If you’re using a password manager on your Android phone or tablet, you will want to pay attention to this vulnerability. The problem is inherent in Android itself but affects password managers that use the clipboard to fill in passwords.
The vulnerability isn’t new and shouldn’t come as a surprise. Researchers discovered the bug back in early 2013, but nothing has been done about it since. Recently, however, an app called ClipCaster appeared on the Google Play Store that sniffs usernames and passwords placed in the Android clipboard.
ClipCaster is a proof of concept that this vulnerability exists and works. The app doesn’t require any permissions, so a victim will be none the wiser that his or her passwords are being sniffed. There’s no functionality behind ClipCaster other than to expose vulnerable password managers on Android.
While password managers like LastPass are affected, others that don’t utilize the clipboard are not. LastPass responded, saying that the vulnerability is not with its own app but a problem with Android itself.
“This is an any clipboard activity problem [his emphasis] and impacts any password manager involving the clipboard (100% of them)—the way all password managers have consistently allowed you to enter your password into other apps since Android has existed. This demonstration is aimed at LastPass, but it’s the whole of Android that must be addressed,” said LastPass CEO Joe Siegrist, speaking with Ars Technica.
Android password managers that use their own browsers, browser extensions, or software keyboards are unaffected by this bug. This means LastPass users can avoid it by disabling the “autofill” feature and using the LastPass secure browser or software keyboard instead.
You can also protect yourself by only installing trusted apps, meaning apps you find in Google Play, since Google checks those apps for malicious code. Still, some malicious apps may fall through the cracks, so use your best judgement. Now is also a good time to install a mobile antivirus program like Lookout or AVG to monitor your phone for vulnerabilities.
Android does have a security feature called “sandboxing” that would render this attack useless, but it would also stop password managers from working properly. Basically, sandboxing isolates an app from interacting with other apps, which protects it from sniffing. However, sandboxing password managers would make the apps extremely limited and difficult to use.
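For readers who build or audit Android apps, the following is an added example of how a password manager can limit its clipboard exposure when it has to use the clipboard at all. This is illustrative code written for this article, not LastPass’s code or anything from the ClipCaster proof of concept. It assumes the caller has an Android Context, and it relies on two platform features that arrived after this article was written: ClipboardManager.clearPrimaryClip() on Android 9 (API 28) and the ClipDescription.EXTRA_IS_SENSITIVE hint on Android 13 (API 33). Neither stops a foreground app from reading the clipboard; the point is to shrink the window during which a secret is there and to keep it out of the system clipboard preview.

```kotlin
import android.content.ClipData
import android.content.ClipDescription
import android.content.ClipboardManager
import android.content.Context
import android.os.Build
import android.os.Handler
import android.os.Looper
import android.os.PersistableBundle

/**
 * Hypothetical helper (not from the article) that a password manager could use
 * to copy a secret with as little exposure as possible:
 *  - marks the clip as sensitive on Android 13+ so the clipboard overlay
 *    does not preview it,
 *  - wipes the clip after a short time-to-live,
 *  - only wipes if the clipboard still holds *our* clip, so we never destroy
 *    something the user copied afterwards.
 */
class SensitiveClipboard(context: Context) {

    private val clipboard =
        context.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
    private val handler = Handler(Looper.getMainLooper())
    private val clearRunnable = Runnable { clearIfStillOurs() }
    private var lastLabel: String? = null

    /** Place [secret] on the clipboard and schedule its removal after [ttlMillis]. */
    fun copySecret(secret: CharSequence, ttlMillis: Long = 30_000L) {
        // Unique label so clearIfStillOurs() can tell our clip from anything else.
        val label = "pm-secret-${System.nanoTime()}"
        val clip = ClipData.newPlainText(label, secret)

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            // Android 13+: hide the content from the clipboard preview overlay.
            // This does NOT prevent other apps from reading the clipboard.
            clip.description.extras = PersistableBundle().apply {
                putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true)
            }
        }

        clipboard.setPrimaryClip(clip)
        lastLabel = label

        // Bound the exposure window even if the user never pastes.
        handler.removeCallbacks(clearRunnable)
        handler.postDelayed(clearRunnable, ttlMillis)
    }

    /** Clear the clipboard only if it still contains the clip we put there. */
    fun clearIfStillOurs() {
        val current = clipboard.primaryClipDescription ?: return
        if (current.label != lastLabel) return  // user copied something else since

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            clipboard.clearPrimaryClip()
        } else {
            // Pre-Android 9 has no clear API; overwrite with an empty clip instead.
            clipboard.setPrimaryClip(ClipData.newPlainText("", ""))
        }
        lastLabel = null
    }
}
```

Call copySecret() from the button that copies a password, and call clearIfStillOurs() again from the app’s onPause() or when the user locks the vault so the secret is not left behind if the app goes to the background before the timer fires. The time-to-live is a trade-off: shorter means less exposure but a more annoying paste experience, which is the same tension the article describes between isolation and usability.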
There’s no need to panic about this vulnerability, but Google and app developers should work together to implement a fix. Just use your best judgement about the apps you install and you should be safe.
For more information about how to protect yourself online, check out my in-depth guide.
Source: Ars Technica
Follow me on Twitter: @lewisleong