UPDATED 00:54 EDT / MARCH 01 2017


Popular Android password managers fail security test

New research from TeamSIK, a group of security professionals from the Fraunhofer Institute for Secure Information Technology in Germany, has found that popular Android password managers suffer from serious vulnerabilities that can expose user credentials.

The research tested nine Android password managers: My Passwords, Informaticore Password Manager, LastPass, Keeper, F-Secure KEY, Dashlane, Hide Pictures Keep Safe Vault, Avast Passwords and 1Password. It found results that “were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials.”

Each app tested was found to contain at least one low-, medium- or high-severity vulnerability, with some containing multiple vulnerabilities. Some of the vulnerabilities discovered were, in security terms, insane, with a number of the apps storing the master password in plain text or encrypting it with a crypto key hard-coded into the app itself.

For example, with Informaticore’s Password Manager, the app stored the master password in an encrypted form but the encryption key itself was found to be in the app’s code, meaning that a hacker looking to obtain the password simply had to lift the key from the app’s code base.
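To make the defect concrete, here is an added example (constructed for this article, not code from TeamSIK or from any of the apps tested): a weak pattern that “encrypts” the master password with a key embedded in the code, beside a hardened design that never stores the master password at all but keeps a salted, slow verifier derived with PBKDF2. The key, password and iteration count are constructed values.

```python
import hashlib
import hmac
import os
from itertools import cycle

# Constructed stand-in for a key baked into the app's code. Anyone who can
# read the APK has it, so "encrypted" storage gives no confidentiality.
HARD_CODED_KEY = b"constructed-demo-key-not-from-any-app"
PBKDF2_ITERATIONS = 200_000


def weak_store(master_password: str) -> bytes:
    """Blob as an app with the hard-coded-key defect would persist it.

    A repeating-key XOR stands in for the cipher; the defect being shown is
    where the key lives, not which algorithm wraps the password.
    """
    return bytes(p ^ k for p, k in zip(master_password.encode(), cycle(HARD_CODED_KEY)))


def weak_recover(blob: bytes) -> str:
    """Auditor's check: the blob reverses using only material shipped in the app."""
    return bytes(b ^ k for b, k in zip(blob, cycle(HARD_CODED_KEY))).decode()


def hardened_enroll(master_password: str) -> dict:
    """Never store the master password. Keep a salted, slow verifier instead.

    PBKDF2-HMAC-SHA256 with a per-user random salt means the stored record
    contains no key to lift and no password to read back.
    """
    salt = os.urandom(16)
    tag = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "tag": tag, "iterations": PBKDF2_ITERATIONS}


def hardened_verify(record: dict, candidate: str) -> bool:
    """Recompute the verifier and compare in constant time."""
    tag = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(tag, record["tag"])


if __name__ == "__main__":
    pw = "constructed-master-pw"
    assert weak_recover(weak_store(pw)) == pw          # trivially reversible
    rec = hardened_enroll(pw)
    assert hardened_verify(rec, pw) and not hardened_verify(rec, pw + "x")
    assert hardened_enroll(pw)["tag"] != rec["tag"]    # fresh salt each enrollment
    print("weak blob recovers plaintext; hardened record stores only a salted verifier")
```

The hardened record can be checked but not reversed, and a second enrollment of the same password yields a different record because the salt is fresh.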

“In other cases, we could simply access all ‘securely protected passwords/credentials’ with the help of an additional app,” TeamSIK said. “Once installed on the device, this malicious app extracts all passwords/credentials in plaintext and sends them to the attacker.”

A number of other apps were found not to protect against clipboard sniffing: credentials copied to the clipboard so that the user can paste them are not cleared afterwards, leaving them readable by other apps on the device.

Add-on features used by a number of the apps were also found to present further risks. “For example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using ‘hidden phishing’ attacks,” the team notes.

The good news is that most of the companies have patched the vulnerabilities after being informed of them. However, the report notes that at the time of writing Avast had yet to patch its app.

“Applications vendors advertise their password manager applications as ‘bank-level’ or ‘military-grade’ secure,” the research concludes, but “instead, they abuse the users’ confidence and expose them to high risks.”

Image: 132889348@N07/Flickr
