The security credentials of Password Managers on Android called into question after discovery of multiple flaws
Android’s perennial security headache continues after researchers uncovered multiple flaws in popular Password Managers on the platform.
Researchers from TeamSIK found flaws in all of the top nine password manager apps that can be downloaded from the Google Play Store.
Password managers are intended to relieve users of having to remember all the complex passwords needed in today’s online world.
Enter the Password Manager app, which traditionally allows users to access all their passwords once they enter a secret master password.
“However, can users be sure that their secrets are actually stored securely?” asked the researchers in their blog. “Despite the vendors’ claims, is it nevertheless possible to obtain access to the stored credentials?”
“We performed a security analysis on the most popular Android password manager applications from the Google Play Store based on download count,” they wrote. “The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users’ confidence and expose them to high risks.”
The researchers found at least one security issue in each of the nine most popular Android-based Password Manager apps. The apps tested were MyPasswords; Informaticore Password Manager; LastPass Password Manager; Keeper Passwort-Manager; F-Secure KEY Password Manager; Dashlane Password Manager; Hide Pictures Keep Safe Vault; Avast Passwords; and finally 1Password – Password Manager.
“We found several implementation flaws resulting in serious security vulnerabilities,” said the researchers. “Some applications stored the entered master password in plaintext or implemented hard-coded crypto keys in the program code. Consequently, attackers can easily circumvent the crypto algorithm altogether and thereby gain access to all of the user’s data.
“In other cases, we could simply access all ‘securely protected passwords/credentials’ with the help of an additional app,” they warned. “In yet another case, we could use a so-called data residue attack to access the master key of an application. In most of the cases, no root permissions were required for a successful attack that gave us access to sensitive information such as the aforementioned master password.”
But the good news for Android users is that all the vendors have now patched their apps.
Password manager apps are an increasingly popular download for many users nowadays. Last November LastPass announced that its tool was free to use on any device, allowing passwords to be synced across laptops, smartphones, and tablets.
The password problem is so endemic that Microsoft, for example, recently took the decision to ban simple passwords on all its accounts.