Password managers have become increasingly important to smartphone users because they fill in login forms on web pages and in applications instead of the user typing everything out.
They also relieve users of having to remember a large number of different usernames and passwords.
However, a credential-stealing technique has been identified that needs neither social engineering nor malicious code. Threat actors can abuse the legitimate Autofill service that Android provides to steal credentials from users.
Android's autofill process is insecure when a password manager fills a third-party login page that an application renders inside itself. The Autofill framework lets applications draw on the built-in or an external password manager to fill login forms.
The weakness lies in the WebView control that Android provides to applications. A WebView lets an app render web content inside its own UI instead of handing off to the system browser, which gives users a seamless experience.
This embedded browser is also commonly used to sign in to other websites or services through OAuth-style flows such as "Login with Google" or "Login with Microsoft".
WebView Becomes a Risk
When such an app shows a third-party login page inside its WebView, the Autofill framework offers to fill the form from the password manager.
The researchers found that the filled credentials leak to the host application rather than staying confined to the login page inside the WebView.
In other words, when a user signs in through "Login with Google", "Login with Microsoft" or similar inside an app's WebView, the app renders the authentication page and the user accepts the autofill suggestion (offered by the Autofill framework, or inline in the keyboard) to fill it in.
During that fill, the credentials stored in the Android password manager are also delivered to the application hosting the WebView; how much leaks depends on which native username and password fields the host app places in the same view, as the results table below shows. A threat actor whose app hosts the WebView can therefore harvest credentials without any malicious code or phishing.
The research was presented at Black Hat Europe 2023. The attack was reported to the affected vendors, and patches have been rolled out for the affected versions.
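The leak described above comes down to scoping: the password manager fills every username and password field in the window, so fields belonging to the host app receive the credential meant for the web page in the WebView. The following Kotlin sketch is an added illustration of the origin check a password manager's `AutofillService` needs; it is not the researchers' code nor any shipping password manager's fix. The package name, the in-memory vault and the domain-to-package association map are constructed placeholders; a real manager would verify app-to-domain association with Digital Asset Links rather than a hard-coded map.

```kotlin
// Added illustration (not the AutoSpill authors' code, not a real password manager's):
// an AutofillService that binds a fill to the origin that requested it.
// Package names, the vault and the association map are constructed placeholders.
package com.example.scopedautofill

import android.app.assist.AssistStructure
import android.app.assist.AssistStructure.ViewNode
import android.os.CancellationSignal
import android.service.autofill.AutofillService
import android.service.autofill.Dataset
import android.service.autofill.FillCallback
import android.service.autofill.FillRequest
import android.service.autofill.FillResponse
import android.service.autofill.SaveCallback
import android.service.autofill.SaveRequest
import android.view.View
import android.view.autofill.AutofillId
import android.view.autofill.AutofillValue
import android.widget.RemoteViews

data class Credential(val username: String, val password: String)

/** A fillable field plus the web domain it came from (null for a native widget). */
data class Target(val id: AutofillId, val hint: String, val webDomain: String?)

class ScopedAutofillService : AutofillService() {

    // Constructed sample vault, keyed by web domain.
    private val vault = mapOf(
        "accounts.example.com" to Credential("alice", "correct horse battery staple"),
    )

    // Host apps allowed to receive a domain's credential in their *native* fields.
    // Assumption for this example; verify with Digital Asset Links in practice.
    private val associatedPackages = mapOf(
        "accounts.example.com" to setOf("com.example.accounts"),
    )

    override fun onFillRequest(request: FillRequest, signal: CancellationSignal, callback: FillCallback) {
        val structure = request.fillContexts.last().structure
        val hostPackage = structure.activityComponent.packageName
        val (domain, chosen) = selectTargets(collectTargets(structure), hostPackage)
            ?: return callback.onSuccess(null)   // nothing we are willing to fill here
        val cred = vault.getValue(domain)

        val presentation = RemoteViews(packageName, android.R.layout.simple_list_item_1)
        presentation.setTextViewText(android.R.id.text1, "${cred.username} ($domain)")
        val dataset = Dataset.Builder(presentation)
        for (t in chosen) {
            val text = if (t.hint == View.AUTOFILL_HINT_PASSWORD) cred.password else cred.username
            dataset.setValue(t.id, AutofillValue.forText(text))
        }
        callback.onSuccess(FillResponse.Builder().addDataset(dataset.build()).build())
    }

    override fun onSaveRequest(request: SaveRequest, callback: SaveCallback) = callback.onSuccess()

    /**
     * Walk the view tree and collect every username/password field. Nodes that
     * come from WebView content carry a webDomain; native widgets do not. HTML
     * autocomplete attributes are mapped onto the same two autofill hints.
     */
    private fun collectTargets(structure: AssistStructure): List<Target> {
        val out = mutableListOf<Target>()
        fun walk(node: ViewNode) {
            val hint = node.autofillHints?.firstOrNull { it in LOGIN_HINTS }
                ?: node.htmlInfo?.attributes
                    ?.firstOrNull { it.first.equals("autocomplete", ignoreCase = true) }
                    ?.let { HTML_AUTOCOMPLETE[it.second.lowercase()] }
            val id = node.autofillId
            if (hint != null && id != null) out += Target(id, hint, node.webDomain)
            for (i in 0 until node.childCount) walk(node.getChildAt(i))
        }
        for (i in 0 until structure.windowNodeCount) walk(structure.getWindowNodeAt(i).rootViewNode)
        return out
    }

    /**
     * The scoping rule whose absence produces the leak: a naive manager fills
     * every login field in the window regardless of origin, so the host app's
     * native fields receive the web page's credential. Here a request that
     * contains web fields is bound to exactly one web domain, and the host's
     * native fields ride along only if the host package is associated with it.
     */
    fun selectTargets(targets: List<Target>, hostPackage: String): Pair<String, List<Target>>? {
        val webDomains = targets.mapNotNull { it.webDomain }.toSet()
        val domain = when (webDomains.size) {
            0 -> domainForPackage(hostPackage) ?: return null   // native-only form of an unknown app
            1 -> webDomains.single()
            else -> return null                                   // mixed web origins: refuse to guess
        }
        if (domain !in vault) return null
        val hostAssociated = hostPackage in associatedPackages[domain].orEmpty()
        val chosen = targets.filter { it.webDomain == domain || (it.webDomain == null && hostAssociated) }
        return if (chosen.isEmpty()) null else domain to chosen
    }

    private fun domainForPackage(pkg: String): String? =
        associatedPackages.entries.firstOrNull { pkg in it.value }?.key

    private companion object {
        val LOGIN_HINTS = setOf(View.AUTOFILL_HINT_USERNAME, View.AUTOFILL_HINT_PASSWORD)
        val HTML_AUTOCOMPLETE = mapOf(
            "username" to View.AUTOFILL_HINT_USERNAME,
            "current-password" to View.AUTOFILL_HINT_PASSWORD,
            "password" to View.AUTOFILL_HINT_PASSWORD,
        )
    }
}
```

To try it, the service must be declared in the manifest with the `android.permission.BIND_AUTOFILL_SERVICE` permission and an intent filter for `android.service.autofill.AutofillService`, then selected as the device's autofill service. With an unassociated host app showing `accounts.example.com` in a WebView, `selectTargets` returns only the WebView's fields, so native fields the host places beside it stay empty; with no WebView at all and an unknown package, it returns null and nothing is filled.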
| Password manager | Native username and password fields in app view | Only native username field | Only native password field | No native fields |
|---|---|---|---|---|
| Google Smart Lock | U+P | U/P | U/P | U/P |
| Dashlane | U+P | U/P | U/P | U/P |
| 1Password | ✗ | ✗ | U/P | U/P |
| LastPass | U+P | U/P | U/P | U/P |
| Enpass | U+P | U/P | U/P | U/P |
| Keepass2Android | U+P | U/P | U/P | U/P |
| Keeper | U+P | U/P | U/P | U/P |

✗: autofilling does not work at all. U+P: the host app view received and stole both username and password. U/P: the host app view received both username and password and stole the credential of its choice.
For more details, the Black Hat Europe presentation covers the attack's structure, the remediation, and further results.