If you use a password manager to store website login details on your phone, you might be at risk of falling foul of cybercriminals. Security researchers claim to have found serious vulnerabilities in nine popular Android password manager apps, all of which threatened to expose users' information.
Password managers provide a central app for storing login credentials such as usernames and passwords for websites and other online services. This removes the need for users to memorise several sets of login information for various websites: instead, when logging into a secure website users simply enter a "master" password for the app and their login information is filled in automatically.
Yet experts have shown that this convenience comes at the expense of security. Researchers from the Fraunhofer Institute for Secure Information Technology in Germany uncovered serious security flaws in nine password managers freely available in the Android app store, including LastPass, 1Password, My Passwords, Dashlane Password Manager, Informaticore's Password Manager, F-Secure KEY, Keepsafe, Keeper, and Avast Passwords.
In some instances, the researchers found that the master passwords were stored in plaintext within the apps without encryption. In others, the master password was contained in the app's source code, meaning anyone able to access this could also access the information stored in the password manager.
Other apps were found to be susceptible to clipboard sniffing. These apps use the Android clipboard to fill out login forms, copying the stored credentials to the clipboard and pasting them into the form. If this information isn't properly scrubbed from the clipboard afterwards, it can potentially be "sniffed out" by malicious apps on the same device.
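As an added illustration of the mitigation (this is not code from the study or from any of the apps named), the helper below shows how an Android app can limit the clipboard exposure described above: it flags the clip as sensitive so the system clipboard preview hides it on Android 13 and later, and it clears the clip after a short timeout unless the user has since copied something else. The class name, label and timeout are assumptions.

```java
import android.content.ClipData;
import android.content.ClipDescription;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Build;
import android.os.Handler;
import android.os.Looper;
import android.os.PersistableBundle;

/** Hypothetical helper: puts a secret on the clipboard with the least exposure Android allows. */
public final class SensitiveClipboard {
    // Assumed timeout: until the clip is cleared, any app allowed to read the clipboard can read the secret.
    private static final long CLEAR_AFTER_MS = 30_000L;
    // The label can appear in clipboard UIs, so keep it non-revealing.
    private static final String LABEL = "password";

    private SensitiveClipboard() {}

    public static void copySecret(Context context, String secret) {
        ClipboardManager clipboard =
                (ClipboardManager) context.getSystemService(Context.CLIPBOARD_SERVICE);
        ClipData clip = ClipData.newPlainText(LABEL, secret);

        // Android 13+: mark the clip as sensitive so the system clipboard preview masks it.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            PersistableBundle extras = new PersistableBundle();
            extras.putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true);
            clip.getDescription().setExtras(extras);
        }
        clipboard.setPrimaryClip(clip);

        // Scrub the clipboard after the timeout so the secret does not linger for other apps to read.
        new Handler(Looper.getMainLooper())
                .postDelayed(() -> clearIfStillOurs(clipboard), CLEAR_AFTER_MS);
    }

    private static void clearIfStillOurs(ClipboardManager clipboard) {
        // Only clear the clipboard if our clip is still the current one.
        ClipDescription current = clipboard.getPrimaryClipDescription();
        if (current == null || current.getLabel() == null
                || !LABEL.contentEquals(current.getLabel())) {
            return;
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            clipboard.clearPrimaryClip();
        } else {
            clipboard.setPrimaryClip(ClipData.newPlainText("", ""));
        }
    }
}
```

On Android 10 and later the system already restricts clipboard reads to the app in the foreground and the default keyboard, so the timeout chiefly limits exposure on older releases. Filling forms through the Android Autofill framework instead of the clipboard avoids the problem altogether.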
The researchers labelled the results "extremely worrying". All of the apps analysed in the study have been downloaded at least 100,000 times, with others boasting install bases in the millions.
Since the study was published, all of the vulnerabilities highlighted are reported to have been fixed by the app developers. Regardless, the researchers concluded that password managers did not provide adequate protection for users and suggested they in fact put users at greater risk of having their private information compromised.
"Password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users' confidence and expose them to high risks," they wrote.
"While this shows that even the most basic functions of a password manager are often vulnerable, these apps also provide additional features, which can, again, affect security. We found that, for example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using hidden phishing attacks."
In January, a study by security experts in Australia discovered that more than a third of VPN apps available for Android contained malware or other forms of malicious content.