Hackers of India

AutoSpill: Zero Effort Credential Stealing from Mobile Password Managers

Ankit Gangwal, Shubham Singh, Abhijeet Srivastava

2023/12/06


Presentation Material

Abstract

Password managers (PMs) are becoming common and popular on mobile devices. The convenience of automatically filling user credentials into login forms, especially on small-screen devices, has further increased the adoption of PMs. Modern mobile OSes (such as Android, the focus of our work) provide a system-wide autofill framework so that credentials can be autofilled in both browsers and apps. At the same time, mobile OSes let apps render web content directly via WebView controls, which (1) avoids redirecting the user to the system browser and (2) keeps the user experience seamless.

We will focus on a common scenario in which a web page is loaded inside a mobile app using WebView controls. Common examples include opening hyperlinks in-app in the Skype or Gmail mobile apps. Another key use of such in-app functionality is the “Login with Apple/Facebook/Google” button for user authentication within a third-party mobile app: upon choosing such an option, the third-party app loads the corresponding login page in a WebView.

We will present a novel attack, which we call AutoSpill, that steals users’ saved credentials from PMs during an autofill operation on a login page loaded inside an app. AutoSpill violates Android’s secure autofill process. We found that the majority of top Android PMs were vulnerable to AutoSpill even without JavaScript injection; with JavaScript injection enabled, all of them were vulnerable. We identified the fundamental reasons behind AutoSpill and will propose systematic countermeasures that fix it properly. We responsibly disclosed our findings to the affected PMs and to the Android security team; several PMs and Google accepted our work as a valid issue.
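The security-relevant point of the scenario above is that the Android autofill framework presents a WebView form to the password manager as a view tree whose fields carry a web domain, while the activity that owns that tree belongs to the host app. A PM that keys its decision only on the web domain will hand the site's credentials to whatever package rendered the page. The following is an added example, not the talk's code nor any PM's implementation: a minimal AutofillService that collects the requesting package and the web domain(s) from the AssistStructure and fills a web login form only when the requester is a trusted browser or the site explicitly delegates login credentials to that package through its Digital Asset Links file (`/.well-known/assetlinks.json`, relation `delegate_permission/common.get_login_creds`). The browser allowlist, the vault contents and the domain `accounts.example.com` are constructed for the example; the countermeasures the talk itself proposes are not reproduced here.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.CancellationSignal;
import android.service.autofill.*;
import android.view.View;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import org.json.JSONArray;
import org.json.JSONObject;
import java.io.InputStream;
import java.net.URL;
import java.security.MessageDigest;
import java.util.*;
import javax.net.ssl.HttpsURLConnection;

/** Added example (not from the AutoSpill talk or any PM): a PM autofill service that refuses to
 *  spill web credentials into a WebView hosted by an unrelated app. Package names and the vault
 *  below are assumptions made for the example. */
public class WebViewAwareAutofillService extends AutofillService {
    // Assumption: browsers this PM trusts to receive web credentials directly.
    private static final Set<String> TRUSTED_BROWSERS =
            new HashSet<>(Arrays.asList("com.android.chrome", "org.mozilla.firefox"));
    // Assumption: the vault, keyed by web domain, with one constructed entry.
    private static final Map<String, String[]> VAULT = new HashMap<>();
    static { VAULT.put("accounts.example.com", new String[]{"alice", "correct horse battery staple"}); }

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        // The package that owns the activity, and therefore any WebView rendered inside it.
        String requester = structure.getActivityComponent().getPackageName();

        Map<String, AutofillId> fields = new HashMap<>();   // autofill hint -> field id
        Set<String> domains = new HashSet<>();               // web domains seen in the tree
        for (int i = 0; i < structure.getWindowNodeCount(); i++)
            collect(structure.getWindowNodeAt(i).getRootViewNode(), fields, domains);

        // No web content or no password field: a native form, not handled here.
        // More than one domain: a page mixing origins, which we refuse to fill.
        if (domains.size() != 1 || !fields.containsKey(View.AUTOFILL_HINT_PASSWORD)) {
            callback.onSuccess(null);
            return;
        }
        String domain = domains.iterator().next();
        String[] creds = VAULT.get(domain);
        if (creds == null) { callback.onSuccess(null); return; }

        // The AutoSpill condition: a web login form rendered by a non-browser package. Fill only
        // if the site delegates login credentials to this package via Digital Asset Links.
        // The association check does network I/O, so it runs off the main thread.
        new Thread(() -> {
            boolean allowed = TRUSTED_BROWSERS.contains(requester) || associated(domain, requester);
            if (signal.isCanceled()) return;
            if (!allowed) { callback.onSuccess(null); return; }
            RemoteViews presentation = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
            presentation.setTextViewText(android.R.id.text1, creds[0] + " @ " + domain);
            Dataset.Builder ds = new Dataset.Builder(presentation)
                    .setValue(fields.get(View.AUTOFILL_HINT_PASSWORD), AutofillValue.forText(creds[1]));
            if (fields.containsKey(View.AUTOFILL_HINT_USERNAME))
                ds.setValue(fields.get(View.AUTOFILL_HINT_USERNAME), AutofillValue.forText(creds[0]));
            callback.onSuccess(new FillResponse.Builder().addDataset(ds.build()).build());
        }).start();
    }

    // Walk the view tree; form fields inside a WebView surface as ViewNodes carrying getWebDomain().
    private static void collect(ViewNode node, Map<String, AutofillId> fields, Set<String> domains) {
        if (node.getWebDomain() != null) domains.add(node.getWebDomain());
        String[] hints = node.getAutofillHints();
        if (hints != null && node.getAutofillId() != null)
            for (String h : hints) fields.putIfAbsent(h, node.getAutofillId());
        for (int i = 0; i < node.getChildCount(); i++) collect(node.getChildAt(i), fields, domains);
    }

    // Digital Asset Links: does https://<domain>/.well-known/assetlinks.json delegate
    // common.get_login_creds to this package, signed with this certificate?
    private boolean associated(String domain, String pkg) {
        try {
            String fingerprint = signingFingerprint(pkg);
            URL url = new URL("https://" + domain + "/.well-known/assetlinks.json");
            HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
            try (InputStream in = conn.getInputStream()) {
                String json = new Scanner(in, "UTF-8").useDelimiter("\\A").next();
                return grantsLoginCreds(json, pkg, fingerprint);
            }
        } catch (Exception e) {
            return false;   // no file, TLS failure, bad JSON: treat as "not associated"
        }
    }

    static boolean grantsLoginCreds(String assetLinksJson, String pkg, String fingerprint) throws Exception {
        JSONArray statements = new JSONArray(assetLinksJson);
        for (int i = 0; i < statements.length(); i++) {
            JSONObject s = statements.getJSONObject(i);
            JSONObject target = s.getJSONObject("target");
            if (!"android_app".equals(target.optString("namespace"))) continue;
            if (!pkg.equals(target.optString("package_name"))) continue;
            if (!contains(s.getJSONArray("relation"), "delegate_permission/common.get_login_creds")) continue;
            if (contains(target.getJSONArray("sha256_cert_fingerprints"), fingerprint)) return true;
        }
        return false;
    }

    private static boolean contains(JSONArray a, String v) throws Exception {
        for (int i = 0; i < a.length(); i++) if (v.equalsIgnoreCase(a.getString(i))) return true;
        return false;
    }

    // SHA-256 over the requester's DER signing certificate, colon-separated uppercase hex,
    // which is the format assetlinks.json uses for sha256_cert_fingerprints.
    private String signingFingerprint(String pkg) throws Exception {
        Signature[] sigs = getPackageManager()
                .getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES)
                .signingInfo.getApkContentsSigners();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(sigs[0].toByteArray());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }
}
```

Two caveats a practitioner should keep in mind. First, the decision has to be made before any value is placed in the form: once credentials are filled into a WebView, the host app can read them from the page (the abstract notes that with JavaScript injection every tested PM was vulnerable), so no check after filling helps. Second, the association check is only as good as the fetch; a production PM should cache verified associations, require TLS with certificate validation as above, and never fall back to "allow" when the assetlinks.json file cannot be retrieved.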