According to the latest findings from TeamSIK, a group of security researchers associated with the Darmstadt, Germany-based Fraunhofer Institute for Secure Information Technology, a majority of the popular Android password managers are plagued with serious security flaws. According to TeamSIK, these weaknesses are so severe that user credentials can easily be exploited by cybercriminals without needing root permission.
The researchers assessed nine popular Android password managers available for download on Google Play: Erkan Molla’s My Passwords, LastPass, F-Secure KEY, Password Manager from Informaticore, Avast Passwords, 1Password, Dashlane Password Manager, Keeper and Keepsafe. The analysis found that these apps contained vulnerabilities of different levels, from low to medium and high. It is worth noting that so far these nine apps have been downloaded 100,000 to 50 million times cumulatively.
The companies responsible for developing these apps have promoted them as being highly secure. However, TeamSIK stated that they identified 26 inherent issues, most of which were patched by the developers after one month of their reporting, except for Avast, which did not release a patch for the security flaws. The researchers believe the results are quite concerning because these apps claim to protect the passwords of Android users but in reality “do not provide enough protection mechanisms for the stored passwords and credentials.”
“Instead, they abuse the users’ confidence and expose them to high risks,” stated TeamSIK.
Some of these apps are vulnerable because they store the master password in plain text and reveal the encryption keys in the code, while others rely on such weak security mechanisms that the passwords stored by users can be accessed without much difficulty, and without social engineering, by cybercriminals who install a malicious app on the device.
Furthermore, it was discovered that these apps are also vulnerable to data residue attacks and clipboard sniffing, and a majority of the flaws can be exploited without acquiring root permissions. For instance, Keeper and Keepsafe are two of the most popular apps, but they contained one low-severity and two medium-severity flaws.
The Password Manager app by Informaticore contains high-level security flaws: despite storing the master password in an encrypted format, the app’s code reveals the encryption key, which remains the same for every installation. The same flaw was detected in the LastPass app. It was also noted that features like autofill or default web browsers in the app might introduce security flaws and lead to privacy invasion.
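The sketch below is an added example, not code from TeamSIK or from any of the apps named. It contrasts the fixed-key pattern described above with a vault key derived from the master password and a per-installation salt, so that neither the master password nor the key is stored on the device. The function names, the constructed key value and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Flawed pattern described above: one key compiled into the app, identical on
# every installation. Constructed value, not taken from any real app.
STATIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this sketch


def static_key_for_install(_install_id: str) -> bytes:
    """Flawed: every install gets the same key, readable from the app code."""
    return STATIC_KEY


def _subkeys(master_password: str, salt: bytes):
    """Stretch the password once, then split into a vault key and a verifier."""
    root = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    vault_key = hmac.new(root, b"vault-encryption", hashlib.sha256).digest()
    verifier = hmac.new(root, b"password-verifier", hashlib.sha256).digest()
    return vault_key, verifier


def enroll(master_password: str) -> dict:
    """Build the record kept on disk: a random salt and a verifier only."""
    salt = secrets.token_bytes(16)  # unique per installation
    _vault_key, verifier = _subkeys(master_password, salt)
    return {"salt": salt, "verifier": verifier}


def unlock(master_password: str, record: dict) -> Optional[bytes]:
    """Return the vault key if the password matches the record, else None."""
    vault_key, verifier = _subkeys(master_password, record["salt"])
    if hmac.compare_digest(verifier, record["verifier"]):
        return vault_key  # held in memory only, never written to storage
    return None
```

With this layout, extracting a constant from the app package yields nothing usable, and a copied record still has to be attacked one password guess at a time.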
If you are using any of these apps, be careful and don’t trust them blindly.