Password managers promise not only to make life easy, but also to keep your login information safe from prying eyes. Yet one team of researchers has discovered that someone with bad intentions can abuse mobile password managers to gain unauthorized access to users' accounts.
Simone Aonzo, Alessio Merlo, and Giulio Tavella from the University of Genoa and Yanick Fratantonio from EURECOM found that certain Android password managers can be tricked into entering valid login credentials into phishing apps. The trick even works through Google's try-before-you-buy Instant Apps, which let users run an app without installing it on the device, so the victim need not install anything for the attack to work.
The team put a number of popular password managers to the test, including 1Password, Dashlane, Keeper, LastPass, and Google Smart Lock. All but the last were found vulnerable to their proof-of-concept, which they describe as follows:
“To exploit the first mapping strategy, the attacker can create an app with a package name beginning with the reverse of the target domain name. For example, we created an app with package name com.facebook.evil and we were able to upload it to the Play Store without problems: when the user opens this app, LastPass automatically suggests credentials related to facebook.com.”
Unlike web password managers, which check the website's domain name before deciding whether to auto-fill credentials, the Android password managers tested decide which credentials to offer based on the app's package name alone. A package name is chosen by whoever publishes the app and is never verified against the domain it resembles, so an attacker can simply pick one that mimics the target site.
A proper fix would require effort from website owners and application developers alike, the researchers said: site owners would have to expose new APIs that developers can interrogate during the authorization step, and password managers would have to use them. A quicker stopgap would be to mimic Google Smart Lock's approach:
“Google Smart Lock has addressed these problems by not relying on a fully automatic technique (developers need to manually fill a Google form) and by supporting app-to-web sync only when a secure mapping exists. We argue that the rest of password managers should follow a similar approach and warn the user about potential problems when a secure app-to-web association cannot be established,” the researchers said.
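As an added illustration, not code from the researchers or from any of the password managers named above, the following Python sketch contrasts the package-name heuristic described in the researchers' quote with a verified app-to-web mapping of the kind the closing recommendation calls for. It assumes the verified mapping takes the form of a Digital Asset Links style statement (an assetlinks.json file served by the site that names the app's package and the SHA-256 fingerprint of its signing certificate), which the article does not name; the certificate bytes and the statement list are constructed for the example, facebook.com is used only because the researchers' example does, and com.facebook.katana is used as the genuine app's package name.

```python
import hashlib

# Digital Asset Links relation by which a site delegates credential sharing to
# an app. The relation name is real; everything marked "constructed" below is
# sample data made up for this example.
GET_LOGIN_CREDS = "delegate_permission/common.get_login_creds"


def heuristic_matches(package_name: str, domain: str) -> bool:
    """The weak mapping the researchers exploited: an app is treated as the
    domain's app when its package name begins with the domain's labels in
    reverse order (facebook.com -> com.facebook). The publisher picks the
    package name and nobody checks it against the domain, so
    com.facebook.evil passes just like com.facebook.katana."""
    reversed_prefix = ".".join(reversed(domain.lower().split(".")))
    pkg = package_name.lower()
    return pkg == reversed_prefix or pkg.startswith(reversed_prefix + ".")


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the app signing certificate in the colon-separated
    upper-case form used in assetlinks.json."""
    hexdigest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def verified_matches(package_name: str, cert_der: bytes, statements: list) -> bool:
    """The secure mapping: the domain's own statement list must name this
    package AND the fingerprint of the certificate that signed the installed
    app. An attacker can copy a package name, but not the signing key, and
    cannot add entries to someone else's assetlinks.json."""
    fingerprint = cert_fingerprint(cert_der)
    for statement in statements:
        target = statement.get("target", {})
        if (GET_LOGIN_CREDS in statement.get("relation", [])
                and target.get("namespace") == "android_app"
                and target.get("package_name") == package_name
                and fingerprint in target.get("sha256_cert_fingerprints", [])):
            return True
    return False


def decide_autofill(package_name: str, cert_der: bytes, domain: str,
                    statements: list) -> tuple:
    """Only a verified mapping yields ('fill', domain). A name-only match is
    downgraded to a warning instead of a silent suggestion, which is what the
    researchers recommend when no secure association can be established."""
    if verified_matches(package_name, cert_der, statements):
        return ("fill", domain)
    if heuristic_matches(package_name, domain):
        return ("warn", f"{package_name} resembles {domain} by package name only")
    return ("warn", f"no association between {package_name} and {domain}")


# Constructed stand-ins for DER-encoded signing certificates.
LEGIT_CERT = b"constructed: certificate of the genuine facebook.com app"
EVIL_CERT = b"constructed: certificate of the attacker's signing key"

# Constructed statement list in the shape a site serves at
# /.well-known/assetlinks.json; the fingerprint is derived from LEGIT_CERT.
FACEBOOK_STATEMENTS = [{
    "relation": [GET_LOGIN_CREDS],
    "target": {
        "namespace": "android_app",
        "package_name": "com.facebook.katana",
        "sha256_cert_fingerprints": [cert_fingerprint(LEGIT_CERT)],
    },
}]


if __name__ == "__main__":
    cases = [
        ("com.facebook.katana", LEGIT_CERT),   # genuine app
        ("com.facebook.evil", EVIL_CERT),      # the researchers' phishing app
        ("com.facebook.katana", EVIL_CERT),    # repackaged clone, wrong key
    ]
    for pkg, cert in cases:
        print(f"{pkg:22} heuristic={heuristic_matches(pkg, 'facebook.com')!s:5} "
              f"decision={decide_autofill(pkg, cert, 'facebook.com', FACEBOOK_STATEMENTS)}")
```

Run as a script, the three cases show the difference: the heuristic accepts all three package names, while the verified check fills only for the genuine package signed by the genuine key and warns for both the look-alike package and a repackaged clone signed with the wrong key. In a real password manager the statement list would be fetched over HTTPS from the site, and the certificate would come from the installed package's signature, not from constructed bytes.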