(moving this to guardian-dev) This would be a very nice application of our TrustedIntents library. We could define an Intent method for handing a password, then add TrustedIntents to KeePassDroid and then our apps, especially Orweb and Orfox. I think that would serve as a good example as a way to fix this issue without having to change Android itself at all.
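An added example, not code from this post, from TrustedIntents or from KeePassDroid, of the check such a password-handing Intent depends on, written directly against the Android PackageManager API: the password manager verifies the signing certificate of the app that called it with startActivityForResult() and returns the password via setResult(), so the credential never touches the clipboard. The class name, EXTRA_PASSWORD, the certificate fingerprint and the vault lookup are placeholders.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;
import java.security.MessageDigest;

/** Password-manager side: hand one password back, but only to a caller signed with a pinned key. */
public class HandPasswordActivity extends Activity {
    // Hypothetical extra name for the returned password (not a real KeePassDroid identifier).
    public static final String EXTRA_PASSWORD = "org.example.trustedpw.PASSWORD";
    // Placeholder: lowercase hex SHA-256 of the DER-encoded signing certificate of the apps we trust.
    private static final String TRUSTED_CERT_SHA256 = "<PLACEHOLDER-SHA256-OF-TRUSTED-SIGNING-CERT>";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Only startActivityForResult() gives us a calling activity to verify; a plain
        // startActivity(), a broadcast or the clipboard carries no sender identity at all.
        ComponentName caller = getCallingActivity();
        if (caller == null || !isSignedByTrustedKey(caller.getPackageName())) {
            setResult(RESULT_CANCELED); // fail closed: unknown or unverifiable caller
            finish();
            return;
        }
        Intent result = new Intent().putExtra(EXTRA_PASSWORD, lookupPassword(caller));
        setResult(RESULT_OK, result); // delivered only to the caller's onActivityResult()
        finish();
    }

    /** Pin the caller's APK signing certificate; a package name alone can be claimed by anyone. */
    private boolean isSignedByTrustedKey(String packageName) {
        try {
            PackageInfo info = getPackageManager().getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length != 1) return false; // reject multi-signer APKs
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(info.signatures[0].toByteArray());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString().equalsIgnoreCase(TRUSTED_CERT_SHA256);
        } catch (Exception e) {
            return false; // NameNotFoundException, NoSuchAlgorithmException: fail closed
        }
    }

    /** Constructed stand-in for the vault lookup; the real lookup is out of scope here. */
    private String lookupPassword(ComponentName caller) {
        return "s4f3p4assw0rd"; // the article's dummy password, used only as sample data
    }
}
```

The browser side (Orweb or Orfox in the proposal) would start this Activity with startActivityForResult() and read EXTRA_PASSWORD in onActivityResult(), so the password travels inside the Activity result rather than through a clipboard any app can read.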
.hc

noel hidalgo | gProject:
> http://arstechnica.com/security/2014/11/using-a-password-manager-on-android-it-may-be-wide-open-to-sniffing-attacks/
>
> RISK ASSESSMENT / SECURITY & HACKTIVISM
> Using a password manager on Android? It may be wide open to sniffing attacks
>
> Proof-of-concept exploit against LastPass could easily be extended to other apps.
>
> by Dan Goodin - Nov 21, 2014 6:55 pm UTC
>
> In early 2013, researchers exposed some unsettling risks stemming from Android-based password managers. In a paper titled "Hey, You, Get Off of My Clipboard," they documented how passwords managed by 21 of the most popular such apps could be accessed by any other app on an Android device, even those with extremely low-level privileges. They suggested several measures to help fix the problem.
>
> Almost two years later, the threat remains viable in at least some, if not all, of the apps originally analyzed. An app recently made available on Google Play, for instance, has no trouble divining the passwords managed by LastPass, one of the leading managers on the market, as well as the lesser-known KeePassDroid. With additional work, it's likely that the proof-of-concept ClipCaster app would work seamlessly against many other managers, too, said Xiao Bao Clark, the Australia-based programmer who developed it. While ClipCaster does nothing more than display the plaintext of passwords that LastPass and KeePassDroid funnel through Android handsets, a malicious app with only network privileges could send the credentials to an attacker without the user having any idea what was happening.
>
> "Besides the insecurity of it, what annoyed me was that I was never told any of this while I was signing up or setting up the LastPass app," Clark wrote in an e-mail. "Instead, I got the strong impression from LastPass that everything was very secure, and I needn't worry about any of it. If they at least told users the security issues using these features brings, then the users themselves could decide on their own trade-off between usability and security. Not mentioning it at all strikes me as disingenuous."
>
> Asked if LastPass has ever notified users of the risk, company CEO Joe Siegrist didn't give a yes or no answer. Instead, he responded, "This is an any clipboard activity problem [his emphasis] and impacts any password manager involving the clipboard (100% of them)—the way all password managers have consistently allowed you to enter your password into other apps since Android has existed. This demonstration is aimed at LastPass, but it's the whole of Android that must be addressed."
>
> Clark agreed that any Android-based password manager that uses the OS clipboard is susceptible. He strongly recommends that people stop using any app setup that works this way. Many apps use standalone browsers, browser extensions, or software keyboards to enter credentials into login fields. There is no evidence they are susceptible to sniffing. The reason ClipCaster takes special aim at LastPass, Clark said, is simple. It just happened to be the manager he installed on his phone. There are no reports that password managers running on iOS or Windows Phone are vulnerable. But there can be no way to know for sure, since Ars is unaware of any comprehensive study testing the security of managers on those platforms.
>
> As already alluded to, the threat stems from the use of the Android clipboard, which acts as a temporary cache for text that is being copied and pasted, either within the same app or from one app to another. Android has no official programming interface that secures the clipboard. By design, its contents are available to any app installed on the phone, from the highest privileged banking app to one with no privileges at all. (ClipCaster, for instance, requires no permissions.) Siegrist rightly noted that any password manager that makes use of the Android clipboard—and there are plenty, including LastPass—is vulnerable.
>
> LastPass has several different methods for plucking passwords out of their highly fortified vault and plugging them into the password field of a browser or app. Not all of the options are susceptible to sniffing, but notably, the one LastPass recommends that Android users choose leaves them wide open. The option is known as autofill, a feature that seamlessly plugs passwords into apps and the Chrome browser.
>
> Shortly after installing LastPass, Clark came across the 2013 paper that discussed the clipboard vulnerability. It got him wondering about the security of his decision, so he began analyzing the JavaScript autofill uses to populate username and password fields in Chrome. In about an hour, he had a crude but working exploit that monitored the Android clipboard and captured login credentials transported by autofill. His proof-of-concept app works by listening to the notices the clipboard broadcasts to installed apps and looking for familiar patterns in the code.
>
> Clark concocted a dummy account containing the username "[email protected]" and the password "s4f3p4assw0rd," and observed the way the credentials were funneled through the clipboard. Autofill wrote a blob of code to the clipboard and then pasted it into the address bar of Chrome. The code contained the following telltale lines:
>
>     if (l_bte) { ;
>         l_sfv(l_bte, decodeURIComponent(escape(atob('ai5kb2VAYWN0aXNlYy5jb20='))))
>     }
>     l_sfv(l_bpe, decodeURIComponent(escape(atob('czRmZXBhc3N3MHJk'))));
>
> [Image: ClipCaster sniffing the password "s4f3p4assw0rd" as a user logs in to Facebook. Credit: Xiao Bao Clark]
>
> "atob" is a JavaScript function for decoding strings that have been converted into base64-encoded representations. Presumably, LastPass developers chose the encoding to make it less obvious to other apps what the clipboard contents are. But to anyone with a modest amount of training, the measure is little more than an exercise in the largely discredited protection known as "security through obscurity." ClipCaster monitors the clipboard for the patterns, decodes the base64 strings and, as illustrated in the image to the right, displays them.
>
> In e-mails sent to Ars, Siegrist, the LastPass CEO, rightly noted that the vulnerability isn't unique to his company's product, or even to Android devices.
>
> "This is an OS-level issue that impacts everything running on Android," he said. "If you use the clipboard to copy any data, a malicious app could obtain it—like installing a clipboard monitoring software on Windows or a keylogger on Windows. You can compromise your security by installing bad software."
>
> Siegrist also noted that attacks like the one carried out by ClipCaster work only when LastPass or another password manager runs on an Android device that has a malicious app installed, and then only when the manager uses the device's clipboard. The CEO said that LastPass users should run only "trusted" apps, meaning those distributed over Google Play by a trusted company and widely used and reviewed.
>
> Still, his statements omit some important distinctions. First, LastPass on Windows doesn't use the clipboard to pass login credentials to Chrome, and presumably other browsers, Clark's research found. And second, most Windows users—and a growing number of Mac users as well—use antivirus protection to detect such threats. Android antivirus apps exist, but there's little evidence that most users install one. Third, his advice about installing only trusted apps is sound, but given the regular occurrence of malicious apps that slip through Google defenses and are hosted in the company's official Play Store, it's unrealistic to expect end users to always spot rogue titles.
>
> One of the key defenses of Android is its application sandbox, which prevents one app from accessing sensitive data belonging to another app, presumably under the premise that not all apps will be trustworthy. When an app as sensitive as a password manager doesn't enjoy a protection as crucial as this, the companies should make this limitation explicit. LastPass and the developers of other vulnerable managers should be forthright about the risks and tell users what they can do to protect themselves. In the case of LastPass, the threat can be eliminated simply by opting out of the recommended autofill option and instead using the LastPass browser or LastPass keyboard. Many users may decide the convenience of autofill is worth the added risk, but at least they will be making an informed choice.
>
> Dan Goodin / Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. @dangoodin001

--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81

_______________________________________________
Guardian-dev mailing list
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
