Popular Android Password Managers Found Exposing Credentials

Researchers warn that popular Android password managers in android are affected by serious vulnerabilities which can expose the user credentials.

A group of security experts from Fraunhofer Institute for Secure Information Technology named TeamSIK from Darmstadt, Germany, has analysed nine of the very famous Android password managers available on Google Play Store.

The research was focused on My Passwords from Erkan Molla, LastPass, Keeper, Informaticore’s Password Manager, Dashlane Password Manager, 1Password, F-Secure KEY, Avast Passwords, and Keepsafe, which have somewhere between 100,000 and 50 million installs.

While these apps are advertised as being very secure, all of these contained at least one low-level severity vulnerability. The TeamSIK found a total of 26 issues, most of these are patched by the vendors within one month after being reported. But, only Avast has failed to patch the security holes.

“The overall results are extremely worrying and have revealed that the password manager applications, despite their bold claims, fail to provide enough protection mechanisms for the stored passwords,” researchers said. “Instead, they misuse the users’ confidence and expose them to even greater risks.”

According to experts, some of these applications stored the master password in just plain text, or exposed encryption keys in its code. In some other cases, the users’ stored passwords can be easily accessed and exfiltrated by using a malicious application that is installed on the device.

Researchers also determined that some of the apps are vulnerable to data residue attacks and clipboard sniffing. Worryingly, many of the flaws they identified can be exploited without needing root permissions.

For example, one of the high severity flaws affected Informaticore’s Password Manager. While the app stored the master password in an encrypted form, the encryption key was found in the app’s code and it was the same for all installations. A similar flaw was also identified in LastPass.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients