Password-Manager Apps


ABOUT THE PROJECT

There are different policies for the generation of secure passwords. However, one of the biggest challenges is to memorize all these complex passwords. Password manager applications are a promising way of storing all sensitive passwords cryptographically secure. Accessing these passwords is only possible if the user enters a secret master password. At first sight, the requirements for a password manager application seem simple: Storing the passwords of a user centralized in a secure and confidential way. However, how is the reality on mobile, password manger applications, especially on Android? Applications vendors advertise their password manager applications as „bank-level“ or „military-grade“ secure. However, can users be sure that their secrets are actually stored securely? Despite the vendors’ claims, is it nevertheless possible to obtain access to the stored credentials?

In order to answer these questions, we performed a security analysis on the most popular Android password manager applications from the Google Play Store based on download count. The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users` confidence and expose them to high risks.

We found several implementation flaws resulting in serious security vulnerabilities. Some applications stored the entered master password in plaintext or implemented hard-coded crypto keys in the program code. Consequently, attackers can easily circumvent the crypto algorithm altogether and thereby gain access to all of the user’s data. In other cases, we could simply access all “securely protected passwords/credentials” with the help of an additional app. Once installed on the device, this malicious app extracts all passwords/credentials in plaintext and sends them to the attacker. In yet another case, we could use a so-called data residue attack to access the master key of an application. In most of the cases, no root permissions were required for a successful attack that gave us access to sensitive information such as the aforementioned master password. Furthermore, many of the apps completely ignore the problem of clipboard sniffing, meaning that there is no cleanup of the clipboard after credentials have been copied into it.
While this shows that even the most basic functions of a password manager are often vulnerable, these apps also provide additional features, which can, again, affect security. We found that, for example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using “hidden phishing” attacks. For a better support of auto-filling password forms in web pages, some of the applications provide their own web browsers. These browsers are an additional source of vulnerabilities, such as privacy leakage.

All of our 26 findings are provided in detail in the following:

!! Update 2017-03-01: All reported vulnerabilities are fixed by the vendors !!

MyPasswords (App-Link)

Informaticore Password Manager (App-Link)

LastPass Password Manager (App-Link)

Keeper Passwort-Manager (App-Link)

F-Secure KEY Password Manager (App-Link)

Dashlane Password Manager (App-Link)

Hide Pictures Keep Safe Vault (App-Link)

Avast Passwords (App-Link)

1Password – Password Manager (App-Link)


PUBLICATIONS

Extracting All Your Secrets: Vulnerabilities in Android Password Managers
Stephan Huber, Siegfried Rasthofer
In: DEF CON 25, July 2017. (slides)

The Key Under the Doormat: Design Flaws and Vulnerabilities in Android Password Manager Applications
Stephan Huber, Siegfried Rasthofer, Steven Arzt
In: AppSec-Eu 2017, May 2017. (slides)

Bypassing Android Password Manager Apps Without Root
Stephan Huber, Siegfried Rasthofer, Steven Arzt
In: Hack In The Box, April 2017. (slides)