Biz & IT —

Using a password manager on Android? It may be wide open to sniffing attacks

Proof-of-concept exploit against LastPass could easily be extended to other apps.

Using a password manager on Android? It may be wide open to sniffing attacks
Aurich Lawson

In early 2013, researchers exposed some unsettling risks stemming from Android-based password managers. In a paper titled "Hey, You, Get Off of My Clipboard," they documented how passwords managed by 21 of the most popular such apps could be accessed by any other app on an Android device, even those with extremely low-level privileges. They suggested several measures to help fix the problem.

Almost two years later, the threat remains viable in at least some, if not all, of the apps originally analyzed. An app recently made available on Google Play, for instance, has no trouble divining the passwords managed by LastPass, one of the leading managers on the market, as well as the lesser-known KeePassDroid. With additional work, it's likely that the proof-of-concept ClipCaster app would work seamlessly against many other managers, too, said Xiao Bao Clark, the Australia-based programmer who developed it. While ClipCaster does nothing more than display the plaintext of passwords that LastPass and KeePassDroid funnel through Android handsets, a malicious app with only network privileges could send the credentials to an attacker without the user having any idea what was happening.

"Besides the insecurity of it, what annoyed me was that I was never told any of this while I was signing up or setting up the LastPass app," Clark wrote in an e-mail. "Instead, I got the strong impression from LastPass that everything was very secure, and I needn't worry about any of it. If they at least told users the security issues using these features brings, then the users themselves could decide on their own trade-off between usability and security. Not mentioning it at all strikes me as disingenuous."

Asked if LastPass has ever notified users of the risk, company CEO Joe Siegrist didn't give a yes or no answer. Instead, he responded, "This is an any clipboard activity problem [his emphasis] and impacts any password manager involving the clipboard (100% of them)—the way all password managers have consistently allowed you to enter your password into other apps since Android has existed. This demonstration is aimed at LastPass, but it's the whole of Android that must be addressed."

Clark agreed that any Android-based password manager that uses the OS clipboard is susceptible. He strongly recommends that people stop using any app setup that works this way. Many apps use standalone browsers, browser extensions, or software keyboards to enter credentials into login fields. There is no evidence they are susceptible to sniffing. The reason ClipCaster takes special aim at LastPass, Clark said, is simple. It just happened to be the manager he installed on his phone. There are no reports that password managers running on iOS or Windows Phone are vulnerable. But there can be way to know for sure, since Ars is unaware of the any comprehensive study testing the security of managers on those platforms.

As already alluded, the threat stems from the use of the Android clipboard, which acts as a temporary cache for text that is being copied and pasted, either within the same app or from one app to another. Android has no official programming interface that secures the clipboard. By design, its contents are available to any app installed on the phone, from the highest privileged banking app to one with no privileges at all. (ClipCaster, for instance, requires no permissions.) Siegrist rightly noted that any password manager that makes use of the Android clipboard—and there are plenty, including LastPass—is vulnerable.

LastPass has several different methods for plucking passwords out of their highly fortified vault and plugging them into the password field of a browser or app. Not all of the options are susceptible to sniffing, but notably, the one LastPass recommends that Android users choose leaves them wide open. The option is known as autofill, a feature that seamlessly plugs passwords into apps and the Chrome browser.

Shortly after installing LastPass, Clark came across the 2013 paper that discussed the clipboard vulnerability. It got him wondering about the security of his decision, so he began analyzing the JavaScript autofill uses to populate username and password fields in Chrome. In about an hour, he had a crude but working exploit that monitored the Android clipboard and captured login credentials transported by autofill. His proof-of-concept app works by listening to the notices the clipboard broadcasts to installed apps and looking for a familiar patterns in the code.

Clark concocted a dummy account containing the username "j.doe@actisec.com" and the password "s4f3p4assw0rd," and observed the way the credentials were funneled through the clipboard. Autofill wrote a blob of code to the clipboard and then pasted it into the address bar of Chrome. The code contained the following telltale lines:

if (l_bte) {
                l_sfv(l_bte, decodeURIComponent(escape(atob('ai5kb2VAYWN0aXNlYy5jb20='))));
            }
            l_sfv(l_bpe, decodeURIComponent(escape(atob('czRmZXBhc3N3MHJk'))));

An image of ClipCaster sniffing the password "s4f3p4assw0rd" as a user logs in to Facebook.
An image of ClipCaster sniffing the password "s4f3p4assw0rd" as a user logs in to Facebook.
Xiao Bao Clark
"atob" is a JavaScript function for decoding strings that have been converted into base64-encoded representations. Presumably, LastPass developers chose the encoding to make it less obvious to other apps what the clipboard contents are. But to anyone with a modest amount of training, the measure is little more than an exercise in the largely discredited protection known as "security through obscurity." ClipCaster monitors the clipboard for the patterns, decodes the base64 strings and, as illustrated in the image to the right, displays them.

In e-mails sent to Ars, Siegrist, the LastPass CEO, rightly noted that the vulnerability isn't unique to his company's product, or even to Android devices.

"This is an OS-level issue that impacts everything running on Android," he said. "If you use the clipboard to copy any data, a malicious app could obtain it—like installing a clipboard monitoring software on Windows or a keylogger on Windows. You can compromise your security by installing bad software."

Siegrist also noted that attacks like the one carried out by ClipCaster work only when LastPass or another password manager runs on an Android device that has a malicious app installed, and then only when the manager uses the device's clipboard. The CEO said that LastPass users should run only "trusted" apps, meaning those distributed over Google Play by a trusted company and widely used and reviewed.

Still, his statements omit some important distinctions. First, LastPass on Windows doesn't use the clipboard to pass login credentials to Chrome, and presumably other browsers, Clark's research found. And second, most Windows users—and a growing number of Mac users as well—use antivirus protection to detect such threats. Android antivirus apps exist, but there's little evidence that most users install one. Third, his advice about installing only trusted apps is sound, but given the regular occurrence of malicious apps that slip through Google defenses and are hosted in the company's official Play Store, it's unrealistic to expect end users to always spot rogue titles.

One of the key defenses of Android is its application sandbox, which prevents one app from accessing sensitive data belonging to another app, presumably under the premise that not all apps will be trustworthy. When an app as sensitive as a password manager doesn't enjoy a protection as crucial as this, the companies should make this limitation explicit. LastPass and the developers of other vulnerable managers should be forthright about the risks and tell users what they can do to protect themselves. In the case of LastPass, the threat can be eliminated simply by opting out of the recommended autofill option and instead using the LastPass browser or LastPass keyboard. Many users may decide the convenience of autofill is worth the added risk, but at least they will be making an informed choice.

Channel Ars Technica