Security researchers of the Fraunhofer Institute found severe security issues in nine password managers for Android that they analyzed as part of their research.
Password managers are a popular option when it comes to storing authentication information. All promise secure storage, either locally or remotely, and some add other features to the mix such as password generation, automatic sign-ins, or the saving of important data such as credit card numbers or PINs.
A recent study by the Fraunhofer Institute looked at nine password managers for Google's Android operating system from a security point of view. The researchers analyzed the following password managers: LastPass, 1Password, My Passwords, Dashlane Password Manager, Informaticore's Password Manager, F-Secure KEY, Keepsafe, Keeper, and Avast Passwords.
Some of the apps have more than 50 million installations, and all at least 100,000 installations.
The team's conclusion should worry anyone who uses a password manager on Android. While it is unclear whether other password manager applications for Android have vulnerabilities as well, there is at least a chance that this is indeed the case.
The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users' confidence and expose them to high risks.
At least one security vulnerability was identified in each of the apps the researchers analyzed. This went as far as some applications storing the master key in plain text, and others using hard-coded cryptographic keys in code. In another case, installation of a simple helper application extracted the passwords stored by the password application.
Three vulnerabilities were identified in LastPass alone: first a hard-coded master key, then data leaks in browser search, and finally a vulnerability affecting LastPass on Android 4.0.x and lower, which allows attackers to steal the stored master password.
Four vulnerabilities were identified in Dashlane, another popular password manager application. These vulnerabilities allowed attackers to read private data from the app folder, abuse information leaks, and run an attack to extract the master password.
The popular 1Password application for Android had five vulnerabilities, including privacy issues and password leaking.
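To make the two storage mistakes named above concrete (a cryptographic key hard-coded in the app, and a master key that is persisted at all), here is an added illustration in Java; it is not code from any of the analyzed apps or from the Fraunhofer report. The class name, the constant and the storage layout (salt || iv || ciphertext) are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class VaultKeyDemo {
    // WEAK (hypothetical): a key baked into the APK. Whoever decompiles the app,
    // or reads the app folder on a rooted device, can decrypt every user's vault,
    // and the same key protects every installation.
    static final byte[] HARDCODED_KEY =
        "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);

    static byte[] encryptWeak(byte[] vault) throws Exception {
        return aesGcm(new SecretKeySpec(HARDCODED_KEY, "AES"), vault);
    }

    // HARDENED: derive the vault key from the master password and a random
    // per-install salt. Only the salt and the ciphertext reach storage; neither
    // the master password nor the derived key is ever written to disk.
    static SecretKey deriveKey(char[] masterPassword, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(masterPassword, salt, 310_000, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                     .generateSecret(spec).getEncoded();
        spec.clearPassword();
        Arrays.fill(masterPassword, '\0'); // wipe the password once it has been used
        return new SecretKeySpec(raw, "AES");
    }

    static byte[] encryptHardened(char[] masterPassword, byte[] vault) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] body = aesGcm(deriveKey(masterPassword, salt), vault);
        byte[] out = new byte[salt.length + body.length]; // stored as salt || iv || ct+tag
        System.arraycopy(salt, 0, out, 0, salt.length);
        System.arraycopy(body, 0, out, salt.length, body.length);
        return out;
    }

    // AES-GCM with a fresh random 12-byte IV prepended to the ciphertext and tag.
    static byte[] aesGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
}
```

On a real device the derived key would additionally be wrapped by a hardware-backed Android Keystore key where available; the point of the contrast is that the hardened path has no secret that a helper app or a decompiler could lift from the APK or the app folder.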
You can check out the full list of apps analyzed and the vulnerabilities on the Fraunhofer Institute website.
Note: All disclosed vulnerabilities have been fixed by the companies who develop the applications. Some fixes are still in development. It is recommended that you update the applications as soon as possible if you run them on your mobile devices.
The conclusion of the research team is quite devastating:
While this shows that even the most basic functions of a password manager are often vulnerable, these apps also provide additional features, which can, again, affect security. We found that, for example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using “hidden phishing” attacks. For a better support of auto-filling password forms in web pages, some of the applications provide their own web browsers. These browsers are an additional source of vulnerabilities, such as privacy leakage.
Now You: Do you use a password manager application? (via The Hacker News)
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.