1Password for Android Autofill vulnerability?
When I recently opened the 1Password app on my Android device, I was greeted by a pop-up message:
One more thing!
Enhance your 1Password experience by enabling the following...
[And one of the options is:]
Autofill: Fill and save usernames and passwords in apps.
However, I also recently read an article on the Sophos NakedSecurity blog:
Android password managers vulnerable to phishing apps
The article discusses a recently discovered vulnerability and concludes with a suggestion to turn the autofill feature off.
So we have conflicting advice.
The 1Password message is suggesting that we turn autofill on to enhance our 1Password experience, and the NakedSecurity team is suggesting we turn the autofill feature off in order to protect against this vulnerability.
Any comments from your team?
Here are some of the relevant passages from the NakedSecurity article:
"Researchers have discovered that several leading Android-based password managers can be fooled into entering login credentials into fake phishing apps.
"Password managers can be used to create, store, enter and autofill passwords into apps and websites. As well as allowing users to maintain scores of strong passwords, password managers can also provide some defence against phishing – their autofill features will enter passwords on sites they’re associated (and their mobile apps), but not on fakes.
"The University of Genoa and EUROCOM’s Phishing Attacks on Modern Android study explores the difference between accessing a service through its mobile app and accessing it through its website on a desktop browser.
"With desktop browsers, when a site is visited for the first time the password manager creates an association between its domain (verified by its digital certificate) and the credentials used to access it.
"However, when somebody uses the website credentials to log in to an app, the process of verifying the app is more complicated and potentially less secure.
"The main way password managers tell good apps from bad apps is by associating the website domain for that app with the app package name, a metadata ID checked using static or heuristically-generated associations.
"The flaw is that package names can be spoofed – all the attacker has to do is create a fake app with the correct package name and the password manager will trust it enough to present the correct credentials.
"The researchers found that several popular password managers were vulnerable to this kind of mapping weakness – LastPass, 1Password, Dashlane, and Keeper – with only Google Smart Lock (which isn’t primarily a password manager) able to resist...."
[The article concludes with:]
"Naked Security believes that using a password manager is still one of the simplest and most effective computer security steps you can take, and closer integration with mobile apps makes using a password manager easier.
"You are much more likely to be burned by password reuse than by an autofill attack on a fake app. However, if you are concerned about this kind of attack, or similar attacks that exploit autofill features using hidden password fields, don’t abandon your password manager, just turn autofill off."
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
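The weakness quoted above comes down to what the autofill service uses as the identity of the requesting app. The simulation below is an added example, not code from 1Password or from the researchers: it models a vault that maps a website domain to an Android app first by package name alone (the spoofable mapping the article describes) and then by the pair of package name and signing-certificate SHA-256 fingerprint, as published in the site's Digital Asset Links statement list (the real `assetlinks.json` format with the `delegate_permission/common.get_login_creds` relation). The domain, package name, certificate bytes and credentials are constructed placeholders.

```python
import hashlib
import json
from typing import Dict, Optional, Set, Tuple

# Constructed sample data: stand-ins for the DER bytes of two Android signing
# certificates. A spoofed app can copy a package name, but it cannot be signed
# with the genuine developer's private key, so its certificate differs.
GENUINE_CERT = b"constructed-genuine-signing-cert-der-bytes"
ATTACKER_CERT = b"constructed-attacker-signing-cert-der-bytes"

# Constructed vault: website domain -> (username, password).
VAULT: Dict[str, Tuple[str, str]] = {"bank.example": ("alice", "correct horse battery staple")}


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of a signing certificate, colon-separated upper-case hex as used in assetlinks.json."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed Digital Asset Links statement list, the document a site would serve at
# https://bank.example/.well-known/assetlinks.json to name the app allowed to receive its logins.
ASSETLINKS_BY_DOMAIN: Dict[str, str] = {
    "bank.example": json.dumps([{
        "relation": ["delegate_permission/common.get_login_creds"],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.bank",
            "sha256_cert_fingerprints": [cert_fingerprint(GENUINE_CERT)],
        },
    }])
}

# Weak mapping: website domain -> package names, with nothing binding the name to a signer.
PACKAGE_ONLY_MAP: Dict[str, Set[str]] = {"bank.example": {"com.example.bank"}}


def trusted_apps(assetlinks: str) -> Set[Tuple[str, str]]:
    """Parse a statement list into the (package name, fingerprint) pairs permitted to get credentials."""
    pairs: Set[Tuple[str, str]] = set()
    for stmt in json.loads(assetlinks):
        if "delegate_permission/common.get_login_creds" not in stmt.get("relation", []):
            continue
        target = stmt.get("target", {})
        if target.get("namespace") != "android_app":
            continue
        for fp in target.get("sha256_cert_fingerprints", []):
            pairs.add((target["package_name"], fp.upper()))
    return pairs


def autofill_package_only(package_name: str) -> Optional[Tuple[str, str]]:
    """Package-name-only lookup: any app carrying the expected name is offered the credentials."""
    for domain, packages in PACKAGE_ONLY_MAP.items():
        if package_name in packages:
            return VAULT.get(domain)
    return None


def autofill_verified(package_name: str, cert_der: bytes) -> Optional[Tuple[str, str]]:
    """Verified lookup: the requesting app must match a (package, signer fingerprint) the site published."""
    requester = (package_name, cert_fingerprint(cert_der))
    for domain, assetlinks in ASSETLINKS_BY_DOMAIN.items():
        if requester in trusted_apps(assetlinks):
            return VAULT.get(domain)
    return None


def demo() -> Dict[str, Optional[Tuple[str, str]]]:
    """Run both lookups for the genuine app and for a spoofed app reusing its package name."""
    return {
        "package_only/genuine": autofill_package_only("com.example.bank"),
        "package_only/spoofed": autofill_package_only("com.example.bank"),
        "verified/genuine": autofill_verified("com.example.bank", GENUINE_CERT),
        "verified/spoofed": autofill_verified("com.example.bank", ATTACKER_CERT),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'credentials filled' if result else 'refused'}")
```

The package-only lookup fills credentials into both apps because it never sees which key signed the requester; the verified lookup refuses the spoofed app, since its certificate fingerprint is absent from the site's statement list. The same idea applies in reverse: an autofill service can also reject a request when the site publishes no statement for the requesting package at all, rather than falling back to a heuristic name match.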