Android-based apps accidentally leaking login credentials: IIIT Hyderabad study

By Telangana Today
Published Date - 17 October 2023, 08:06 PM

Hyderabad: Here is a word of caution for Android users who use the autofill facility to log into apps on their smartphones.

Researchers at the International Institute of Information Technology (IIIT) Hyderabad have found that the autofill functionality in Android-based apps was accidentally leaking login credentials to the apps hosting the webpages.

Of late, password managers have become popular among smartphone users not just for generating long passwords for their accounts but also for remembering them for the next login. Password managers have also become popular for their autofill facility, which fills in the required credentials in different login forms.

In an experiment with password managers’ autofill functionality on mobile operating systems, the research team discovered what they termed the AutoSpill attack.

The researchers, led by Prof. Ankit Gangwal from the Centre for Security, Theory and Algorithmic Research (CSTAR), IIIT-Hyderabad, found that every time an app loads a login page in WebView, an autofill request is generated from that WebView, and the password managers and the mobile operating system get disoriented about the target page for filling in the login credentials.

While the expected behaviour is to populate the login page in WebView, the app loading the WebView could get access to the sensitive information, they said.

Prof. Gangwal said that when a user tries to log in to a music app on a mobile device via Google or Facebook, the music app will open the Google or Facebook login page inside itself, i.e., within the music app via the WebView.

“When the password manager is invoked to autofill the credentials, ideally it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app, which in this case is your music app,” Prof. Gangwal explained.

He emphasized that even without phishing, any malicious app that asks the user to log in via another site can automatically get access to sensitive information.

According to researchers and MTech students Shubham Singh and Abhijeet Srivastava, since both Android and password managers handle an autofill request with slightly different objectives (security, usability, etc.), they eventually become incompatible in terms of the amount of information flowing from one to the other.

The findings, which will be presented at the BlackHat Europe 2023 conference in December, concluded that both the Android system and the password managers are equally responsible for the credential AutoSpill.

“We brought this to the notice of Google as well as the password managers, who then have acknowledged the security breach,” the professor said. The researchers are currently exploring the possibility of a reverse AutoSpill attack.
