Popular Android password managers fail security test
New research from TeamSIK, a group of security professionals from the Fraunhofer Institute for Secure Information Technology in Germany, has found that popular Android password managers suffer from serious vulnerabilities that can expose user credentials.
The research tested nine Android password managers: My Passwords, Informaticore Password Manager, LastPass, Keeper, F-Secure KEY, Dashlane, Hide Pictures Keep Safe Vault, Avast Passwords and 1Password. It found results that “were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials.”
Each app tested was found to contain at least one low-, medium- or high-severity vulnerability, with some containing multiple vulnerabilities. Some of the vulnerabilities discovered were, in security terms, insane, with a number of the apps storing the master password in plain text or encrypting it with a hard-coded cryptographic key embedded in the app’s code.
For example, with Informaticore’s Password Manager, the app stored the master password in an encrypted form but the encryption key itself was found to be in the app’s code, meaning that a hacker looking to obtain the password simply had to lift the key from the app’s code base.
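To show why a key baked into the app is no better than plain text, and what a master-password design that never stores the password looks like, here is an added example (not code from TeamSIK or any of the tested apps). The weak side uses a constructed toy stream cipher with a placeholder constant key; the hardened side stores only a random salt and a PBKDF2 verifier and derives the vault key at unlock time.

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak pattern: the master password is "encrypted", but the key is a
# constant shipped inside the app, so whoever unpacks the APK has it.
HARDCODED_KEY = b"example-key-baked-into-apk"  # constructed placeholder

def _keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 of key||counter), for demonstration only."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def weak_store_master(master: str) -> bytes:
    """What the weak app writes to disk: XOR with a keystream from the constant key."""
    data = master.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(HARDCODED_KEY, len(data))))

def weak_recover_master(blob: bytes) -> str:
    """Since HARDCODED_KEY is in the app code, the stored blob is plaintext-equivalent."""
    return bytes(a ^ b for a, b in zip(blob, _keystream(HARDCODED_KEY, len(blob)))).decode()

# Hardened pattern: never store the master password or a static key.
PBKDF2_ITERATIONS = 200_000

def hardened_enroll(master: str) -> dict:
    """Store a random salt plus a PBKDF2 verifier; the password itself is never written."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    # First 32 bytes verify the login; the second 32 bytes are the vault key
    # and are only ever recomputed in memory, never persisted.
    return {"salt": salt, "verifier": dk[:32]}

def hardened_unlock(record: dict, master: str) -> Optional[bytes]:
    """Return the vault key if the master password is correct, otherwise None."""
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), record["salt"], PBKDF2_ITERATIONS, dklen=64)
    if not hmac.compare_digest(dk[:32], record["verifier"]):
        return None
    return dk[32:]
```

With the hardened record on disk there is nothing a second app can decrypt: the only route to the vault key is the PBKDF2 computation from the correct master password.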
“In other cases, we could simply access all ‘securely protected passwords/credentials’ with the help of an additional app,” TeamSIK said. “Once installed on the device, this malicious app extracts all passwords/credentials in plaintext and sends them to the attacker.”
A number of other apps were found not to protect against clipboard sniffing, a process where credentials copied to the clipboard so a user can paste them into the password app itself are subsequently not cleared and remain readable by other apps.
Add-on features used by a number of the apps were also found to present further risks. “For example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using ‘hidden phishing’ attacks,” the team notes.
The good news is that most of the companies have patched the vulnerabilities after being informed of them. However, the report notes that at the time of writing Avast has yet to patch its app.
“Applications vendors advertise their password manager applications as ‘bank-level’ or ‘military-grade’ secure,” the research concludes, but “instead, they abuse the users’ confidence and expose them to high risks.”
Image: 132889348@N07/Flickr