Are Android Password Manager Apps Secure?

Credit: JMiks/Shutterstock

Do you use a password manager on your mobile device? For many people, they're an absolute necessity. But several of the leading Android-based password managers, including LastPass and KeePassDroid, are "leaky" with the passwords they store.

To prove this, Australian researcher Xiao Bao Clark has created an Android app called ClipCaster. Without even requiring any permissions, ClipCaster can "sniff" passwords from many password managers, and display those passwords in unencrypted plain text. Clark says this proves Android password managers have a serious security issue.


ClipCaster, available on the Google Play Store, is just a proof of concept, and not malicious in any way. But the app's existence shows that malware creators could take advantage of the same flaw, and create malware that could sniff passwords and then transmit them to people with malicious intentions.

The main issue here revolves around Android's clipboard, the place where the system stores temporary text. Copied or cut text, for example, is stored on the clipboard until it is pasted elsewhere. Most Android-based password managers also use the clipboard to move passwords from storage to wherever the login is taking place, such as a mobile browser.

The Android clipboard is designed so that any app can read its contents. That makes it very useful for both app developers and users, but the price of this convenience is security.

Because this issue exists in the Android operating system, any password manager that uses the Android clipboard becomes vulnerable to exploits. For example, LastPass users can set the app so it doesn't use the clipboard, but LastPass itself encourages users to enable the highly convenient "autofill" feature, which does use the clipboard.
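Since the window during which a copied password sits on the shared clipboard is the exposure, one mitigation a password-manager developer can apply is to shorten it. The following is an added example written for this article, not code from ClipCaster, LastPass or KeePassDroid: a hypothetical helper class (name and 30-second timeout are assumptions) that copies a secret with an empty label, marks it sensitive on Android 13+, and clears the clipboard after the timeout.

```java
// Added example, not from the article or any product it names.
// Hypothetical helper: limit how long a secret sits on the system-wide
// clipboard, because any app can read it while it is there.
import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Build;
import android.os.Handler;
import android.os.Looper;
import android.os.PersistableBundle;

public final class SecretClipboard {
    // Assumed timeout; shorter is safer, longer is more convenient.
    private static final long CLEAR_AFTER_MS = 30_000L;

    private final ClipboardManager clipboard;
    private final Handler handler = new Handler(Looper.getMainLooper());

    public SecretClipboard(Context context) {
        clipboard = (ClipboardManager) context.getSystemService(Context.CLIPBOARD_SERVICE);
    }

    /** Places the secret on the clipboard and schedules its removal. */
    public void copySecret(CharSequence secret) {
        // Empty label: no hint in the clip metadata about what the text is.
        ClipData clip = ClipData.newPlainText("", secret);
        if (Build.VERSION.SDK_INT >= 24) {
            PersistableBundle extras = new PersistableBundle();
            // Same key as ClipDescription.EXTRA_IS_SENSITIVE (Android 13+):
            // keeps the value out of the system copy preview. Older
            // versions ignore the key, so it is safe to set unconditionally.
            extras.putBoolean("android.content.extra.IS_SENSITIVE", true);
            clip.getDescription().setExtras(extras);
        }
        clipboard.setPrimaryClip(clip);
        // Restart the timer so only one clear is pending at a time.
        handler.removeCallbacksAndMessages(null);
        handler.postDelayed(this::clearClipboard, CLEAR_AFTER_MS);
    }

    /** Removes the secret from the clipboard (overwrites on old Android). */
    public void clearClipboard() {
        if (Build.VERSION.SDK_INT >= 28) {
            clipboard.clearPrimaryClip();
        } else {
            clipboard.setPrimaryClip(ClipData.newPlainText("", ""));
        }
    }
}
```

The timer is best-effort only: the secret is still readable by every app until it fires, and the process may be killed first, so an autofill path that never touches the clipboard remains the stronger fix.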

This issue isn't new. In early 2013, a group of researchers from the Leibniz University of Hannover in Germany wrote a paper entitled "Hey, You, Get Off of My Clipboard." That paper found that 21 password manager apps used the vulnerable clipboard feature, and further, that malware could theoretically use contextual information to match captured passwords with online accounts. 

Criminals who actually wanted to steal passwords using this method would still have to jump through several hurdles. First, the Android device would need to have a password manager that's been set to use the clipboard feature. Then the Android device would need to become infected with specially crafted malware designed to exploit this specific clipboard vulnerability.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+.

Comment from the forums
  • ddpruitt
    Great anti-Android article. Any password manager that doesn't tightly integrate with the OS or browser has this issue when filling in passwords. Windows, MacOS, and iOS have the same flaw for apps that use the same method to fill passwords. Essentially the passwords are stored in the system-wide clipboard until the user pastes them into a browser. A large part of the problem is a disparate browser architecture that doesn't allow for portability and password systems that are hard for people to use but easy for computers to break.

    Either you can use a password manager and be careful about malware, or you can try to forgo the password manager and write down your passwords, or reuse them. Pick your poison.