Password Managers Can Be Tricked Into Believing That Malicious Android Apps Are Legitimate (zdnet.com)
A new academic study published today reveals that Android-based password managers have a hard time distinguishing between legitimate and fake applications, leading to easy phishing scenarios. From a report: The study looked at how password managers work on modern versions of the Android OS, and which of the OS features attackers can abuse to collect user credentials via phishing attacks carried out via fake, lookalike apps. What the research team found was that password managers, initially developed for desktop browsers, aren't as secure as their desktop versions. The problem comes from the fact that mobile password managers have a hard time associating a user's stored website credentials with a mobile application and then creating a link between that website and an official app.
[...] Researchers say they tested the way five Android password managers create internal maps (connections) between a locally installed app and legitimate internet sites and found that four of the five were vulnerable to abuse. Android versions of password managers from Keeper, Dashlane, LastPass, and 1Password were found to be vulnerable and prompted the user to auto-fill credentials on fake apps during tests. Researchers found that Google's Smart Lock app did not fall for this fake package name trick, and the reason was that it used a system named Digital Asset Links to authenticate and connect apps to a particular online service.
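To make the difference concrete, here is an added example (not code from the study or from any of the password managers named) contrasting the two app-to-site mapping strategies the summary describes: a package-name heuristic beside a Digital Asset Links check. The assetlinks.json contents, package names, domain and certificate fingerprints are all constructed for the example; the relation string `delegate_permission/common.get_login_creds` is the one Digital Asset Links uses for credential sharing.

```python
import json

# Constructed sample of a site's /.well-known/assetlinks.json; not any real
# site's file. A manager using Digital Asset Links fetches this over HTTPS
# from the domain the stored credentials belong to.
GOOD_FP = "01:23:45:67:89:AB:CD:EF:" * 3 + "01:23:45:67:89:AB:CD:EF"  # constructed
FAKE_FP = "FE:DC:BA:98:76:54:32:10:" * 3 + "FE:DC:BA:98:76:54:32:10"  # constructed
GET_LOGIN_CREDS = "delegate_permission/common.get_login_creds"
ASSETLINKS_JSON = json.dumps([{
    "relation": [GET_LOGIN_CREDS],
    "target": {
        "namespace": "android_app",
        "package_name": "com.examplebank.mobile",
        "sha256_cert_fingerprints": [GOOD_FP],
    },
}])


def naive_match(package_name: str, domain: str) -> bool:
    """Package-name heuristic: the app 'belongs' to the site if the site's
    first label appears in the package name. Any lookalike package that
    embeds the brand name passes, which is the weakness the study reports."""
    label = domain.lower().split(".")[0]
    return label in package_name.lower()


def assetlinks_match(assetlinks_json: str, package_name: str, cert_fingerprint: str) -> bool:
    """Digital Asset Links check: fill only if the site's statement list
    explicitly delegates get_login_creds to this exact package AND this
    exact signing-certificate fingerprint. A bad or missing file means no fill."""
    try:
        statements = json.loads(assetlinks_json)
    except ValueError:
        return False
    if not isinstance(statements, list):
        return False
    wanted = cert_fingerprint.replace(" ", "").upper()
    for stmt in statements:
        if not isinstance(stmt, dict) or GET_LOGIN_CREDS not in stmt.get("relation", []):
            continue
        target = stmt.get("target", {})
        if target.get("namespace") != "android_app" or target.get("package_name") != package_name:
            continue
        fps = {fp.replace(" ", "").upper() for fp in target.get("sha256_cert_fingerprints", [])}
        if wanted in fps:
            return True
    return False


def autofill_decisions(domain: str, package_name: str, cert_fingerprint: str) -> dict:
    """Side-by-side verdict of both mapping strategies for one installed app."""
    return {
        "naive": naive_match(package_name, domain),
        "assetlinks": assetlinks_match(ASSETLINKS_JSON, package_name, cert_fingerprint),
    }
```

Run `autofill_decisions("examplebank.example", "com.examplebank.login", FAKE_FP)` to see the heuristic say yes while the asset-links check says no; a repackaged copy of the genuine package name with a different signing key is refused on the fingerprint alone.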
Re: (Score:1, Offtopic)
This is why I use APK's host files thing!
durrrrrrr (Score:2, Funny)
This is why I just use the same password for everything. It's much easier to remember, and more secure since I don't have to write it down or store it anywhere.
Re: durrrrrrr (Score:4, Insightful)
Your accounts' security for all those applications is equal to the weakest security of any of those apps. If any of them are compromised, have reversible encryption or, worse, store their user passwords in plain text, you will get owned. Do not do this.
Re:durrrrrrr (Score:4, Interesting)
This is why I just use the same password for everything. It's much easier to remember, and more secure since I don't have to write it down or store it anywhere.
Better idea than that... make up a formula something like: the third letter from the name of the website (so, for example, for Slashdot that would be "a"). Then take that letter's position in the alphabet (1). Then take the 5th letter and do the same. And then finish with some random string you use in common across all websites such as "passwud123##" to pad the length. The formula would give you:
a1h8passwud123##
Easy to remember, and if someone got hold of one password they wouldn't be able to apply it directly to any other website. I use a formula for all of my password websites (but it's actually very different to the one above; I don't think anyone could ever reverse engineer my password to figure out my formula. The example above they could if they tried; best to use a formula that would only have meaning to you so it can't be reverse engineered but is quick for you to figure out.)
Re: (Score:2)
I use a formula for all of my password websites (but it's actually very different to the one above, I don't think anyone could ever reverse engineer my password to figure out my formula
If I saw your password for two sites I'd know generally what you're doing, and what the invariant portion is. What's left is a 4-6 character alphanumeric password; maximum entropy 31 bits. You really don't gain a great deal with the invariant string, other than fooling password strength meters, and maybe yourself.
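An added example (not code from either commenter) that implements the formula from the comment above exactly as described and checks the reply's entropy estimate: the suffix is shared across sites, and the site-specific part is at most a short alphanumeric string. The site names and the `common_suffix` helper are assumptions introduced for the illustration.

```python
import math
import string

SUFFIX = "passwud123##"  # the fixed padding string from the comment


def letter_index(ch: str) -> int:
    """Position of a letter in the alphabet: a=1 ... z=26."""
    return string.ascii_lowercase.index(ch.lower()) + 1


def formula_password(site_name: str, suffix: str = SUFFIX) -> str:
    """Derive a password as the comment describes: the site's 3rd letter, its
    alphabet position, the 5th letter, its position, then the fixed suffix."""
    letters = [c for c in site_name if c.isalpha()]
    if len(letters) < 5:
        raise ValueError("site name needs at least five letters")
    third, fifth = letters[2].lower(), letters[4].lower()
    return f"{third}{letter_index(third)}{fifth}{letter_index(fifth)}{suffix}"


def common_suffix(a: str, b: str) -> str:
    """Longest shared trailing string of two passwords: the invariant part
    the reply says becomes obvious once two of them are seen side by side."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:] if n else ""


def alnum_entropy_bits(length: int) -> float:
    """Upper bound for a random string of `length` chars over a-z plus 0-9,
    the figure the reply quotes for a 6-character site-specific part."""
    return length * math.log2(36)


def formula_entropy_bits() -> float:
    """Actual space of the comment's formula once its structure is known:
    each number is fixed by its letter, so only the two letters vary."""
    return math.log2(26 * 26)
```

Round the two entropy figures and you get the reply's 31 bits for the generic bound, but under 10 bits for the formula itself once its shape is recognised.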
Re: (Score:2)
I use a formula for all of my password websites (but it's actually very different to the one above, I don't think anyone could ever reverse engineer my password to figure out my formula
If I saw your password for two sites I'd know generally what you're doing, and what the invariant portion is. What's left is a 4-6 character alphanumeric password; maximum entropy 31 bits. You really don't gain a great deal with the invariant string, other than fooling password strength meters, and maybe yourself.
Not that I am going to give away my passwords, but I guarantee you wouldn't be able to figure out my formula from knowing any two passwords. :)
Re: (Score:2)
This is why I just use the same password for everything. It's much easier to remember, and more secure since I don't have to write it down or store it anywhere.
Better idea than that... make up a formula something like: the third letter from the name of the website (so, for example, for Slashdot that would be "a"). Then take that letter's position in the alphabet (1). Then take the 5th letter and do the same. And then finish with some random string you use in common across all websites such as "passwud123##" to pad the length. The formula would give you:
a1h8passwud123##
Easy to remember, and if someone got hold of one password they wouldn't be able to apply it directly to any other website. I use a formula for all of my password websites (but it's actually very different to the one above; I don't think anyone could ever reverse engineer my password to figure out my formula. The example above they could if they tried; best to use a formula that would only have meaning to you so it can't be reverse engineered but is quick for you to figure out.)
I think your formula is far too complex. Did I swap the o for a u or a zero, where was the 8, how many hashes was it, did I use the fourth or fifth letter because this website's got a space in the name... so on and so forth. Furthermore, it's based on a dictionary word with common substitutions, making it easier to guess. A better password is:
Frank1
That's all you should have to remember to make a complex password. A simple four- or five-letter word, followed by a number. In the case of requiring a special c
Re: (Score:2)
"Frank1!" would be very easy for a computer to guess. I'm not an expert, but I suspect "Frank1!frank1!frank1!frank" is only slightly better. If you're not going to use a long random password, a series of several unrelated words is best. "jalopy mango disappointed eraser" for example. I would recommend just getting a password manager and being careful about what apps you install.
No mention of KeePass (Score:3)
It's curious that there's no mention at all of KeePass and its Android integration apps like the one I use, KeePass2Android. It uses an alternative keyboard to manually inject usernames and passwords, so is it vulnerable to the same trickery?
Re: (Score:2, Interesting)
It doesn't appear to me that this would be a problem for KeePass. The version of Keepass I'm using doesn't autofill fields, which while mildly annoying, means that it's a lot less likely to have applications doing things like this as you'd have to manually paste the information into the wrong app.
Re: (Score:2)
With Keepassdroid, at least, there is a configurable timeout for clearing the clipboard. So you would have to swipe my phone within 5 minutes of me doing the copy-paste, and if I was at all concerned about that I would set it to 30 seconds.
You are trading a user-configurable window of potential insecurity for the ability to have arbitrarily complex, unique passwords which you can use on your phone. Seems worth it to me.
Re: (Score:2)
With KeePass Droid, the clear clipboard timeout DOES NOT WORK on most phones.
On Android, all apps have access to the clipboard (or "Clip Tray").
Re: (Score:2)
I don't know about most, but I just tested it on my Xperia X and it worked as expected.
Certainly a malicious app could access the clipboard, but if I go installing malicious apps then all bets are off IMHO.
Re: (Score:2)
Nope, a copy/paste buffer is not used in the process, at least not with KeePass2Android. You haven't actually used it, have you? The only way you compromise anything is if you can swipe my phone right out of my hands with the database unlocked.
Re: No mention of KeePass (Score:2)
The copy paste buffer IS used, but is only one option. The other option, as mentioned earlier, is using the keepass "keyboard" which does not use the buffer.
Re: (Score:2)
I, too, would like to see analysis for KeePass2Android (both with and without registration as an Android keyboard) and for Password Store.
Re: (Score:2)
Or it is the only one on this list that doesn't store the passwords using reversible encryption with a key on a third-party site, virtually guaranteeing it will be cracked eventually.
Re: (Score:2)
Are you saying the others store the key on their site? If so, do you have a reference? If not, yes it can certainly be cracked, but "eventually" is a long time. If an attacker cracks my password vault 150 years after I'm dead, I really don't care. The question is, if someone gets hold of a bunch of password databases, how long would it likely take them to crack mine, given that they would have to crack each file separately?
Re: (Score:2)
The online-based password fillers have to keep the key on the server side; you can access the unencrypted passwords via the website once you log in. Hopefully they would keep separate keys for each user. But it is only a matter of time before one of them gets hacked or man-in-the-middled.
With KeePass, even if you store your vault in the cloud, the master key or password is not there.
However you are right about the usefulness of any encryption. It is only to make it prohibitively expensive or time consuming
Re: (Score:2)
The online-based password fillers have to keep the key on the server side
I don't think that's true. "...exclusively encrypting and decrypting on your local PC. No one at LastPass can ever access your sensitive data... Our policy of never receiving private data that you haven't already locked down with your LastPass master password (which we never receive and will never ask for) radically reduces attack vectors."
https://lastpass.com/whylastpass_technology.php
Re: (Score:2)
That is pretty interesting. We use LastPass at work, but I have never dug deep into how it works. I don't trust it enough for my personal use.
But it seems that since they are using reversible encryption, that anyone getting access to their database can decrypt your passwords.
Re: (Score:2)
But it seems that since they are using reversible encryption, that anyone getting access to their database can decrypt your passwords.
That's not how encryption works. You have to have the key to decrypt it. If anyone with access to the database could get the passwords, that would mean they were not encrypted.
Re: (Score:2)
Yeah, but multiple individual user accounts at LastPass can view the same set of passwords. (We use it for company shared accounts and passwords.) So the user's password does not encrypt the password (for LastPass, at least).
Maybe they encrypt the company shared password with the user's password, I don't know. And that is the reason why I don't use it for things that matter, such as my personal passwords.
Re: (Score:2)
I think how it works is each user has their own vault, encrypted with their own password. What I'm not sure of is how they handle synchronization. It's possible that passwords are stored without user encryption on the server until they're synchronized. I didn't see anything explaining that in their FAQs. Support would probably be responsive if you wanted to ask them.
Re: (Score:3)
No, and that's why I don't mind the extra step of copying and pasting passwords from KeePass. That's exactly why it isn't vulnerable to this kind of thing.
Re: (Score:2)
Accessibility options and alternative keyboards are what LastPass and others used to use. Android now has an autofill API for this. The question not answered in the summary is whether the flaw is with the implementation of this new API or the apps themselves.
This is a user flaw not a password manager flaw (Score:4, Interesting)
The user is the one who was tricked into installing the fake app. Personally, I don't think that apps and websites should be sharing passwords. If I download a new app, I expect to have to type in the password the first time I use it. But even requiring the user to type in the password doesn't fix the problem they are talking about which is when the user thinks it's the real app and willingly gives the app their password either from a password manager or manually.
Re: (Score:2)
A lot of apps are just mobile interfaces to services that also have web pages. Why would you have different passwords for each interface? Should there be a different password if you have a desktop app? What about a mobile browser?
I didn't say different passwords. I said that you shouldn't be autofilling from one to the other until they use it for the first time. They shouldn't be trying to link the app with the website. The user should be the one doing that. I see no reason to expect a password manager to carry my password across from the website to the app unless I specifically tell it to. Even if it does, this is still a user screwup that would still happen without a password manager.
Re: (Score:2)
If you were already tricked into downloading a fake Facebook app, for example, it doesn't really matter whether it auto-fills as you'll just choose the corresponding web site when it asks to sign in anyway.
Re: (Score:2)
Personally, I don't think that apps and websites should be sharing passwords.
Ah, so you mean the password manager shouldn't share passwords? The problem with that is when the website and app use the same password and you update it in one, then the other now has the incorrect password and it would be a pain to update. I know LastPass at least asks which password should be used for an app if it's a new one that's not linked anywhere else. I guess it's more of a convenience thing that you have to look out for if you download sketchy apps.
Re: (Score:2)
What's a "real" app? Answer that and we can discuss how people can avoid fake ones.
If Apple and Google are going to insist on having walled gardens they should also guarantee that these walled gardens are safe. Who is asleep at the wheel and approving clones of popular sites? They need to either police their walled garden or get rid of it. If they got rid of the walled garden then third parties could start offering malware scanners, etc... to alert people of malicious apps.
Re: (Score:2)
It's why I asked at the start what is "real". Because beyond even "good" or "bad", defining "real" and "fake" are even harder problems to crack even for humans.
You don't have to strictly define "real" vs "fake" for every questionable app for this to be a non-issue. You just have to make sure that apps that matter (banking apps and fortune 500 apps) are made by actual banks and actual fortune 500 companies. We are talking about maybe a few thousand companies max that need to be properly vetted. If you make sure there are no fake clones of the banking apps and the top 50-100 most popular email and social apps then you have eliminated 99.9% of the potential attack
Comment removed (Score:5, Insightful)
Re: (Score:3)
Yeah! The BEST most insightful thing to using a phone whose SOLE feature is apps that extend it... is to NOT use apps.
The BEST way to not get viruses from the internet isn't to make secure browsers, but instead, visit ZERO websites. I've been using Internet Explorer 5 for over a decade with no viruses!
Re: (Score:2)
Yeah! The BEST most insightful thing to using a phone whose SOLE feature is apps that extend it... is to NOT use apps.
The BEST way to not get viruses from the internet isn't to make secure browsers, but instead, visit ZERO websites. I've been using Internet Explorer 5 for over a decade with no viruses!
You can still get a virus on a machine connected to the internet without visiting a website if you don't have a firewall.
Re: (Score:3)
Most apps can be used directly in the web browser (examples: Gmail, YouTube, Yelp). I don't need to have a lot of stuff cluttering my phone's desktop.
Re: (Score:2)
Or you could use Android, and install as many apps as you want (or have room for anyway) and only put the shortcuts you want on your desktop. Or install a launcher that doesn't put any apps at all on the desktop.
Re: (Score:2)
I know. We should be able to accuse anyone of anything and destroy their lives! It's up to the accused to prove they didn't do anything if they want to have a clear name.
You people are insane.
Re: (Score:2)
My question is this. Is it our turn to laugh at, well, NOT ALL Android fanboys, but the ones who take to places like this and mock Apple, Inc. product users whenever there's a problem in Appletania, is now our time to point and laugh?
You can always do that.
Hmmm... (Score:2)
The only password manager to work securely is one run by the OS maker, who use an undocumented API. This sounds very much like shades of the mid-'90s.