Do you use a password manager on your mobile device? For many people, they're an absolute necessity. But several of the leading Android-based password managers, including LastPass and KeePassDroid, are "leaky" with the passwords they store.
To prove this, Australian researcher Xiao Bao Clark has created an Android app called ClipCaster. Without even requiring any permissions, ClipCaster can "sniff" passwords from many password managers, and display those passwords in unencrypted plain text. Clark says this proves Android password managers have a serious security issue.
ClipCaster, available on the Google Play Store, is just a proof of concept, and not malicious in any way. But the app's existence shows that malware creators could take advantage of the same flaw, and create malware that could sniff passwords and then transmit them to people with malicious intentions.
The main issue here revolves around Android's clipboard, the place where the system stores temporary text. Copied or cut text, for example, is stored on the clipboard until it is pasted elsewhere. Most Android-based password managers also use the clipboard to move passwords from storage to wherever the necessary login is taking place, such as a mobile browser.
The Android clipboard is designed so that any app can access its contents. That makes it very useful for both app developers and users, but the price of this expedience is security.
Because this issue exists in the Android operating system, any password manager that uses the Android clipboard becomes vulnerable to exploits. For example, LastPass users can set the app so it doesn't use the clipboard, but LastPass itself encourages users to enable the highly convenient "autofill" feature, which does use the clipboard.
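As an added illustration (not ClipCaster's code and not taken from any of the password managers named above), the Android Java snippet below shows the partial mitigation a password manager can apply when it must go through the clipboard: copy the secret, then clear it after a short timeout, and on Android 13 and later also flag the clip as sensitive so the system's clipboard preview does not display it. This shrinks the exposure window but does not close it, since any app can still read the clip while it is present; the class name and the 30-second timeout are assumptions.

```java
import android.content.ClipData;
import android.content.ClipDescription;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Build;
import android.os.Handler;
import android.os.Looper;
import android.os.PersistableBundle;

/** Hypothetical helper: copies a secret to the clipboard and wipes it after a timeout. */
public final class ClipboardSecretCopier {
    private static final long CLEAR_AFTER_MS = 30_000; // assumed timeout, not from the article

    private final ClipboardManager clipboard;
    private final Handler handler = new Handler(Looper.getMainLooper());
    private Runnable pendingClear;

    public ClipboardSecretCopier(Context context) {
        clipboard = (ClipboardManager) context.getSystemService(Context.CLIPBOARD_SERVICE);
    }

    /** Places the secret on the clipboard; any app can read it until clearClipboard() runs. */
    public void copySecret(String secret) {
        ClipData clip = ClipData.newPlainText("", secret);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            // API 33+: mark the clip sensitive so the system clipboard preview hides its text.
            PersistableBundle extras = new PersistableBundle();
            extras.putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true);
            clip.getDescription().setExtras(extras);
        }
        clipboard.setPrimaryClip(clip);

        // Reset the timer if the user copies another secret before the first one expires.
        if (pendingClear != null) {
            handler.removeCallbacks(pendingClear);
        }
        pendingClear = this::clearClipboard;
        handler.postDelayed(pendingClear, CLEAR_AFTER_MS);
    }

    /** Overwrites (or, on API 28+, clears) the clipboard so the secret stops being readable. */
    public void clearClipboard() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            clipboard.clearPrimaryClip();
        } else {
            clipboard.setPrimaryClip(ClipData.newPlainText("", ""));
        }
        pendingClear = null;
    }
}
```

The timer only runs while the process is alive, so a password manager should also call clearClipboard() when it locks or is sent to the background.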
This issue isn't new. In early 2013, a group of researchers from the Leibniz University of Hannover in Germany wrote a paper entitled "Hey, You, Get Off of My Clipboard." That paper found that 21 password manager apps used the vulnerable clipboard feature, and further, that malware could theoretically use contextual information to match captured passwords with online accounts.
Criminals who actually wanted to steal passwords using this method would still have to jump through several hurdles. First, the Android device would need to have a password manager that's been set to use the clipboard feature. Then the Android device would need to become infected with specially crafted malware designed to exploit this specific clipboard vulnerability.
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+.