A team of security researchers from the Darmstadt, Germany-based Fraunhofer Institute for Secure Information Technology (SIT) has discovered 26 serious security flaws in nine popular Android password managers.
According to the researchers' TeamSIK (Security Is Key) report, the flaws are severe enough that stored user credentials can be extracted by an attacker, and none of the attacks requires root permission on the device.
The list of analysed apps includes MyPasswords, Informaticore, LastPass, Keeper, F-Secure Key, Dashlane, Hide Pictures Keep Safe Vault, Avast Passwords, and 1Password.
APPS FEATURED DIFFERENT KINDS OF FLAWS AS BELOW
♠ Storage of the master password in plain text
♠ Encrypting the master password but leaving the encryption key hard-coded in the app's code, where anyone who unpacks the APK can read it
♠ Leaving user passwords in the phone's shared clipboard, where any other app could read them
♠ Vulnerability to data residue attacks (stored passwords recoverable after the password manager app has been uninstalled)
♠ Vulnerability to browser autofill phishing attacks
♠ Password managers shipping their own built-in browser that leaked user data
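To make the first two flaws in the list concrete, here is an added illustration written for this page; it is not code from TeamSIK or from any of the audited apps. It models both storage designs in Python: the flawed one, where the master password sits in a plain-text file and the vault key is a constant compiled into the app, and the hardened one, where the key is derived from the master password with PBKDF2 and only a random salt is written to disk. The cipher is a stand-in built from the standard library so the script runs offline (an Android app would use AES-GCM via javax.crypto); the file names, the constant key, the iteration count and the sample vault are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Authenticated stream cipher built from the standard library only, so the
# example runs offline. A real app would use AES-GCM; the storage design,
# not the cipher, is the point of this example.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # encrypt-then-MAC

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered vault")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

# Constructed sample vault; file names and the key constant are assumptions.
SAMPLE_VAULT = {"mail.example": "s3cret-pw", "bank.example": "correct horse"}

# --- Flawed design: master password in plain text, vault key compiled into the app
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def weak_store(master_password: str, entries: dict) -> dict:
    """Files the flawed app writes to its private data directory."""
    return {
        "master.txt": master_password.encode(),  # flaw: plain-text master password
        "vault.bin": encrypt(HARDCODED_KEY, json.dumps(entries).encode()),  # flaw: static key
    }

def weak_attack(files: dict) -> dict:
    """Attacker holds the data directory (or a backup / data residue) and the APK.
    The key is a constant in the APK, so the master password is never needed."""
    return json.loads(decrypt(HARDCODED_KEY, files["vault.bin"]))

# --- Hardened design: key derived from the master password, no secret on disk
PBKDF2_ITERATIONS = 100_000  # assumed value for the example

def derive_key(master_password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS)

def hardened_store(master_password: str, entries: dict) -> dict:
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    # Only a random salt and the authenticated ciphertext are written.
    return {"salt.bin": salt, "vault.bin": encrypt(key, json.dumps(entries).encode())}

def hardened_open(master_password: str, files: dict) -> dict:
    key = derive_key(master_password, files["salt.bin"])
    return json.loads(decrypt(key, files["vault.bin"]))

def hardened_attack(files: dict, guesses: list):
    """Same attacker position. The only route left is guessing the master
    password, paying PBKDF2_ITERATIONS hashes per guess; a wrong guess fails
    the authentication check instead of yielding garbage."""
    for guess in guesses:
        try:
            return hardened_open(guess, files)
        except ValueError:
            continue
    return None

if __name__ == "__main__":
    weak_files = weak_store("hunter2", SAMPLE_VAULT)
    print("weak design, no master password needed:", weak_attack(weak_files))
    strong_files = hardened_store("hunter2", SAMPLE_VAULT)
    print("hardened design, wordlist attack:", hardened_attack(strong_files, ["password", "letmein"]))
```

In the flawed design every secret the attacker needs is either on disk or in the APK, which is why the report's attacks work without root: a malicious app, a backup or leftover data residue is enough. In the hardened design the same material gives the attacker only an offline guessing problem against the master password, whose cost is set by the PBKDF2 iteration count.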
In other words, some of the apps store the master password in plain text or ship the encryption key inside the app's code, while others rely on mechanisms so weak that stored passwords can be extracted without any social engineering at all: an attacker only needs to get a malicious app installed on the device.
According to the TeamSIK report, most of the 26 issues were patched by the developers within a month of being reported; the exception at that point was Avast, which had not yet released a fix.
By March 1, however, Avast had also patched its product and released updated versions that address all of the reported issues.