the need to install a fake app spoofing a package name (something Google Play doesn’t allow).
Write the researchers:
We believe this attack strategy significantly lowers the bar, with respect to all known phishing attacks on the web and mobile devices: to the best of our knowledge, this is the first attack that does not assume a malicious app already installed on the phone.
What can be done?
The problem is that the way password managers understand mapping legitimate domains to apps on Android is governed by three standards – the Accessibility Service (a11y); the Autofill Framework (Oreo 8.0 onwards); or using OpenYOLO, a separate Google-Dashlane collaboration.
The first of these, a11y, was designed for people with disabilities and ended up being used by malicious apps to abuse administrator rights, which led Google to implement Autofill Framework, and Dashlane to OpenYOLO. Unfortunately, all three standards are vulnerable to manipulation of package names, which suggests fixing this problem won’t be easy.
The researchers’ solution is a new getVerifiedDomainNames() API that dispenses with package names in favour of checking a hardcoded association between a website domain (and subdomains) and the app connecting to it.
The drawback of this is that websites would need to start publishing an assets file containing this data, something the researchers discovered barely 2% of more than 8,000 sample domains currently bother to do.
For now, this leaves password managers to fall back on their own defences. LastPass, for one, told Naked Security that it did not believe that the weakness had led to any of its customers being compromised:
Our app now requires explicit user approval before filling any unknown apps, and we’ve increased the integrity of our app associations database in order to minimise the risk of any fake apps being filled/accepted.
Naked Security believes that using a password manager is still one of simplest and most effective computer security steps you can take, and closer integration with mobile apps makes using a password manager easier.
You are much more likely to be burned by password reuse than by an autofill attack on a fake app. However, if you are concerned about this kind of attack, or similar attacks that exploit autofill features using hidden password fields, don’t abandon your password manager, just turn autofill off.
Ed Handschuh
Great write-up but why aren’t iOS/Apple apps affected the same way?
Paul Ducklin
The research we’re describing here specifically looked at Android, which is why iOS doesn’t get a mention here. For clarity I have tweaked the headline to say “Android password managers”.
For a bit more information about iOS and password managers in the recently release iOS 12, you might like this:
https://nakedsecurity.sophos.com/2018/09/19/ios-12-is-here-these-are-the-security-features-you-need-to-know-about/
Simon McAllister
I don’t use any password managers. I know that Sophos regularly promote them, and those that use them must trust them. But call me a paranoid old cynic; I use my own password management techniques and I keep these techniques to myself. However, whether it be a password managers or our own manual, electronic methods, an element of trust is still put on the technology to keep them safe/secure.
Paul Ducklin
Technically, it sounds as though you *do* have and use a password manager :--)
Simon McAllister
I can’t confirm or deny :D but technically, yes
Craig
What about Keepass is it also vulnerable?
Paul Ducklin
The authors of the paper [link in article] only included five password managers in their research, and Keepass wasn’t one of them. Would it have passed if it had been tested? Can’t say.
Why not write to the authors (their email addresses are in the paper) and try to talk them into doing the tests again with a longer list of products :-)
Eric The Byte Man
KeePass for the PC doesn’t monitor and interact with the web browser- you have to tab over to KeePass and intiate the auto-type. So I don’t believe KeePass for PC would be affected.
jkwilborn
I also use a password manager, keepass… The really irritating part is that when you go to a new device, you can’t get the software to use your database unless you log in. That’s next to impossible since it’s 28 characters of random junk, I’ve never been able to re-enter it correctly. You end up using junk passwords to get it, lowering security. Seems funny that they don’t allow the ‘free’ apps to be distributed without a logging in since the platform is required to use the app.