Popular Android Password Managers Expose Credentials

Popular Android password managers are affected by serious vulnerabilities that can expose user credentials, researchers warned on Tuesday.

TeamSIK, a group of security experts from the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany, has analyzed nine of the most popular Android password managers available on Google Play.

The research focused on My Passwords from Erkan Molla, Informaticore’s Password Manager, LastPass, Keeper, F-Secure KEY, Dashlane Password Manager, Keepsafe, Avast Passwords, and 1Password, which have between 100,000 and 50 million installs.

While the apps are advertised as being highly secure, they each contained at least one low, medium or high severity vulnerability. TeamSIK has discovered a total of 26 issues, many of which were patched by vendors within one month after being reported. Only Avast has failed to patch some of the security holes.

“The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials,” researchers said. “Instead, they abuse the users` confidence and expose them to high risks.”

According to the experts, some of the applications stored the master password in plain text, or exposed encryption keys in the code. In some cases, the users’ stored passwords could have been easily accessed and exfiltrated by a malicious application installed on the device.

Researchers also determined that some of the apps are vulnerable to data residue attacks and clipboard sniffing. Worryingly, many of the flaws they identified can be exploited without needing root permissions.

For example, one of the high severity flaws affected Informaticore’s Password Manager. While the app stored the master password in an encrypted form, the encryption key was found in the app’s code and it was the same for all installations. A similar flaw was also identified in LastPass.

The most popular of the apps, Keeper and Keepsafe, had two medium and one low-medium vulnerabilities, respectively.

TeamSIK’s analysis showed that built-in web browsers and features such as autofill can also introduce security risks.

“We found that, for example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using ‘hidden phishing’ attacks. For a better support of auto-filling password forms in web pages, some of the applications provide their own web browsers. These browsers are an additional source of vulnerabilities, such as privacy leakage,” researchers explained.

Technical details have been made available for each of the patched vulnerabilities. 

Related: Android VPNs Introduce Security, Privacy Risks

Related: App-in-the-Middle Attacks Bypass Android Sandbox

Related: Insecure Android Apps Expose Connected Cars