A group of security researchers called TeamSIK has published a security assessment of nine popular password management applications on Android devices and found them all to contain security vulnerabilities.
The group, who belong to the Fraunhofer Institute for Secure Information Technology (SIT) in Darmstadt, Germany, said: "The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials."
The team examined My Passwords, Informaticore Password Manager, LastPass, Keeper, F-Secure KEY, Dashlane, Hide Pictures Keep Safe Vault, Avast Passwords, and 1Password.
The researchers found one or more security vulnerabilities in each of the password managers, and the group exercised responsible disclosure by alerting the respective vendor of each app to the vulnerabilities they had found. All but three of the vulnerabilities are now fixed.
The advice, as ever, is to patch whichever password manager you use as soon as possible to stay safe, as the paper released contains all the information needed to carry out cyber-attacks based on the vulnerabilities disclosed.
The vulnerabilities identified are of mixed severity: some apps stored the master password in plain text, and some used hard-coded cryptographic keys embedded in the application code.
Other, slightly less serious, findings were design flaws that allowed the researchers to extract credentials using a “third-party app”.
In many cases, the apps fail to account for the possibility of clipboard sniffing, which becomes possible when a user copies login details from the app to the clipboard in order to paste them into another app or a website.
Many of the apps offer features which on occasion put the security of the app in jeopardy for the sake of convenience. There are apps which have a built-in web browser which significantly expands the attack surface.
The researchers also found auto-fill functions in apps which could be used to capture stored secrets through hidden phishing attacks.
The news is slightly worrying. Currently, it is widely recommended that users make use of password managers, as it is the only way to ensure the large password sets the average user now has stay away from prying eyes.
However, as with any piece of software, they have flaws. This is not to say that password managers aren't worth it. It's just that those using these apps must ensure they are kept patched and securely configured to keep them from being broken into. The full list of vulnerabilities found by TeamSIK can be found here.