The Emperor's New Autofill Framework: A Security Analysis of Autofill on iOS and Android

04/20/2021
by   Sean Oesch, et al.
0

Password managers help users more effectively manage their passwords, encouraging them to adopt stronger passwords across their many accounts. In contrast to desktop systems where password managers receive no system-level support, mobile operating systems provide autofill frameworks that are designed to integrate with password managers to provide secure and usable autofill for browsers and other apps installed on mobile devices. In this paper, we conduct the first holistic security evaluation of such frameworks on iOS and Android, examining whether they achieve substantive benefits over the ad-hoc desktop environment or become a problematic single point of failure. Our results find that while the frameworks address several common issues (e.g., requiring user interaction before autofill), they also enforce insecure behavior and fail to provide the password managers implemented using the frameworks with sufficient information to override this incorrect behavior. Within mobile browsers, this results in managers being less secure than their desktop counterparts. Within apps, incorrect handling of WebView controls leads to manager-assisted phishing attacks from malicious apps or domains, depending on how autofill is implemented. Based on our results, significant improvements are needed for mobile autofill frameworks and we conclude the paper with concrete recommendations for the design and implementation of more secure autofill frameworks.

READ FULL TEXT

page 1

page 4

page 16

research
03/17/2021

AndroidCompass: A Dataset of Android Compatibility Checks in Code Repositories

Many developers and organizations implement apps for Android, the most w...
research
01/17/2022

Characterizing Sensor Leaks in Android Apps

While extremely valuable to achieve advanced functions, mobile phone sen...
research
04/12/2018

Analysing Use of High Privileges in Android Applications

The number of Android smartphone and tablet users has experienced a rapi...
research
04/01/2016

AuDroid: Preventing Attacks on Audio Channels in Mobile Devices

Voice control is a popular way to operate mobile devices, enabling users...
research
08/27/2019

On the (In)security of Bluetooth Low Energy One-Way Secure Connections Only Mode

To defeat security threats such as man-in-the-middle (MITM) attacks, Blu...
research
06/27/2018

Performance and Programming Effort Trade-offs of Android Persistence Frameworks

A fundamental building block of a mobile application is the ability to p...
research
11/26/2019

Moving Fast and Breaking Things: How to stop crashing more than twice

"Moving fast, and breaking things", instead of "being safe and secure", ...

Please sign up or login with your details

Forgot password? Click here to reset