Android autofill privileges and privacy implications

swiftopt
swiftopt
Community Member

Hello, I'm a new user trying out 1Password and in particular your Android app. (Apologies if the below has been asked already; I searched and was very surprised not to find an answer)

When I went to turn out Autofill, Android issued a fairly ominous warning - "1Password will be able to see what's on your screen in all apps to determine what can be filled in automatically". It's hard for me to know the implications of this, so I'd appreciate your comments on what actual access to my phone this implies, as I would generally never click 'Yes' to something like this.

In particular,
1. What information does 1Password's app read off of app screens in its current form? How is this information processed / stored / used?

  1. What are the 'worst case' scenario implications of this access? In the event that malicious code were introduced into 1Password's app (unlikely, I appreciate, but not impossible), if I'd granted it this level of permission, what could it do - presumably capture anything I type into a form anywhere on my phone? Anything beyond that, e.g. could it read other non-form content off my phone screen as I used it?

  2. Is there any way to ring-fence off specific apps away from 1Password's autofill access?

  3. If I do decide the possible security / privacy implications of the above do not justify using 1Password's autofill - are there any other options? Copy / paste is out because of clipboard sniffing attacks. I'd be happy to switch to the 1Password keyboard when I need to enter a password, but that's being deprecated. Any other options?
    (I did see that the Android app supports drag-and-drop but haven't tried it yet - how is that implemented and are there any security implications there? In particular, can you confirm that drag-and-dropped passwords don't hit the Android clipboard?)

Very much appreciate any thoughts you can share, and thank you for your time!


1Password Version: Android 7.5
Extension Version: Not Provided
OS Version: Android 10
Sync Type: Not Provided
Referrer: forum-search:Android autofill privileges and privacy implications

Comments

  • peri
    edited April 2020

    @swiftopt Accessibility services are a way to monitor what's on your phone in order to help you in various ways. So any accessibility service you use will constantly be monitoring your screen in order to interpret what you're seeing. For instance, if you use the TalkBack service, it will constantly be scanning your device's screen in order to relay what's on it for vision impaired users. This is how it reads text from your screen out loud.

    1Password's accessibility service is also monitoring your screen, which is how it can find login fields on a given page and know what to fill into. This is why you're seeing that warning, which you'll see when using any accessibility service. We're not storing this info, as it's just used to determine where login fields are. Once 1Password finds a login field, it will show the Autofill with 1Password prompt, and then allow you to fill into that page.

    As to your second question, accessibility services do scan your screen constantly, which is why it's important to trust the developers of any accessibility service you're using. As 1Password has access to your most sensitive data, we understand the importance of security. That said, as far I'm aware, accessibility services can be abused for things like capturing things you've typed and things you've viewed. This is why Google has recently cracked down on what apps can have accessibility services.

    If you're concerned about the topic, there are lots of studies out there on the subject. However, I'd also encourage you to take a look at our security model. I think it's important to only use apps you trust, and I think 1Password is a very trustworthy app.

    Currently, there's no way to exclude any apps from Autofill or Accessibility, but I'll pass your request for this feature on to our development team. That said, I'd like to clarify the distinction between Autofill and Accessibility. 1Password supports both, but your questions only apply to Accessibility. You can enable Autofill and leave Accessibility disabled if you like, as the two work completely independently of one another. Autofill is provided by the system, and we built Accessibility to fill in where Autofill isn't supported, like in Chrome and other browsers, for instance. Accessibility is what you're seeing the warning for, as this doesn't apply to Autofill.

    Drag and drop does not include use of the clipboard. With drag and drop, you're taking text directly out of 1Password and placing it into a field of your choosing, so it's not vulnerable to sniffing the way copying and pasting is. Further, with Android 10, Google has restricted access to the clipboard, so you can feel a little more secure in using the clipboard now, knowing that it's not quite the no man's land it used to be.

  • swiftopt
    swiftopt
    Community Member

    @peri Thank you for your response. One immediate follow-up - I was actually talking about Autofill and not Accessibility. I.e. my phone shows that warning when I try to activate the Autofill service. Does that change anything in your answer?

    In particular I'm confused about...

    1Password supports both, but your questions only apply to Accessibility.

    ... since as I say, the security warning I get is when I try to activate Autofill. (I have no interest in Accessibility as all the apps with which I want to use 1Password work with Autofill).

    Would very much appreciate if you could clarify.

    Also,

    As 1Password has access to your most sensitive data, we understand the importance of security. I would assume that if a malicious attacker were to try to insert code into 1Password, it'd be able to do a lot more damage than hijacking our accessibility service.

    This is a fair point but my plan with 1Password was only to use it for my less sensitive data - for core work and personal services I do commit passwords/phrases to memory, putting limits on the damage a password manager compromise could do. Hence my concern that if 1Password was compromised, my passwords typed into other fields on my phone could be compromised as well if I give Autofill privileges to the app

    Can you comment on the timeline for deprecation of 1Password Keyboard? The more I think about it, that would be by far my preferred solution (I can switch keyboards easily and quickly on my phone and could use it just for auto-type without allowing 1Password any privileges) but I do understand that's on its way out. Is there a sense for when the feature will be removed?

  • Sorry, @swiftopt. I thought you were referring to this warning:

    As to Autofill security, specifically, please have a look here:

    About Autofill security in 1Password for Android

    We decided not to remove the keyboard in the near future, as we realize how important it is for a lot of our users. We've decided to focus on improving Autofill and Accessibility so that it won't be a pain point for customers when we remove the keyboard. So, I don't have a timeline on that. Keep in mind that the keyboard runs on the accessibility service, so you'd need to have Accessibility enabled to use the keyboard.

    As to memorizing your passwords, I'd strongly recommend against that. Any password manager is safe than reusing passwords, and creating your own passwords (rather than randomly generating them. We go into more detail on that on our blog:

    Are password managers safe?

  • swiftopt
    swiftopt
    Community Member

    Hi @peri, thanks very much for the quick reply. I was instead talking about this warning:

    I had reviewed the link you've provided...

    About Autofill security in 1Password for Android

    ... before posting my questions. I found that it didn't answer them. I'm not concerned about Autofill leaking my secrets from 1Password, but rather about the access that I'm giving 1Password to my phone, which that page doesn't discuss at all.

    So in the Autofill framework, I'm still curious about my original questions:
    1. What data specifically does the 1Password app read off the screen, as currently written? And how does the timing work out on this? (E.g. if I type in a password and submit it, 1Password then prompts me as to whether I want to save that password - but has the 1Password app already read / stored, even temporarily, the password? Or is the password only released to the 1Password once I click the 'Save' button)?
    2. What data could it (or any malicious code injected into it) theoretically read off the screen if I activate the Autofill service? I.e. is it as catastrophic as the Accessibility framework in the event of a compromise, or any safer from this perspective?

    A couple other quick points:

    Keep in mind that the keyboard runs on the accessibility service, so you'd need to have Accessibility enabled to use the keyboard.

    Doesn't seem to be true on my phone? I have Accessibility service disabled on my phone but I still seem to be able to use the 1Password keyboard for manual filling, which is functional albeit clunky.

    Great that you're not deprecating the keyboard any time soon. The bright purple deprecation warning is a pain though. Could you not add some kind of "I understand, don't show again" option?

    As to memorizing your passwords, I'd strongly recommend against that. Any password manager is safe than reusing passwords, and creating your own passwords (rather than randomly generating them

    I'm a bit surprised that you've jumped right to assuming the worst here just because I mentioned memorizing passwords? To be clear, for my 5 highest security personal / work accounts, I use Keepass to randomly generate unique strong passwords (and Diceware to offline-generate one 7 word passphrase), then commit them all to memory and don't record them elsewhere. Those are the passwords that wouldn't go into a password manager, and hence are the ones I'm interested in knowing if / to what degree I'm potentially exposing by giving 1Password Autofill permissions on my phone.

  • swiftopt
    swiftopt
    Community Member

    (Apologies, to be clear, by

    I use Keepass to randomly generate unique strong passwords ... then commit them all to memory and don't record them elsewhere

    I mean I use Keepass's password generator function to generate the passwords with no file loaded and then quit without saving. So not saved in Keepass and wouldn't plan to save in 1Password either. Just realized that was worded ambiguously so wanted to clarify!)

  • Hey @swiftopt! Peri is away today, so I’ll jump in here to answer your questions.

    1. What data specifically does the 1Password app read off the screen, as currently written? And how does the timing work out on this?

    2. What data could it (or any malicious code injected into it) theoretically read off the screen if I activate the Autofill service?

    The Autofill framework on Android is designed with respect to user security and privacy. When this feature is enabled with 1Password, the Autofill service will analyze your screen to determine if there is an opportunity to fill. If the service believes something can be filled, it will process a fill request to 1Password where 1Password can then analyze the provided details from the Autofill service and respond back if it identifies any known fields (username, password or one-time password fields).

    A fill request usually happens immediately after a new screen is loaded. This is before you get a chance to type anything into a field. A fill request can also be manually started by long pressing on a field and tapping Autofill from the contextual menu.

    The information passed to 1Password by the Autofill service is carefully filtered and is just enough for 1Password to identify fields for filling. If you fill into an app, 1Password will store the signature of that app in the item so that item appears as a match the next time you fill into the same app again. These show under Linked Apps on the item details screen and apps can be unlinked by editing the item.

    To give you an example, here is some of the information provided to 1Password during a fill request. It’s important to note that 1Password does not store any of this information during the fill request and is discarded when the request is complete.

    • Identity of the app (name and package name)
    • Website and limited HTML source data in supported Autofill browsers
    • Texts on the screens including user inputted text, headers, and text field labels
    • Internal description of fields such as their input types, resource name, autofill flags

    A save request happens after a fill request when 1Password identifies username and password fields, but you don’t actually fill using 1Password. The Autofill service will capture any manually typed values in the matching fields and ask whether you want to save them into 1Password. Only when you choose to save them, 1Password will learn the credentials and save it into an item. Otherwise, those credentials are not shared with 1Password.

    I have Accessibility service disabled on my phone but I still seem to be able to use the 1Password keyboard for manual filling, which is functional albeit clunky.

    Sorry for the misinformation here.

    Automatic filling will not work without the 1Password accessibility service when using the 1Password keyboard. This is where 1Password will fill into the fields directly after you selected a login to fill using the keyboard.

    However, you are right, manual filling is available without the accessibility service using the keyboard. You’ll just have to manually select the field and tap on the fill actions that appear above the keyboard to fill.

    Great that you’re not deprecating the keyboard any time soon. The bright purple deprecation warning is a pain though.

    I’ll share that with our team! Thanks for that feedback.

    I hope that answers all of your questions. Let us know if you have any others.

  • roy_orbison
    roy_orbison
    Community Member

    @saad Please don't ever drop keyboard support, there isn't one situation I've encountered where credentials were requested but couldn't be typed. Conversely, there are plenty of times where smart apps have done things for me that I didn't want, so I never use the accessibility service.

  • Hey @roy_orbison. We've decided not to remove the keyboard from 1Password 7, so you don't need to worry about that. Can you clarify your issue with the accessibility service? I'm not sure I understand.

  • roy_orbison
    roy_orbison
    Community Member

    @peri I just don't like automatic form filling/submission. There are occasions it's not desired or does the wrong thing and avoiding those is worth the few extra taps/keystrokes, to me.

  • @roy_orbison I'm sorry, I may not be fully understanding you. While both Autofill and Accessibility allow you to select a Login for filling, neither method automatically fills forms without your input. That is, you'll see a prompt, and then you'll need to tap it in order for 1Password to fill. If you notice situations where the Autofill prompt is appearing in fields it shouldn't be (i.e. non-login fields), please let us know what apps you're noticing that in so we can look into it.

This discussion has been closed.