Many Android password managers unsafe

The Fraunhofer Institute for Secure Information Technology (SIT) has identified serious security gaps in Android's password apps. In many of the most popular password managers, cybercriminals could easily gain access to protected information, for example, if the attacker is on the same network. The manufacturers were informed and have corrected the vulnerabilities.

However, users should ensure that they are using the updated app version. The Fraunhofer SIT experts will present the details of their analyses in April at the “Hack In The Box” conference in Amsterdam. The Institute's CodeInspect tool used for the tests will be shown at CeBIT in Hanover from 20-24 March in Hall 6, Stand B 36.

An individual password is required for each application and user account. Users can easily lose track of or forget their passwords. Here, password managers provide a remedy: The user only has to remember a single master password, all other accesses and passwords are stored securely in the application. But what if the security mechanisms have flaws? A research team at Fraunhofer SIT has analyzed a number of popular Android password manager apps. Result: Many of these password apps were unsafe.

In some of the analyzed apps, including LastPass, Dashlane, Keeper and 1Password, the security experts found several implementation errors that led to serious security gaps. “For example, some applications store the entered master password in plain text on the smartphone,” explains Dr. Siegfried Rasthofer, an Android expert at Fraunhofer SIT. As a result, encryption can easily be circumvented, and all data is available to the attacker without the user noticing it.

In addition, many applications ignore the problem of the clipboard, which makes “sniffing” possible. It means that the clipboard is not cleaned after the credentials are copied to it and that virtually any other app could access the clipboard. On top of this, who can be sure that there is no other certain app that would exploit this in order to obtain the access information to the password manager? In other cases, it would have sufficed for the attacker to be on the same network; but the loss of equipment could also have a significant risk to users.

“The security analysis of apps is part of our daily business. With CodeInspect and Appicaptor, we have developed our own tools that allow us to review apps very efficiently and in detail for their security, even when the apps’ source codes are not available. This applies to both Android and iOS,” explains Dr. Rasthofer. With its tools, Fraunhofer SIT has already revealed many weaknesses in apps. These include the ones that have resulted from careless programming, for example, but also those that were most likely built into apps intentionally.

“We have informed the manufacturers of the affected password managers about the security gaps. Everyone has responded and the vulnerabilities have been closed, “explains Rasthofer. On devices downloading apps from the App Store these issues have now been fixed. Users that have not enabled automatic updates should update the applications immediately. Which apps have been affected and further details about the vulnerabilities can be found at http://sit4.me/pw-manager

https://team-sik.org/trent_portfolio/password-manager-apps/