Security Issues Found in Nine Password Managers for Android (LastPass, Dashlane, …)

Considering how often major security problems with password managers seem to turn up, you’d probably be better off just writing down your passwords down on the back of a business card.

Security researchers of the Fraunhofer Institute found severe security issues in nine password managers for Android that they analyzed as part of their research. Password managers are a popular option when it comes to storing authentication information. All promise secure storage either locally or remotely, and some may add other features to the mix such as password generation, automatic sign ins, or the saving of important data such as Credit Card numbers or Pins.

A recent study by the Fraunhofer Institute looked at nine password managers for Google’s Android operating system from a security point of view.  The researchers analyzed the following password managers: LastPass, 1Password, My Passwords, Dashlane Password Manager, Informaticore’s Password Manager, F-Secure KEY, Keepsafe, Keeper, and Avast Passwords.

Some of the apps have more than 50 million installations, and all at least 100,000 installations.

Password Managers on Android security analysis

android password managers

The team’s conclusion should have anyone worried who implements a password manager on Android. While it is unclear whether other password manager applications for Android have vulnerabilities as well, there is at least a chance that this is indeed the case.

The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users` confidence and expose them to high risks.

At least one security vulnerability was identified in each of the apps the researchers analyzed. This went as far as some applications storing the master key in plain text, and others using hard-coded cryptographic keys in code. In another case, installation of a simple helper application extracted the passwords stored by the password application.

Three vulnerabilities were identified in LastPass alone. First a hard-coded master key, then data leaks in browser search, and finally a vulnerability affecting LastPass on Android 4.0.x and lower which allows attackers to steal the stored master password.

  • SIK-2016-022: Hardcoded Master Key in LastPass Password Manager
  • SIK-2016-023: Privacy, Data leakage in LastPass Browser Search
  • SIK-2016-024: Read Private Date (Stored Masterpassword) from LastPass Password Manager

Four vulnerabilities were identified in Dashlane, another popular password manager application.  These vulnerabilities allowed attackers to read private data from the app folder, abuse information leaks, and run an attack to extract the master password.

  • SIK-2016-028: Read Private Data From App Folder in Dashlane Password Manager
  • SIK-2016-029: Google Search Information Leakage in Dashlane Password Manager Browser
  • SIK-2016-030: Residue Attack Extracting Masterpassword From Dashlane Password Manager
  • SIK-2016-031: Subdomain Password Leakage in Internal Dashlane Password Manager Browser

The popular 1Password application four Android had five vulnerabilities including privcacy issues and password leaking.

  • SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
  • SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
  • SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
  • SIK-2016-041: Read Private Data From App Folder in 1Password Manager
  • SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager

You can check out the full list of apps analyzed and the vulnerabilities on the Fraunhofer Institute website.

Note: All disclosed vulnerabilities have been fixed by the companies who develop the applications. Some fixes are still in development. It is recommended that you update the applications as soon as possible if you run them on your mobile devices.

The conclusion of the research team is quite devastating:

While this shows that even the most basic functions of a password manager are often vulnerable, these apps also provide additional features, which can, again, affect security. We found that, for example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using “hidden phishing” attacks. For a better support of auto-filling password forms in web pages, some of the applications provide their own web browsers. These browsers are an additional source of vulnerabilities, such as privacy leakage.

Link to Original Content

Tags: , , ,

Comments are closed.