API omission renders Android password managers insecure

A study by students at the University of Hannover has found that password managers on Android smartphones are not particularly secure. The researchers analysed 13 free and 8 proprietary password managers on a Galaxy Nexus running Android 4.0. They found that Android does not make it easy for developers to write a genuinely secure password manager, as it lacks a secure API to deliver passwords between applications.

The researchers found that the rules for password managers on smartphones differ from those for their desktop counterparts. Unlike their desktop equivalents, smartphone password managers are unable to hook directly into the browser and also have to be able to be used by apps. Because Android doesn't provide an API for integrating password managers into browsers or apps, developers use an insecure workaround – they use the operating system's clipboard to deliver login credentials to the browser and to apps.

Users also use the clipboard to copy login credentials from password managers and paste them into apps and the browser. This represents a problem, since the clipboard is a global resource, which can be accessed by any app without requiring specific permissions. Even worse, there is a system-wide notification service which enables apps to be notified and listen in every time the clipboard content changes:

android.content.ClipboardManager.OnPrimaryClipChangedListener

This can be exploited by malware to eavesdrop on all passwords transferred via the clipboard. The researchers wrote a demo program, PWSniff, which implemented precisely such functionality. PWSniff runs as a background process and does not require any permissions to go about its business. The program sniffs out all required data from the smartphone; all a malware handler would have to do is put them together in the right combination.

If, for example, a known password manager is in the foreground when text is being copied, the clipboard contents are likely to be either a URL, an account name or a password. The next app activated by the user is likely to be the target for the data. If the sniffer has the GET_ACCOUNTS permission, it will also be able to read user names from Android's AccountManager. From currently open connections, the sniffer can also determine which server the password is intended for. This information is accessible to all apps using ProcFS (via /proc/net/tcp). This leaves only forwarding the data collected to an external server. PWSniff achieves this without even requiring the internet access permission. It does so by waiting for the display to turn off and then opening an appropriate URL in the Android browser.

In light of their research, the researchers contacted password manager developers and asked them why they had used the clipboard in their password managers. All but one of those surveyed stated that in striking a balance between security and user-friendliness, they had tended towards the latter. One argued that the security offered was still better than the increased password reuse which was likely to occur in the absence of a password manager. All were critical of the lack of support for third party password managers in Android.

That the developers have a point and that demand exists was confirmed by the researchers during further analysis. They found that password managers were used for two reasons: firstly, users wanted to take control of the large number of different login credentials in order to improve security, and secondly, users wanted software which was not controlled by Google because of concerns that the encryption used by the Android browser was insecure and that Google would secretly collect and store all their login credentials.

(fab)