Security issues found in nine password managers for Android (LastPass, Dashlane..)
Security researchers of the Fraunhofer Institute found severe security issues in nine password managers for Android that they analyzed as part of their research.
Password managers are a popular option when it comes to storing authentication information. All promise secure storage either locally or remotely, and some may add other features to the mix such as password generation, automatic sign ins, or the saving of important data such as Credit Card numbers or Pins.
A recent study by the Fraunhofer Institute looked at nine password managers for Google's Android operating system from a security point of view. The researchers analyzed the following password managers: LastPass, 1Password, My Passwords, Dashlane Password Manager, Informaticore's Password Manager, F-Secure KEY, Keepsafe, Keeper, and Avast Passwords.
Some of the apps have more than 50 million installations, and all at least 100,000 installations.
Password Managers on Android security analysis
The team's conclusion should have anyone worried who implements a password manager on Android. While it is unclear whether other password manager applications for Android have vulnerabilities as well, there is at least a chance that this is indeed the case.
The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users` confidence and expose them to high risks.
At least one security vulnerability was identified in each of the apps the researchers analyzed. This went as far as some applications storing the master key in plain text, and others using hard-coded cryptographic keys in code. In another case, installation of a simple helper application extracted the passwords stored by the password application.
Three vulnerabilities were identified in LastPass alone. First a hard-coded master key, then data leaks in browser search, and finally a vulnerability affecting LastPass on Android 4.0.x and lower which allows attackers to steal the stored master password.
- SIK-2016-022: Hardcoded Master Key in LastPass Password Manager
- SIK-2016-023: Privacy, Data leakage in LastPass Browser Search
- SIK-2016-024: Read Private Date (Stored Masterpassword) from LastPass Password Manager
Four vulnerabilities were identified in Dashlane, another popular password manager application. These vulnerabilities allowed attackers to read private data from the app folder, abuse information leaks, and run an attack to extract the master password.
- SIK-2016-028: Read Private Data From App Folder in Dashlane Password Manager
- SIK-2016-029: Google Search Information Leakage in Dashlane Password Manager Browser
- SIK-2016-030: Residue Attack Extracting Masterpassword From Dashlane Password Manager
- SIK-2016-031: Subdomain Password Leakage in Internal Dashlane Password Manager Browser
The popular 1Password application four Android had five vulnerabilities including privcacy issues and password leaking.
- SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
- SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
- SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
- SIK-2016-041: Read Private Data From App Folder in 1Password Manager
- SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager
You can check out the full list of apps analyzed and the vulnerabilities on the Fraunhofer Institute website.
Note: All disclosed vulnerabilities have been fixed by the companies who develop the applications. Some fixes are still in development. It is recommended that you update the applications as soon as possible if you run them on your mobile devices.
The conclusion of the research team is quite devastating:
While this shows that even the most basic functions of a password manager are often vulnerable, these apps also provide additional features, which can, again, affect security. We found that, for example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using “hidden phishing†attacks. For a better support of auto-filling password forms in web pages, some of the applications provide their own web browsers. These browsers are an additional source of vulnerabilities, such as privacy leakage.
Now You: Do you use a password manager application? (via The Hacker News)
so are you better with the old fashioned write it down?at home
A not so famous web-based password manager is Clipperz. Its code has been audited by security experts.
Easy fix buy Apple devices
security and Android just don’t mix simply because unless you have the latest high end device or Nexus (Pixel) you don’t get security updates, and every app has full internet access with no way to block them.
One thing to keep in mind when using password managers: every app on android can read the clipboard and listen to changes, without any special permissions. Keepass2Android therefore provides a special keyboard that enters the credentials to prevent such sniffing, although the notification for copy/paste is also enabled by default as far as I remember.
This is very true. It’s amazing how unsecure certain parts of Android are.
Note that XPrivacy can prevent any application from accessing the clipboard. It does generate an annoying toast each time.
Again ? – Can Not Believe It !
Lots Of People Can Find A Way Of Easily Create And Remember Individual Passwords Using Their Brain Only, But The Lazy Way Is A Lot Easier.
Giving All Your Life Keys To A Third Party Software Or Service – What Could Possibly Go Wrong ?
—
That is a clear indication these programs may have additional undiscovered or undisclosed security issues. Entrusting third party with your passwords adds another potentially weak link. I do not recommend using any of them.
“All disclosed vulnerabilities have been fixed by the companies who develop the applications.”
This is the only thing that matters.
This. You are always going to find vulnerabilities as long as they are fixed when they are reported.
Sure, until next time. And then ? Same BS over and over again. And as long as you are using a password manager, well, don’t complain if something goes wrong. Nobody is forcing you to use one.
Hi,
any bad news about keepass?
That is what I want to know. The best one was omitted from the test.
Maybe they did test both KeePassDroid and Keepass2Android and nothing came up, both seem to be open source and the former has 1 million downloads so it would be silly not to try and research them. I certainly hope KeePass is safe!
Desktop: I don’t use password managers I have it in a notepad in a removable drive.
Android: I don’t use password manager applications.