Many Android password managers unsafe

Many password apps are not as secure as they seem. Fraunhofer SIT

The Fraunhofer Institute for Secure Information Technology (SIT) has identified serious security gaps in Android's password apps. In many of the most popular password managers, cybercriminals could easily gain access to protected information, for example, if the attacker is on the same network. The manufacturers were informed and have corrected the vulnerabilities.

However, users should ensure that they are using the updated app version. The Fraunhofer SIT experts will present the details of their analyses in April at the “Hack In The Box” conference in Amsterdam. The Institute's CodeInspect tool used for the tests will be shown at CeBIT in Hanover from 20-24 March in Hall 6, Stand B 36.

An individual password is required for each application and user account. Users can easily lose track of or forget their passwords. Here, password managers provide a remedy: The user only has to remember a single master password, all other accesses and passwords are stored securely in the application. But what if the security mechanisms have flaws? A research team at Fraunhofer SIT has analyzed a number of popular Android password manager apps. Result: Many of these password apps were unsafe.

In some of the analyzed apps, including LastPass, Dashlane, Keeper and 1Password, the security experts found several implementation errors that led to serious security gaps. “For example, some applications store the entered master password in plain text on the smartphone,” explains Dr. Siegfried Rasthofer, an Android expert at Fraunhofer SIT. As a result, encryption can easily be circumvented, and all data is available to the attacker without the user noticing it.

In addition, many applications ignore the problem of the clipboard, which makes “sniffing” possible. It means that the clipboard is not cleaned after the credentials are copied to it and that virtually any other app could access the clipboard. On top of this, who can be sure that there is no other certain app that would exploit this in order to obtain the access information to the password manager? In other cases, it would have sufficed for the attacker to be on the same network; but the loss of equipment could also have a significant risk to users.

“The security analysis of apps is part of our daily business. With CodeInspect and Appicaptor, we have developed our own tools that allow us to review apps very efficiently and in detail for their security, even when the apps’ source codes are not available. This applies to both Android and iOS,” explains Dr. Rasthofer. With its tools, Fraunhofer SIT has already revealed many weaknesses in apps. These include the ones that have resulted from careless programming, for example, but also those that were most likely built into apps intentionally.

“We have informed the manufacturers of the affected password managers about the security gaps. Everyone has responded and the vulnerabilities have been closed, “explains Rasthofer. On devices downloading apps from the App Store these issues have now been fixed. Users that have not enabled automatic updates should update the applications immediately. Which apps have been affected and further details about the vulnerabilities can be found at http://sit4.me/pw-manager

https://team-sik.org/trent_portfolio/password-manager-apps/

Media Contact

Oliver Küch Fraunhofer-Institut für Sichere Informationstechnologie SIT

All latest news from the category: Information Technology

Here you can find a summary of innovations in the fields of information and data processing and up-to-date developments on IT equipment and hardware.

This area covers topics such as IT services, IT architectures, IT management and telecommunications.

Back to home

Comments (0)

Write a comment

Newest articles

Innovative vortex beam technology

…unleashes ultra-secure, high-capacity data transmission. Scientists have developed a breakthrough optical technology that could dramatically enhance the capacity and security of data transmission (Fig. 1). By utilizing a new type…

Tiny dancers: Scientists synchronise bacterial motion

Researchers at TU Delft have discovered that E. coli bacteria can synchronise their movements, creating order in seemingly random biological systems. By trapping individual bacteria in micro-engineered circular cavities and…

Primary investigation on ram-rotor detonation engine

Detonation is a supersonic combustion wave, characterized by a shock wave driven by the energy release from closely coupled chemical reactions. It is a typical form of pressure gain combustion,…