A password manager is expected to be secure, right? Just because it is expected does not mean that is necessarily the truth. There are password managers on Android that have a security flaw in which usernames and passwords can be picked up. It happens when the password manager uses the device’s clipboard to enter information. The security flaw was identified in early 2013 and a fix has yet to be issued.
The blame is not on individual password managers but rather Android itself. Other applications, such as proof of concept ClipCaster, can swoop in and snag usernames and passwords with ease. They do not require any permissions when installing, so it is not like there is anything to be weary of. An app like ClipCaster silently takes what was attached to the clipboard.
One password manager known to be affected is LastPass. There are others, but CEO Joe Siegrist has stepped forward to make it clear that this is a problem within Android: “This is an OS-level issue that impacts everything running on Android. If you use the clipboard to copy any data, a malicious app could obtain it—like installing a clipboard monitoring software on Windows or a keylogger on Windows. You can compromise your security by installing bad software.” Siegrist follows by advising users of password managers to only install apps they trust.
Google does have measures in place to scan apps for authenticity, but that can only go so far. If you are feeling uneasy about how secure your device is, go ahead and install a mobile security app. One of the best out there is Lookout, but there are other options such as Avast or AVG.
Source: Ars Technica
Come comment on this article: Password managers on Android are not as secure as one would think
Visit TalkAndroid for Android news, Android guides, and much more!
