Just to note, this is why I use KeePass2Android (KP2A), which has a dedicated keyboard, that on pressing the "user" or "password" entries will effectively type those in for you. This is not a new issue on Android, and has, in fact, been a public concern for quite some time.
I would recommend KP2A over KeePassDroid now, if only for that reason. Sadly, it can't be included in F-Droid, as KP2A uses Mono for Android, which is not Free Software: https://f-droid.org/forums/topic/keepass2android/

-- 
Jon "The Nice Guy" Spriggs

On 24 November 2014 at 11:24, Hans-Christoph Steiner <[email protected]> wrote:
>
> (moving this to guardian-dev)
>
> This would be a very nice application of our TrustedIntents library. We could define an Intent method for handing a password, then add TrustedIntents to KeePassDroid and then our apps, especially Orweb and Orfox. I think that would serve as a good example of a way to fix this issue without having to change Android itself at all.
>
> .hc
>
> noel hidalgo | gProject:
>
> > http://arstechnica.com/security/2014/11/using-a-password-manager-on-android-it-may-be-wide-open-to-sniffing-attacks/
> >
> > Using a password manager on Android? It may be wide open to sniffing attacks
> >
> > Proof-of-concept exploit against LastPass could easily be extended to other apps.
> >
> > by Dan Goodin - Nov 21, 2014 6:55 pm UTC
> >
> > [Illustration: Aurich Lawson]
> >
> > In early 2013, researchers exposed some unsettling risks stemming from Android-based password managers. In a paper titled "Hey, You, Get Off of My Clipboard," they documented how passwords managed by 21 of the most popular such apps could be accessed by any other app on an Android device, even those with extremely low-level privileges. They suggested several measures to help fix the problem.
> >
> > Almost two years later, the threat remains viable in at least some, if not all, of the apps originally analyzed. An app recently made available on Google Play, for instance, has no trouble divining the passwords managed by LastPass, one of the leading managers on the market, as well as the lesser-known KeePassDroid. With additional work, it's likely that the proof-of-concept ClipCaster app would work seamlessly against many other managers, too, said Xiao Bao Clark, the Australia-based programmer who developed it. While ClipCaster does nothing more than display the plaintext of passwords that LastPass and KeePassDroid funnel through Android handsets, a malicious app with only network privileges could send the credentials to an attacker without the user having any idea what was happening.
> >
> > "Besides the insecurity of it, what annoyed me was that I was never told any of this while I was signing up or setting up the LastPass app," Clark wrote in an e-mail. "Instead, I got the strong impression from LastPass that everything was very secure, and I needn't worry about any of it. If they at least told users the security issues using these features brings, then the users themselves could decide on their own trade-off between usability and security. Not mentioning it at all strikes me as disingenuous."
> >
> > Asked if LastPass has ever notified users of the risk, company CEO Joe Siegrist didn't give a yes or no answer. Instead, he responded, "This is an any clipboard activity problem [his emphasis] and impacts any password manager involving the clipboard (100% of them)—the way all password managers have consistently allowed you to enter your password into other apps since Android has existed. This demonstration is aimed at LastPass, but it's the whole of Android that must be addressed."
> >
> > Clark agreed that any Android-based password manager that uses the OS clipboard is susceptible. He strongly recommends that people stop using any app setup that works this way. Many apps use standalone browsers, browser extensions, or software keyboards to enter credentials into login fields. There is no evidence they are susceptible to sniffing. The reason ClipCaster takes special aim at LastPass, Clark said, is simple. It just happened to be the manager he installed on his phone. There are no reports that password managers running on iOS or Windows Phone are vulnerable. But there can be no way to know for sure, since Ars is unaware of any comprehensive study testing the security of managers on those platforms.
> >
> > As already alluded, the threat stems from the use of the Android clipboard, which acts as a temporary cache for text that is being copied and pasted, either within the same app or from one app to another. Android has no official programming interface that secures the clipboard. By design, its contents are available to any app installed on the phone, from the highest privileged banking app to one with no privileges at all. (ClipCaster, for instance, requires no permissions.) Siegrist rightly noted that any password manager that makes use of the Android clipboard—and there are plenty, including LastPass—is vulnerable.
> >
> > LastPass has several different methods for plucking passwords out of their highly fortified vault and plugging them into the password field of a browser or app. Not all of the options are susceptible to sniffing, but notably, the one LastPass recommends that Android users choose leaves them wide open. The option is known as autofill, a feature that seamlessly plugs passwords into apps and the Chrome browser.
> >
> > Shortly after installing LastPass, Clark came across the 2013 paper that discussed the clipboard vulnerability. It got him wondering about the security of his decision, so he began analyzing the JavaScript autofill uses to populate username and password fields in Chrome. In about an hour, he had a crude but working exploit that monitored the Android clipboard and captured login credentials transported by autofill. His proof-of-concept app works by listening to the notices the clipboard broadcasts to installed apps and looking for familiar patterns in the code.
> >
> > Clark concocted a dummy account containing the username "[email protected]" and the password "s4f3p4assw0rd," and observed the way the credentials were funneled through the clipboard. Autofill wrote a blob of code to the clipboard and then pasted it into the address bar of Chrome. The code contained the following telltale lines:
> >
> >     if (l_bte) { ;
> >         l_sfv(l_bte, decodeURIComponent(escape(atob('ai5kb2VAYWN0aXNlYy5jb20='))))
> >     }
> >     l_sfv(l_bpe, decodeURIComponent(escape(atob('czRmZXBhc3N3MHJk'))));
> >
> > [Image: ClipCaster sniffing the password "s4f3p4assw0rd" as a user logs in to Facebook. Credit: Xiao Bao Clark]
> >
> > "atob" is a JavaScript function for decoding strings that have been converted into base64-encoded representations. Presumably, LastPass developers chose the encoding to make it less obvious to other apps what the clipboard contents are. But to anyone with a modest amount of training, the measure is little more than an exercise in the largely discredited protection known as "security through obscurity." ClipCaster monitors the clipboard for the patterns, decodes the base64 strings and, as illustrated in the image to the right, displays them.
> >
> > In e-mails sent to Ars, Siegrist, the LastPass CEO, rightly noted that the vulnerability isn't unique to his company's product, or even to Android devices.
> >
> > "This is an OS-level issue that impacts everything running on Android," he said. "If you use the clipboard to copy any data, a malicious app could obtain it—like installing a clipboard monitoring software on Windows or a keylogger on Windows. You can compromise your security by installing bad software."
> >
> > Siegrist also noted that attacks like the one carried out by ClipCaster work only when LastPass or another password manager runs on an Android device that has a malicious app installed, and then only when the manager uses the device's clipboard. The CEO said that LastPass users should run only "trusted" apps, meaning those distributed over Google Play by a trusted company and widely used and reviewed.
> >
> > Still, his statements omit some important distinctions. First, LastPass on Windows doesn't use the clipboard to pass login credentials to Chrome, and presumably other browsers, Clark's research found. And second, most Windows users—and a growing number of Mac users as well—use antivirus protection to detect such threats. Android antivirus apps exist, but there's little evidence that most users install one. Third, his advice about installing only trusted apps is sound, but given the regular occurrence of malicious apps that slip through Google defenses and are hosted in the company's official Play Store, it's unrealistic to expect end users to always spot rogue titles.
> >
> > One of the key defenses of Android is its application sandbox, which prevents one app from accessing sensitive data belonging to another app, presumably under the premise that not all apps will be trustworthy. When an app as sensitive as a password manager doesn't enjoy a protection as crucial as this, the companies should make this limitation explicit. LastPass and the developers of other vulnerable managers should be forthright about the risks and tell users what they can do to protect themselves. In the case of LastPass, the threat can be eliminated simply by opting out of the recommended autofill option and instead using the LastPass browser or LastPass keyboard. Many users may decide the convenience of autofill is worth the added risk, but at least they will be making an informed choice.
> >
> > Dan Goodin / Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. @dangoodin001
> >
> > © 2014 Condé Nast. All rights reserved
> >
> > _______________________________________________
> > Guardian-internal mailing list
> > Post: [email protected]
> > List info: https://lists.mayfirst.org/mailman/listinfo/guardian-internal
>
> -- 
> PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
> _______________________________________________
> Guardian-dev mailing list
> Post: [email protected]
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
_______________________________________________ Guardian-dev mailing list Post: [email protected] List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To Unsubscribe Send email to: [email protected] Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/archive%40mail-archive.com You are subscribed as: [email protected]
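The fix Hans-Christoph proposes above (hand the credential to one specific app over an Intent and let TrustedIntents verify the receiver's signing certificate before anything is sent) sketched as added example code; it is not code from the thread, the TrustedIntents library, KeePassDroid or LastPass, it uses plain PackageManager calls rather than the library's own API, and the action and extra names are hypothetical.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.security.MessageDigest;
import java.util.Locale;

/** Hands a credential to another app only if that app's signing certificate matches a pin. */
public final class PinnedCredentialHandoff {
    // Hypothetical names: the thread only proposes "an Intent method for handing a password".
    public static final String ACTION_FILL_CREDENTIAL = "org.example.intent.action.FILL_CREDENTIAL";
    public static final String EXTRA_USERNAME = "org.example.extra.USERNAME";
    public static final String EXTRA_PASSWORD = "org.example.extra.PASSWORD";

    private PinnedCredentialHandoff() {}

    /** Hex SHA-256 of the signing certificate of the installed copy of pkg, or null if unknown. */
    static String signerSha256(Context ctx, String pkg) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
            // Refuse packages with zero or several signers: the pin identifies exactly one certificate.
            if (info.signatures == null || info.signatures.length != 1) return null;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(info.signatures[0].toByteArray());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format(Locale.ROOT, "%02x", b));
            return hex.toString();
        } catch (PackageManager.NameNotFoundException | java.security.NoSuchAlgorithmException e) {
            return null;
        }
    }

    /**
     * Sends username/password to exactly one package via an explicit Intent, and only when the
     * installed copy of that package is signed by the pinned certificate. The clipboard, which any
     * app may read, is never touched. Returns false (and sends nothing) on any mismatch.
     */
    public static boolean send(Activity from, String targetPkg, String pinnedSha256,
                               String username, String password) {
        String actual = signerSha256(from, targetPkg);
        if (actual == null || !actual.equalsIgnoreCase(pinnedSha256)) {
            return false; // not installed, or an impostor using the same package name
        }
        Intent i = new Intent(ACTION_FILL_CREDENTIAL)
                .setPackage(targetPkg) // explicit target: no implicit resolution to a rogue app
                .putExtra(EXTRA_USERNAME, username)
                .putExtra(EXTRA_PASSWORD, password);
        if (i.resolveActivity(from.getPackageManager()) == null) return false;
        from.startActivity(i);
        return true;
    }
}
```

The receiving app should make the symmetric check on the sender (for example via Activity.getCallingPackage() when started for a result) before trusting the extras.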
