Hackers of India

AutoSpill: Zero Effort Credential Stealing from Mobile Password Managers

By Ankit Gangwal, Shubham Singh, Abhijeet Srivastava on 06 Dec 2023 @ Blackhat


Presentation Material

Abstract

Password managers (PMs) are becoming common and popular on mobile devices. The convenience of automatically filling user credentials into login forms, especially on small-screen devices, has further helped to increase the adoption of PMs. Modern mobile OSes (such as Android, the focus of our work) provide system-wide autofill frameworks that enable autofilling in both browsers and apps. On the other hand, mobile OSes allow apps to render web content directly via WebView controls, which (1) avoids redirecting the user to the main browser and (2) gives a more seamless user experience.

We will focus on a common scenario, where a webpage is loaded into a mobile app using WebView controls. Some common examples include in-app opening of hyperlinks in Skype or Gmail mobile apps. Another key use of such in-app functionality is the “Login with Apple/Facebook/Google” button for user authentication within a third-party mobile app. Upon choosing such an option, the third-party app loads the corresponding login page in WebView.

We will present a novel attack - that we call AutoSpill - to steal users’ saved credentials from PMs during an autofill operation on a login page loaded inside an app. AutoSpill violates Android’s secure autofill process. We found that the majority of top Android PMs were vulnerable to AutoSpill, even without JavaScript injection. With JavaScript injection enabled, all of them were found vulnerable. We identified the fundamental reasons for AutoSpill and will propose systematic countermeasures to fix it properly. We responsibly disclosed our findings to the affected PMs and the Android security team. Several PMs and Google accepted our work as a valid issue.
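As an added example (not code from the talk, nor from any of the tested PMs), here is the kind of check a PM's autofill service can make before filling a login page rendered in another app's WebView: confirm that the calling app's package name and signing-certificate fingerprint are listed for the page's domain in its Digital Asset Links statement, and otherwise ask the user instead of filling silently. The choice of the `get_login_creds` relation as the required delegation, and the package, domain, fingerprint and vault values, are assumptions constructed for this example.

```python
"""Added example (not the talk's code): the decision an Android password manager
should make before autofilling into a WebView hosted by another app.
Constructed sample data throughout."""
import json
from typing import Optional

RELATION = "delegate_permission/common.get_login_creds"

# Constructed: the site owner's signing-cert fingerprint and the statement it
# publishes at https://login.example.com/.well-known/assetlinks.json
BANK_FP = ":".join(["AB"] * 32)
ASSETLINKS = {"login.example.com": json.dumps([{
    "relation": [RELATION],
    "target": {"namespace": "android_app", "package_name": "com.example.bank",
               "sha256_cert_fingerprints": [BANK_FP]}}])}
VAULT = {"login.example.com": ("alice", "constructed-password")}

def _norm_fp(fp: str) -> str:
    return fp.replace(":", "").upper()

def is_associated(package: str, cert_fp: str, assetlinks_json: Optional[str]) -> bool:
    """True only if the domain's statement delegates credential access to
    exactly this package AND this signing certificate; any parse problem
    is treated as 'not associated'."""
    if assetlinks_json is None:
        return False
    try:
        statements = json.loads(assetlinks_json)
    except ValueError:
        return False
    want = _norm_fp(cert_fp)
    for st in statements:
        tgt = st.get("target", {})
        fps = {_norm_fp(f) for f in tgt.get("sha256_cert_fingerprints", [])}
        if (RELATION in st.get("relation", []) and tgt.get("namespace") == "android_app"
                and tgt.get("package_name") == package and want in fps):
            return True
    return False

def autofill_decision(package, cert_fp, web_domain, strict=True):
    """'fill', 'ask_user' or 'deny'. strict=False is the domain-only policy in
    which any app hosting the WebView receives the credentials."""
    if web_domain not in VAULT:
        return "deny"
    if not strict:
        return "fill"
    if is_associated(package, cert_fp, ASSETLINKS.get(web_domain)):
        return "fill"
    return "ask_user"  # unverified host app: never fill silently
```

With `strict=False` the host app's identity is never consulted, which is the gap the talk describes; with the default policy an unassociated package only ever reaches the explicit user prompt.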

AI Generated Summary (may contain errors)

Here is a summarized version of the content:

The speaker discussed an issue discovered in May, and reported to Android and password managers. The problem allows malicious apps to steal credentials from password managers using a technique called “AutoFill.” The speaker’s team found that some password managers quickly acknowledged the issue and promised to fix it, as well as providing severity and priority ratings. However, others did not respond or blamed Android for the problem.

Despite being provided with detailed information, including demos and code, some password managers refused to accept responsibility for the issue. Only Android ultimately fixed the problem, but the speaker’s team is still investigating ways to reverse-engineer the AutoFill feature to prevent malicious apps from stealing credentials.

The speaker was asked if the Google Play Store could detect such malicious applications, but they believe it would be challenging since the base application appears normal and only saves credentials, making it difficult to identify as malicious.

Another question was posed about whether an attacker could use multiple web views to query password managers in the background, but the speaker’s team found that this approach is not successful. The AutoFill feature only works when a single web view is in focus.