A design flaw in the way several popular password managers identify legitimate Android apps could be exploited to launch phishing attacks that harvest users' credentials.
Researchers with the University of Genoa and EURECOM inspected popular mobile password managers that autofill credentials into Android applications and concluded that the way these tools identify apps could allow an attacker to slip by with a spoofed app and scoop up victims' credentials.
“The number of design issues and the variety of vulnerable heuristics that we have identified in leading password managers suggest that the insights offered in this paper are not well-understood by the community,” researchers wrote in a report released Wednesday. “The possibility of abusing Instant apps and hidden fields make these attacks even more problematic and practical.”
Researchers investigated four leading third-party mobile password manager apps – Keeper, Dashlane, LastPass, and 1Password.
Many mobile password managers support autofill into Android apps: credentials created for a website are offered to the user when she is inside the app associated with that site. To link an app to a website, these tools rely on the app's package name as the main identifier.
However, this is where the issue lies: some password managers trust the package name (or other app-supplied metadata) without verifying that the app actually belongs to the site's owner. As a result, a malicious app can systematically lure password managers into leaking credentials associated with arbitrary attacker-chosen websites.
Because a package name is simply a string declared in the app's manifest, an attacker can pick one that the manager's heuristics map to a target website. The manager then treats that name as proof of the app's identity, with no further verification, and offers to autofill the victim's credentials into the attacker's app.
“These attacks effectively make mobile phishing more practical: differently than all previous works, the user is not even asked to type her credentials; the user is just asked to allow password managers to autofill the credentials on her behalf,” researchers said in a report.
Password Manager Response
LogMeIn, the owner of LastPass, told Threatpost that mitigations for the issue have been released: the app now requires explicit user approval before filling credentials into any unknown app.
"This particular vulnerability in Android's app ecosystem was brought to our attention by the University of Genoa, Italy, and EURECOM researchers through our Bug Bounty Program," a spokesperson said. "While continued efforts from the web and Android communities will also be required, we have already implemented changes to our LastPass Android app to mitigate and minimize the risk of the potential attack detailed in this report… and we've increased the integrity of our app associations database in order to minimize the risk of any 'fake apps' being filled/accepted."
Keeper also responded to the report on its blog, saying it has added a popup message when a user links an app to warn them that Keeper cannot validate the authenticity of the app.
“Keeper never auto-fills login and password credentials into any application without the user’s consent,” the company said in its post.
At this time, both Keeper and LogMeIn said they have no indication of any sensitive user data being compromised or phishing attacks being launched through their platforms.
A spokesperson at 1Password told Threatpost that the company is mitigating the issue by implementing Digital Asset Links "in a privacy preserving way." Android Digital Asset Links let a website publish a verifiable statement at a well-known URL on its own domain, naming the package name and signing-certificate fingerprint of the app it trusts, so a password manager can check an app-to-site association against the site itself rather than against the app's own claims.
"What steps are we taking now? The answer is that we are moving forward with what Simone Aonzo and his co-authors recommended: Using Digital Asset Links (DAL). We had not done so earlier because the tools for doing so were not as robust as they have now become… We don't want someone tricking 1Password into tricking a user, and so we will not depend on unreliable and potentially malicious information from apps," said the 1Password spokesperson.
Dashlane did not respond to requests for comment from Threatpost.
Further Design Faux Pas
Another feature, Instant Apps, lets users try an Android app by tapping a link, without installing the app. Developers upload small modules of their app and associate a URL pattern with each.
However, an attacker can abuse Instant Apps remotely: a victim who follows a link lands in attacker-controlled, full-screen UI without having installed anything, and has little to tell a real app from a malicious one.
For example, an attacker could present a full-screen Facebook login view inside an instant app, deceiving the victim into believing the app is the social media platform and entering her credentials into it.
“This technology, while indeed a very useful Android feature, can make phishing attacks more practical,” researchers said. “The key observation is that Instant Apps provide an attacker the ability to gain full control over the device UI, without the need of installing an app.”
"Secure-by-Design" API
Researchers stressed that the key design issue in the app syncing mechanisms is that the apps use package names as their main verification method. This puts the “daunting task” on developers to map apps to their associated domain names – and “given the number of security issues and misplaced trust assumptions we have identified in leading password managers, we believe third-party developers should not be asked to implement this critical step.”
Instead, the research team proposed a new secure-by-design API that would directly provide password managers and other tools with the list of domain names a given app is legitimately associated with.
“We propose a new API that implements a secure-by-design mechanism by using domain names as the only abstraction that password managers need to interact with,” they said. “Since credentials are created for websites, we argue this is a better abstraction level.”
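To make the design point concrete, the following Python sketch is an added illustration by the editor; it is not code from the paper or from any of the password managers named above. It contrasts a package-name heuristic of the kind the researchers criticise (a generic "reverse the package name into a domain" rule, not the exact logic of any named product) with a check against a site's Digital Asset Links statement, and finishes with a lookup that returns domains for an OS-attested app identity, which is the domain-first abstraction the proposed API would offer. All package names, domains and certificate bytes are constructed for the example.

```python
import hashlib
import json

# DAL relation that authorises sharing login credentials with an app
# (the relation Android's Autofill framework and Smart Lock check).
GET_LOGIN_CREDS = "delegate_permission/common.get_login_creds"


def domain_from_package_name(package_name: str) -> str:
    """Weak heuristic of the kind the researchers criticise (illustrative, not
    the exact rule of any named manager): reverse the first two labels of the
    package name into a domain. The package name is whatever the APK's
    manifest declares, so this turns attacker-chosen input into a trusted
    site name."""
    labels = package_name.lower().split(".")
    if len(labels) < 2:
        return package_name.lower()
    return f"{labels[1]}.{labels[0]}"


def sha256_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of a DER-encoded signing certificate in the colon-separated,
    upper-case form that assetlinks.json uses."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def assetlinks_allows(assetlinks_json: str, package_name: str, cert_der: bytes) -> bool:
    """True only if the site's assetlinks.json contains a statement granting
    get_login_creds to this package name AND this signing certificate.
    On a device both values must be read from PackageManager, never from
    anything the app itself supplies."""
    wanted = sha256_fingerprint(cert_der)
    for statement in json.loads(assetlinks_json):
        target = statement.get("target", {})
        if GET_LOGIN_CREDS not in statement.get("relation", []):
            continue
        if target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != package_name:
            continue
        fingerprints = {fp.upper() for fp in target.get("sha256_cert_fingerprints", [])}
        if wanted in fingerprints:
            return True
    return False


def domains_for_app(dal_by_domain: dict, package_name: str, cert_der: bytes) -> list:
    """Domain-first lookup: given an OS-attested app identity, return the
    domains whose published statements vouch for it. The manager only ever
    reasons about domains; it never guesses one from the package name."""
    return sorted(domain for domain, statements in dal_by_domain.items()
                  if assetlinks_allows(statements, package_name, cert_der))


# Constructed sample data: stand-ins for DER certificates and for the
# assetlinks.json that https://bank.example/.well-known/assetlinks.json
# would serve. None of it is real.
LEGIT_CERT = b"constructed stand-in for the bank app's signing certificate"
ATTACKER_CERT = b"constructed stand-in for the attacker's signing certificate"

DAL_BY_DOMAIN = {
    "bank.example": json.dumps([{
        "relation": [GET_LOGIN_CREDS],
        "target": {
            "namespace": "android_app",
            "package_name": "example.bank.android",
            "sha256_cert_fingerprints": [sha256_fingerprint(LEGIT_CERT)],
        },
    }]),
    "shop.example": json.dumps([]),  # site publishes no app statements
}


def demo() -> dict:
    """Run the weak heuristic and the DAL check side by side."""
    legit = ("example.bank.android", LEGIT_CERT)
    # Sideloaded phishing app: attacker-chosen package name, attacker's key.
    phish = ("example.bank.phish", ATTACKER_CERT)
    # Attacker re-using the real package name on a device without the real app.
    clone = ("example.bank.android", ATTACKER_CERT)
    return {
        "heuristic_legit": domain_from_package_name(legit[0]),
        "heuristic_phish": domain_from_package_name(phish[0]),  # also bank.example
        "dal_legit": domains_for_app(DAL_BY_DOMAIN, *legit),
        "dal_phish": domains_for_app(DAL_BY_DOMAIN, *phish),
        "dal_clone": domains_for_app(DAL_BY_DOMAIN, *clone),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The heuristic maps both the genuine app and the phishing app to bank.example, which is exactly the misplaced trust the article describes; the DAL check rejects the phishing app and also rejects a sideloaded clone that reuses the genuine package name, because the clone cannot be signed with the bank's key. In a real manager the assetlinks.json must be fetched over HTTPS from the site's own domain and cached, and the package name and certificate must come from the OS package manager. Sites that publish no statements (shop.example here) yield no domains at all, so the manager should fall back to asking the user before filling, as LastPass and Keeper now do.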
Google didn’t respond to a request for comment from Threatpost.