Security issues found in nine password managers for Android (LastPass, Dashlane..)


Security researchers at the Fraunhofer Institute found serious security problems in nine password managers for Android that they analyzed as part of their study.

Password managers are a popular choice when it comes to storing authentication information. All promise secure storage, either locally or remotely, and some add other features to the mix such as password generation, automatic sign-ins, or the saving of sensitive data such as credit card numbers or PINs.

A recent study by the Fraunhofer Institute looked at nine password managers for Google's Android operating system from a security point of view. The researchers analyzed the following password managers: LastPass, 1Password, My Passwords, Dashlane Password Manager, Informaticore's Password Manager, F-Secure Key, Keepsafe, Keeper, and Avast Passwords.

Some of the apps have more than 50 million installations, and all have at least 100,000 installations.

Password Managers on Android security analysis

The team's conclusion should worry anyone who uses a password manager on Android. While it is unclear whether other password manager apps for Android have vulnerabilities as well, there is at least a chance that this is indeed the case.

The overall results were very worrying and revealed that password manager apps, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users' confidence and expose them to high risks.

At least one security vulnerability was identified in each of the apps the researchers analyzed. This went as far as some apps storing the master key in plain text, and others using hard-coded cryptographic keys in code. In another case, installing a simple helper app was enough to extract the passwords stored by the password manager.

Three vulnerabilities were identified in LastPass alone. First a hard-coded master key, then data leaks in browser search, and finally a vulnerability affecting LastPass on Android 4.0.x and lower which allows attackers to steal the stored master password.

  • SIK-2016-022: Hardcoded Master Key in LastPass Password Manager
  • SIK-2016-023: Privacy, Data leakage in LastPass Browser Search
  • SIK-2016-024: Read Private Data (Stored Masterpassword) from LastPass Password Manager
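The hard-coded key and plaintext master password findings come down to one question: can the data file be decrypted by someone who has only the APK and the file, or does decryption require the user's master password? The following script is an added illustration of that difference, not code from Fraunhofer or from any of the apps studied. The key bytes, the sample credential and the salt are constructed for the example; an HMAC-SHA256 counter-mode keystream stands in for a real cipher so the script runs on the Python standard library alone, and the PBKDF2 iteration count is an assumed placeholder, not a recommendation.

```python
import hashlib
import hmac
import os

# Vulnerable pattern: an encryption key embedded in the app binary.
# Constructed value for illustration only; it is not any real app's key.
HARDCODED_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

# Assumed placeholder; tune per device benchmarks in a real implementation.
PBKDF2_ROUNDS = 100_000


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Stand-in for a real cipher so the example runs on the standard library;
    the point of the example is who holds the key, not the cipher itself.
    """
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def vault_encrypt_hardcoded(secret: bytes) -> bytes:
    """How a hard-coded-key app 'protects' a stored secret: random nonce, fixed key."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(HARDCODED_KEY, nonce, secret)


def attacker_decrypt_hardcoded(blob: bytes) -> bytes:
    """Anyone who unpacked the APK has the key, so the master password is never needed."""
    return keystream_xor(HARDCODED_KEY, blob[:16], blob[16:])


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Hardened pattern: 64 bytes of key material from the master password and a per-install salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS, dklen=64)


def vault_encrypt_derived(secret: bytes, master_password: str, salt: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from the master password."""
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    ct = keystream_xor(enc_key, nonce, secret)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def vault_decrypt_derived(blob: bytes, master_password: str, salt: bytes):
    """Return the secret, or None when the password (and therefore the key) is wrong."""
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return keystream_xor(enc_key, nonce, ct)


def demo():
    secret = b"hunter2-for-bank.example"  # constructed sample credential
    # 1) hard-coded key: the data file alone is enough to recover the secret
    leaked = attacker_decrypt_hardcoded(vault_encrypt_hardcoded(secret))
    # 2) derived key: a wrong master password fails authentication, the right one succeeds
    salt = os.urandom(16)
    blob = vault_encrypt_derived(secret, "correct horse", salt)
    wrong = vault_decrypt_derived(blob, "Correct horse", salt)
    right = vault_decrypt_derived(blob, "correct horse", salt)
    return leaked == secret, wrong is None, right == secret


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` reports that the hard-coded-key blob decrypts without any password while the derived-key blob only opens for the correct one. On a real device the derived key would additionally be wrapped by hardware-backed key storage, and the salt would be stored alongside the vault rather than in the code.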

Four vulnerabilities were identified in Dashlane, another popular password manager app. These vulnerabilities allowed attackers to read private data from the app folder, abuse information leaks, and run an attack to extract the master password.

  • SIK-2016-028: Read Private Data From App Folder in Dashlane Password Manager
  • SIK-2016-029: Google Search Information Leakage in Dashlane Password Manager Browser
  • SIK-2016-030: Residue Attack Extracting Masterpassword From Dashlane Password Manager
  • SIK-2016-031: Subdomain Password Leakage in Internal Dashlane Password Manager Browser

The popular 1Password app for Android had five vulnerabilities, including privacy issues and password leakage.

  • SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
  • SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
  • SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
  • SIK-2016-041: Read Private Data From App Folder in 1Password Manager
  • SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager
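The subdomain leakage entries for Dashlane and 1Password, and the https-to-http downgrade entry for 1Password, are all failures of the same check: deciding which stored credential an internal browser is allowed to fill on the current page. The script below is an added example of a loose matcher beside a strict one; it is not the matching code of either app, and the vault entries and URLs are constructed for the illustration. The strict matcher uses exact-host, https-only matching as its policy; that choice is the example's assumption, not something the study prescribes.

```python
from urllib.parse import urlsplit

# Constructed vault entries for the example; not real credentials.
VAULT = [
    {"url": "https://example.com/login", "username": "alice", "password": "pw-for-example.com"},
    {"url": "https://mail.example.org/", "username": "alice", "password": "pw-for-mail"},
]


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def autofill_weak(page_url: str, vault=VAULT) -> list:
    """Loose matcher: a stored host matches any page host that ends in it.

    'evil.example.com' and even 'notexample.com' receive example.com's password,
    and an http:// page is filled exactly like an https:// one.
    """
    host = _host(page_url)
    return [e for e in vault if host.endswith(_host(e["url"]))]


def autofill_strict(page_url: str, vault=VAULT) -> list:
    """Strict matcher: https only, and the host must match exactly.

    Filling on sub.example.com for an example.com entry (registrable-domain
    matching) is a policy choice that needs a public-suffix list; exact host
    is the safe default and is what this example implements.
    """
    page = urlsplit(page_url)
    if page.scheme != "https":
        return []  # never hand a password to a plaintext page (the downgrade case)
    host = _host(page_url)
    return [
        e for e in vault
        if urlsplit(e["url"]).scheme == "https" and _host(e["url"]) == host
    ]


def leaked_passwords(page_url: str) -> set:
    """Passwords the loose matcher would fill on this page that the strict one refuses."""
    weak = {e["password"] for e in autofill_weak(page_url)}
    strict = {e["password"] for e in autofill_strict(page_url)}
    return weak - strict


if __name__ == "__main__":
    for url in (
        "https://example.com/login",       # legitimate page: both matchers fill
        "https://evil.example.com/login",  # attacker-controlled subdomain
        "https://notexample.com/",         # plain suffix collision
        "http://example.com/login",        # downgraded to plaintext
    ):
        print(url, "->", sorted(leaked_passwords(url)))
```

Only the first URL yields an empty leak set; the other three show the loose matcher filling `example.com`'s password onto a page that should never receive it. The same check belongs in the app-to-app auto-fill path, where the identifier being matched is a package name rather than a host and needs to be verified against the app's signing certificate.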

You can check out the full list of analyzed apps and their vulnerabilities on the Fraunhofer Institute website.

Note: The companies that develop the apps have addressed all disclosed vulnerabilities; some fixes are still in development. It is recommended that you update the apps as soon as possible if you run them on your mobile devices.

The conclusion of the research team is quite devastating:

While this shows that even the most basic functions of a password manager are frequently vulnerable, these apps also provide additional features, which can, again, affect security. We found that, for example, auto-fill functions for apps could be abused to steal the stored secrets from the password manager app using "hidden phishing" attacks. For a better support of auto-filling password forms in web pages, some of the apps provide their own web browsers. These browsers are an additional source of vulnerabilities, such as privacy leakage.

Now You: Do you use a password manager app? (via The Hacker News)


The post Security issues found in nine password managers for Android (LastPass, Dashlane..) appeared first on gHacks Technology News.