Researchers have discovered that several leading Android-based password managers can be fooled into entering login credentials into fake phishing apps.
Password managers can be used to create, store, enter and autofill passwords into apps and websites. As well as allowing users to maintain scores of strong passwords, password managers can also provide some defence against phishing – their autofill features will enter passwords on the sites they’re associated with (and their mobile apps), but not on fakes.
The University of Genoa and EURECOM’s Phishing Attacks on Modern Android study explores the difference between accessing a service through its mobile app and accessing it through its website on a desktop browser.
With desktop browsers, when a site is visited for the first time the password manager creates an association between its domain (verified by its digital certificate) and the credentials used to access it.
However, when somebody uses the website credentials to log in to an app, the process of verifying the app is more complicated and potentially less secure.
The main way password managers tell good apps from bad apps is by associating the website domain for that app with the app package name, a metadata ID checked using static or heuristically-generated associations.
The flaw is that package names can be spoofed – all the attacker has to do is create a fake app with the correct package name and the password manager will trust it enough to present the correct credentials.
The researchers found that several popular password managers were vulnerable to this kind of mapping weakness – LastPass, 1Password, Dashlane, and Keeper – with only Google Smart Lock (which isn’t primarily a password manager) able to resist.
Instant trouble
Even Google’s recently introduced Instant Apps – designed to be tried without the need for a download – could be abused by a phishing website to trigger a password manager autofill, the team discovered during testing.
This is particularly dangerous because it means it might be possible to execute a phishing attack without the need to install a fake app spoofing a package name (something Google Play doesn’t allow).
Write the researchers:
We believe this attack strategy significantly lowers the bar, with respect to all known phishing attacks on the web and mobile devices: to the best of our knowledge, this is the first attack that does not assume a malicious app already installed on the phone.
What can be done?
The problem is that the way password managers on Android map legitimate domains to apps is governed by one of three standards – the Accessibility Service (a11y), the Autofill Framework (Oreo 8.0 onwards), or OpenYOLO, a separate Google-Dashlane collaboration.
The first of these, a11y, was designed for people with disabilities and ended up being used by malicious apps to abuse administrator rights, which led Google to implement Autofill Framework, and Dashlane to OpenYOLO. Unfortunately, all three standards are vulnerable to manipulation of package names, which suggests fixing this problem won’t be easy.
The researchers’ solution is a new getVerifiedDomainNames() API that dispenses with package names in favour of checking a hardcoded association between a website domain (and subdomains) and the app connecting to it.
The drawback of this is that websites would need to start publishing an assets file containing this data, something the researchers discovered barely 2% of more than 8,000 sample domains currently bother to do.
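As an added illustration (not the researchers’ code or any password manager’s), the Python sketch below contrasts a package-name-only mapping with a verified-domain check in the spirit of getVerifiedDomainNames(). It assumes the assets file uses Google’s Digital Asset Links JSON format; the domains, package name, certificate fingerprints and function names are constructed, and the subdomain rule is an assumption.

```python
import json

RELATION = "delegate_permission/common.get_login_creds"
GENUINE_CERT = ":".join(["A1"] * 32)   # constructed SHA-256 signing-cert fingerprint
ATTACKER_CERT = ":".join(["E7"] * 32)  # constructed: fake app signed with another key

# Constructed stand-in for the assets file each domain serves over HTTPS
# (assumed to be in Digital Asset Links format). None = nothing published.
PUBLISHED = {
    "example.com": """[{"relation": ["%s"],
        "target": {"namespace": "android_app",
                   "package_name": "com.example.app",
                   "sha256_cert_fingerprints": ["%s"]}}]""" % (RELATION, GENUINE_CERT),
    "no-assets.example": None,
}

def legacy_allows(package, domain, mapping):
    """Weak check: trusts the package name the app declares about itself."""
    return mapping.get(package) == domain

def verified_domain_names(package, cert_fp, published):
    """Domains whose assets file names this package AND its signing certificate."""
    verified = set()
    for domain, raw in published.items():
        if raw is None:  # no assets file: fail closed, never guess
            continue
        for stmt in json.loads(raw):
            target = stmt.get("target", {})
            if (RELATION in stmt.get("relation", [])
                    and target.get("namespace") == "android_app"
                    and target.get("package_name") == package
                    and cert_fp.upper() in target.get("sha256_cert_fingerprints", [])):
                verified.add(domain)
    return verified

def may_autofill(package, cert_fp, login_domain, published):
    """Fill only when the saved login's domain, or a parent of it, is verified
    (assumption: a statement on a domain also covers its subdomains)."""
    return any(login_domain == d or login_domain.endswith("." + d)
               for d in verified_domain_names(package, cert_fp, published))

if __name__ == "__main__":
    mapping = {"com.example.app": "example.com"}
    # The fake app reuses the genuine package name, so the weak check passes.
    print(legacy_allows("com.example.app", "example.com", mapping))
    print(may_autofill("com.example.app", GENUINE_CERT, "example.com", PUBLISHED))
    print(may_autofill("com.example.app", ATTACKER_CERT, "example.com", PUBLISHED))
```

The weak check never sees who signed the app, so it cannot tell the two apart; the verified check fails closed for the domain that publishes no assets file, which is the adoption gap described above.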
For now, this leaves password managers to fall back on their own defences. LastPass, for one, told Naked Security that it did not believe that the weakness had led to any of its customers being compromised:
Our app now requires explicit user approval before filling any unknown apps, and we’ve increased the integrity of our app associations database in order to minimise the risk of any fake apps being filled/accepted.
Naked Security believes that using a password manager is still one of the simplest and most effective computer security steps you can take, and closer integration with mobile apps makes using a password manager easier.
You are much more likely to be burned by password reuse than by an autofill attack on a fake app. However, if you are concerned about this kind of attack, or similar attacks that exploit autofill features using hidden password fields, don’t abandon your password manager, just turn autofill off.