New research from TeamSIK, a group of security professionals from the Fraunhofer Institute for Secure Information Technology in Germany, has found that popular Android password managers suffer from serious vulnerabilities that can expose user credentials.
The research tested nine Android password managers: My Passwords, Informaticore Password Manager, LastPass, Keeper, F-Secure KEY, Dashlane, Hide Pictures Keep Safe Vault, Avast Passwords and 1Password. It found results that “were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials.”
Each app tested was found to contain at least one low-, medium- or high-severity vulnerability, with some containing multiple vulnerabilities. Some of the vulnerabilities discovered were, in security terms, insane, with a number of the apps storing the master password in plain text or with a hard-coded crypto key implemented in the code.
For example, with Informaticore’s Password Manager, the app stored the master password in an encrypted form but the encryption key itself was found to be in the app’s code, meaning that a hacker looking to obtain the password simply had to lift the key from the app’s code base.
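To make the Informaticore finding concrete, the following is an added illustration (not code from TeamSIK, Informaticore or any of the tested apps) of the two storage designs side by side. The key value, the vault contents and the HMAC-based counter-mode cipher are all constructed for the example; a real Android app would use the platform's AES-GCM, and the point is where the key comes from, not the cipher. In the vulnerable design the master password is encrypted under a key that ships inside the app, so anyone who has the app's bytes can decrypt it; in the hardened design the master password is never stored at all, and the vault key is derived from it with a salted PBKDF2 so the stored blob alone yields nothing.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-in for a key baked into the app binary (hypothetical value).
# Anyone who unpacks the APK can read it, so it protects nothing.
HARDCODED_KEY = b"example-key-shipped-inside-apk!!"

PBKDF2_ITERATIONS = 200_000  # illustrative work factor


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, XORed over data.

    Illustrative only: a real app would use the platform's AES-GCM. The
    example is about key management, not the cipher.
    """
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[i * 32:(i + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ciphertext = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return keystream_xor(key, nonce, ciphertext)


# --- Vulnerable pattern: master password stored encrypted under a key in the code ---

def store_master_vulnerable(master_password: str) -> bytes:
    return seal(HARDCODED_KEY, master_password.encode())


def recover_master_from_apk_key(blob: bytes) -> str:
    # What the report describes: the key is in the code, so the blob decrypts trivially.
    return unseal(HARDCODED_KEY, blob).decode()


# --- Hardened pattern: never store the master password; derive the vault key from it ---

def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=32
    )


def create_vault(master_password: str, secrets: dict) -> dict:
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    # Only the salt and authenticated ciphertext are persisted; neither the key
    # nor the master password is written anywhere.
    return {"salt": salt, "blob": seal(key, json.dumps(secrets).encode())}


def unlock_vault(master_password: str, vault: dict):
    key = derive_vault_key(master_password, vault["salt"])
    try:
        return json.loads(unseal(key, vault["blob"]).decode())
    except ValueError:
        return None  # wrong master password: the MAC check fails and nothing is revealed


if __name__ == "__main__":
    blob = store_master_vulnerable("hunter2")  # constructed sample password
    print("vulnerable design, recovered from stored blob:", recover_master_from_apk_key(blob))
    vault = create_vault("correct horse battery", {"example.com": "s3cret"})
    print("hardened design, right password:", unlock_vault("correct horse battery", vault))
    print("hardened design, wrong password:", unlock_vault("wrong", vault))
```

The check a reviewer would apply to an app is the one the second half of the block passes and the first half fails: with the app's code and its stored data, but without the user's master password, can the secrets be recovered? A salted, iterated key derivation from the master password also means a copied vault file can only be attacked by guessing that password, which is why the work factor matters.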
“In other cases, we could simply access all ‘securely protected passwords/credentials’ with the help of an additional app,” TeamSIK said. “Once installed on the device, this malicious app extracts all passwords/credentials in plaintext and sends them to the attacker.”
A number of other apps were found not to protect against clipboard sniffing, an attack in which credentials that were copied to the clipboard so the user could paste them into the password app itself are left there afterwards rather than cleared.
Add-on features used by a number of the apps were also found to present further risks. “For example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using ‘hidden phishing’ attacks,” the team notes.
The good news is that most of the companies have patched the vulnerabilities after being informed of them. However, the report notes that at the time of writing Avast has yet to patch its app.
“Applications vendors advertise their password manager applications as ‘bank-level’ or ‘military-grade’ secure,” the research concludes, but “instead, they abuse the users’ confidence and expose them to high risks.”