Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Android Privacy

Password Managers Can Be Tricked Into Believing That Malicious Android Apps Are Legitimate (zdnet.com) 73

A new academic study published today reveals that Android-based password managers have a hard time distinguishing between legitimate and fake applications, leading to easy phishing scenarios. From a report: The study looked at how password managers work on modern versions of the Android OS, and which of the OS features attackers can abuse to collect user credentials via phishing attacks carried out via fake, lookalike apps. What the research team found was that password managers, initially developed for desktop browsers, aren't as secure as their desktop versions. The problem comes from the fact that mobile password managers have a hard time associating a user's stored website credentials with a mobile application and then creating a link between that website and an official app.

[...] Researchers say they tested the way five Android password managers create internal maps (connections) between a locally installed app and legitimate internet sites and found that four of the five were vulnerable to abuse. Android versions of password managers from Keeper, Dashlane, LastPass, and 1Password were found to be vulnerable and have prompted the user to auto-fill credentials on fake apps during tests. Researchers found that Google's Smart Lock app did not fall for this fake package name trick, and the reason was because it used a system named Digital Asset Links to authenticate and connect apps to a particular online service.

This discussion has been archived. No new comments can be posted.

Password Managers Can Be Tricked Into Believing That Malicious Android Apps Are Legitimate

Comments Filter:
  • durrrrrrr (Score:2, Funny)

    by Anonymous Coward

    This is why I just use the same password for everything. It's much easier to remember, and more secure since I don't have to write it down or store it anywhere.

    • Re: durrrrrrr (Score:4, Insightful)

      by saloomy ( 2817221 ) on Wednesday September 26, 2018 @12:49PM (#57380184)

      Your accounts security for all those applications is equal to the weakest security of any of those apps. If any of them are compromised, have reversible encryption or worse, store their user passwords in plain text, you will get owned. Do not do this.

    • Re:durrrrrrr (Score:4, Interesting)

      by Oswald McWeany ( 2428506 ) on Wednesday September 26, 2018 @12:54PM (#57380206)

      This is why I just use the same password for everything. It's much easier to remember, and more secure since I don't have to write it down or store it anywhere.

      Better idea than that... make up a formula something like: The third letter from the name of the website. (so for example Slashdot that would be "a"). Then take that letter's position in the alphabet (1). Then take the 5th letter and do the same. And then finish with some random string you use in common across all websites such as "passwud123##" to pad the length. The formula would give you:

      a1h8passwud123##

      Easy to remember, and if someone got a hold of one password they wouldn't be able to apply it directly to any other website. I use a formula for all of my password websites (but it's actually very different to the one above, I don't think anyone could ever reverse engineer my password to figure out my formula- the example above they could if they tried- best to use a formula that would only have meaning to you so it can't be reverse engineered but is quick for you to figure out)

      • I use a formula for all of my password websites (but it's actually very different to the one above, I don't think anyone could ever reverse engineer my password to figure out my formula

        If I saw your password for two sites I'd know generally what you're doing, and what the invariant portion is. What's left is a 4-6 character alphanumeric password; maximum entropy 31 bits. You really don't gain a great deal with the invariant string, other than fooling password strength meters, and maybe yourself.

        • I use a formula for all of my password websites (but it's actually very different to the one above, I don't think anyone could ever reverse engineer my password to figure out my formula

          If I saw your password for two sites I'd know generally what you're doing, and what the invariant portion is. What's left is a 4-6 character alphanumeric password; maximum entropy 31 bits. You really don't gain a great deal with the invariant string, other than fooling password strength meters, and maybe yourself.

          Not that I am going to give away my passwords, but I guarantee you wouldn't be able to figure out my formula from knowing any two passwords. :)

      • by mjwx ( 966435 )

        This is why I just use the same password for everything. It's much easier to remember, and more secure since I don't have to write it down or store it anywhere.

        Better idea than that... make up a formula something like: The third letter from the name of the website. (so for example Slashdot that would be "a"). Then take that letter's position in the alphabet (1). Then take the 5th letter and do the same. And then finish with some random string you use in common across all websites such as "passwud123##" to pad the length. The formula would give you:

        a1h8passwud123##

        Easy to remember, and if someone got a hold of one password they wouldn't be able to apply it directly to any other website. I use a formula for all of my password websites (but it's actually very different to the one above, I don't think anyone could ever reverse engineer my password to figure out my formula- the example above they could if they tried- best to use a formula that would only have meaning to you so it can't be reverse engineered but is quick for you to figure out)

        I think your formula is far too complex. Did I swap the o for a u or a zero, where was the 8, how many hashes was it, did I use the fourth or fifth letter because this websites got a space in the name... so on and so forth. Further more, it's based on a dictionary word with common substitutions making it easier to guess. A better password is:

        Frank1

        That's all you should have to remember to make a complex password. A simple for or 5 letter word, followed by a number. In the case of requiring a special c

        • by nasch ( 598556 )

          "Frank1!" would be very easy for a computer to guess. I'm not an expert, but I suspect "Frank1!frank1!frank1!frank" is only slightly better. If you're not going to use a long random password, a series of several unrelated words is best. "jalopy mango disappointed eraser" for example. I would recommend just getting a password manager and being careful about what apps you install.

  • by macraig ( 621737 ) <mark.a.craig@gmail . c om> on Wednesday September 26, 2018 @11:47AM (#57379820)

    It's curious that there's no mention at all of KeePass and its Android integration apps like the one I use, KeePass2Android. It uses an alternative keyboard to manually inject usernames and passwords, so is it vulnerable to the same trickery?

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      It doesn't appear to me that this would be a problem for KeePass. The version of Keepass I'm using doesn't autofill fields, which while mildly annoying, means that it's a lot less likely to have applications doing things like this as you'd have to manually paste the information into the wrong app.

    • by q4Fry ( 1322209 )

      I, too, would like to see analysis for KeePass2Android (both with and without registration as an Android keyboard) and for Password Store.

    • No, and that's why I don't mind the extra step of copy and paste password from keepass. that's exactly why it isn't vulnerable to this kind of thing.

    • Accessibility options and alternative keyboards is what Lastpass and others used to use. Android now has an autofill API for this. The question not answered in the summary is whether the flaw is with the implementation of this new API or the apps themselves.

  • by Wycliffe ( 116160 ) on Wednesday September 26, 2018 @11:56AM (#57379878) Homepage

    The user is the one who was tricked into installing the fake app. Personally, I don't think that apps and websites should be sharing passwords. If I download a new app, I expect to have to type in the password the first time I use it. But even requiring the user to type in the password doesn't fix the problem they are talking about which is when the user thinks it's the real app and willingly gives the app their password either from a password manager or manually.

    • by Ksevio ( 865461 )
      A lot of apps are just mobile interfaces to services that also have web pages. Why would you have different passwords for each interface? Should there be a different password if you have a desktop app? What about a mobile browser?
      • A lot of apps are just mobile interfaces to services that also have web pages. Why would you have different passwords for each interface? Should there be a different password if you have a desktop app? What about a mobile browser?

        I didn't say different passwords. I said that you shouldn't be autofilling from one to the other until they use if for the first time. They shouldn't be trying to link the app with the website. The user should be the one doing that. I see no reason to expect a password manager to carry my password across from the website to the app unless I specifically tell it to. Even if it does, this is still a user screwup that would still happen without a password manager.

        • If you were already tricked into downloading a fake Facebook app, for example, it doesn't really matter whether it auto-fills as you'll just choose the corresponding web site when it asks to sign in anyway.

        • by Ksevio ( 865461 )

          Personally, I don't think that apps and websites should be sharing passwords.

          Ah so you mean the password manager shouldn't share passwords? The problem with that is when the website and app use the same password and you update it in one, then the other now has the incorrect password and it would be a pain to update. I know lastpass at least asks which password should be used for an app if it's a new one that's not linked anywhere else. I guess it's more of a convenience thing that you have to look out for if you download sketchy apps

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday September 26, 2018 @11:57AM (#57379894)
    Comment removed based on user account deletion
    • Yeah! The BEST most insightful thing to using a phone whose SOLE feature is apps that extend it... is to NOT use apps.

      The BEST way to not get viruses from the internet isn't to make secure browsers, but instead, visit ZERO websites. I've been using Internet Explorer 5 for over a decade with no viruses!

      • Yeah! The BEST most insightful thing to using a phone whose SOLE feature is apps that extend it... is to NOT use apps.

        The BEST way to not get viruses from the internet isn't to make secure browsers, but instead, visit ZERO websites. I've been using Internet Explorer 5 for over a decade with no viruses!

        You can still get a virus on a machine connected to the internet without visiting a website if you don't have a firewall.

      • Most apps can be used directly in the web browser (examples: Gmail, youtube, yelp). I don't need to have a lot of stuff cluttering my phone's desktop.

        • by nasch ( 598556 )

          Or you could use Android, and install as many apps as you want (or have room for anyway) and only put the shortcuts you want on your desktop. Or install a launcher that doesn't put any apps at all on the desktop.

  • Comment removed based on user account deletion
    • by nasch ( 598556 )

      My question is this. Is it our turn to laugh at, well, NOT ALL Android fanboys, but the ones who take to places like this and mock Apple, Inc. product users whenever there's a problem in Appletania, is now our time to point and laugh?

      You can always do that.

  • The only password manager to work securely is one run by the OS maker, who use an undocumented API. This sounds very shades of the mid-90's.

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...