A study by Indian experts revealed a fundamental problem in Android security.
At the Black Hat Europe was presented. Indian researchers at the International Institute of Information Technology in Hyderabad have found that most Android password managers are vulnerable to this attack, even without JavaScript implementation. And with the introduction of JavaScript, absolutely all password managers for the green operating system become vulnerable.
AutoSpill exploits a vulnerability in the process of autofilling credentials in Android applications, where the WebView component is often used to display web pages. Password managers use WebView to automatically enter user data on web login pages. The researchers found that it is possible to intercept autofill credentials during this process.
Tests conducted on Android 10, 11, and 12 showed that password managers such as 1Password, LastPass, Enpass, Keeper, and Keepass2Android were the most vulnerable to this attack. While Google Smart Lock and DashLane turned out to be less vulnerable, unless, of course, JavaScript injections are used.
Representatives of the above-mentioned products, as well as the Android security team, were notified of the vulnerability. The 1Password team reported that the AutoSpill fix is already being worked on. LastPass claims that experts have already implemented mechanisms that mitigate the attack, such as pop-up warnings when malicious exploitation is attempted. Keeper Security stressed the importance of high-quality moderation of applications in Google Play, since to successfully exploit the vulnerability, you must first install malware on your device.
A Google representative emphasized: "Android provides password managers with the necessary context to distinguish between their own views and WebViews, as well as to determine whether the downloaded WebView is not associated with the host application" and recommended that developers of such projects be careful about where exactly passwords are entered.
The discovery of this vulnerability highlights the importance of making informed use of autocomplete features and the need for software developers to take steps to improve data protection. Users, in turn, should be vigilant, even when installing applications through Google Play.
At the Black Hat Europe was presented. Indian researchers at the International Institute of Information Technology in Hyderabad have found that most Android password managers are vulnerable to this attack, even without JavaScript implementation. And with the introduction of JavaScript, absolutely all password managers for the green operating system become vulnerable.
AutoSpill exploits a vulnerability in the process of autofilling credentials in Android applications, where the WebView component is often used to display web pages. Password managers use WebView to automatically enter user data on web login pages. The researchers found that it is possible to intercept autofill credentials during this process.
Tests conducted on Android 10, 11, and 12 showed that password managers such as 1Password, LastPass, Enpass, Keeper, and Keepass2Android were the most vulnerable to this attack. While Google Smart Lock and DashLane turned out to be less vulnerable, unless, of course, JavaScript injections are used.
Representatives of the above-mentioned products, as well as the Android security team, were notified of the vulnerability. The 1Password team reported that the AutoSpill fix is already being worked on. LastPass claims that experts have already implemented mechanisms that mitigate the attack, such as pop-up warnings when malicious exploitation is attempted. Keeper Security stressed the importance of high-quality moderation of applications in Google Play, since to successfully exploit the vulnerability, you must first install malware on your device.
A Google representative emphasized: "Android provides password managers with the necessary context to distinguish between their own views and WebViews, as well as to determine whether the downloaded WebView is not associated with the host application" and recommended that developers of such projects be careful about where exactly passwords are entered.
The discovery of this vulnerability highlights the importance of making informed use of autocomplete features and the need for software developers to take steps to improve data protection. Users, in turn, should be vigilant, even when installing applications through Google Play.
