Researchers at Fraunhofer SIT have found security gaps in Android password management apps - users should update apps
The Fraunhofer Institute for Secure Information Technology (SIT) has identified serious security gaps in Android's password apps. In many of the most popular password managers, cybercriminals could easily gain access to protected information, for example, if the attacker is on the same network. The manufacturers were informed and have corrected the vulnerabilities.
However, users should ensure that they are using the updated app version. The Fraunhofer SIT experts will present the details of their analyses in April at the "Hack In The Box" conference in Amsterdam. The Institute's CodeInspect tool used for the tests will be shown at CeBIT in Hanover from 20-24 March in Hall 6, Stand B 36.
An individual password is required for each application and user account. Users can easily lose track of or forget their passwords. Here, password managers provide a remedy: The user only has to remember a single master password, all other accesses and passwords are stored securely in the application. But what if the security mechanisms have flaws? A research team at Fraunhofer SIT has analyzed a number of popular Android password manager apps. Result: Many of these password apps were unsafe.
In some of the analyzed apps, including LastPass, Dashlane, Keeper and 1Password, the security experts found several implementation errors that led to serious security gaps. "For example, some applications store the entered master password in plain text on the smartphone," explains Dr. Siegfried Rasthofer, an Android expert at Fraunhofer SIT. As a result, encryption can easily be circumvented, and all data is available to the attacker without the user noticing it.
In addition, many applications ignore the problem of the clipboard, which makes "sniffing" possible. It means that the clipboard is not cleaned after the credentials are copied to it and that virtually any other app could access the clipboard. On top of this, who can be sure that there is no other certain app that would exploit this in order to obtain the access information to the password manager? In other cases, it would have sufficed for the attacker to be on the same network; but the loss of equipment could also have a significant risk to users.
"The security analysis of apps is part of our daily business. With CodeInspect and Appicaptor, we have developed our own tools that allow us to review apps very efficiently and in detail for their security, even when the apps’ source codes are not available. This applies to both Android and iOS," explains Dr. Rasthofer. With its tools, Fraunhofer SIT has already revealed many weaknesses in apps. These include the ones that have resulted from careless programming, for example, but also those that were most likely built into apps intentionally.
"We have informed the manufacturers of the affected password managers about the security gaps. Everyone has responded and the vulnerabilities have been closed, "explains Rasthofer. On devices downloading apps from the App Store these issues have now been fixed. Users that have not enabled automatic updates should update the applications immediately. Which apps have been affected and further details about the vulnerabilities can be found at http://sit4.me/pw-manager
Oliver Küch | Fraunhofer-Institut für Sichere Informationstechnologie SIT
Cloud technology: Dynamic certificates make cloud service providers more secure
15.01.2018 | Technische Universität München
New discovery could improve brain-like memory and computing
10.01.2018 | University of Minnesota
What enables electrons to be transferred swiftly, for example during photosynthesis? An interdisciplinary team of researchers has worked out the details of how...
For the first time, scientists have precisely measured the effective electrical charge of a single molecule in solution. This fundamental insight of an SNSF Professor could also pave the way for future medical diagnostics.
Electrical charge is one of the key properties that allows molecules to interact. Life itself depends on this phenomenon: many biological processes involve...
At the JEC World Composite Show in Paris in March 2018, the Fraunhofer Institute for Laser Technology ILT will be focusing on the latest trends and innovations in laser machining of composites. Among other things, researchers at the booth shared with the Aachen Center for Integrative Lightweight Production (AZL) will demonstrate how lasers can be used for joining, structuring, cutting and drilling composite materials.
No other industry has attracted as much public attention to composite materials as the automotive industry, which along with the aerospace industry is a driver...
Scientists at Tokyo Institute of Technology (Tokyo Tech) and Tohoku University have developed high-quality GFO epitaxial films and systematically investigated their ferroelectric and ferromagnetic properties. They also demonstrated the room-temperature magnetocapacitance effects of these GFO thin films.
Multiferroic materials show magnetically driven ferroelectricity. They are attracting increasing attention because of their fascinating properties such as...
The oceans are the largest global heat reservoir. As a result of man-made global warming, the temperature in the global climate system increases; around 90% of...
08.01.2018 | Event News
11.12.2017 | Event News
08.12.2017 | Event News
17.01.2018 | Ecology, The Environment and Conservation
17.01.2018 | Physics and Astronomy
17.01.2018 | Awards Funding