idw – Informationsdienst Wissenschaft
Nachrichten, Termine, Experten
Nachrichten, Termine, Experten
Researchers at Fraunhofer SIT have found security gaps in Android password management apps - users should update apps
The Fraunhofer Institute for Secure Information Technology (SIT) has identified serious security gaps in Android's password apps. In many of the most popular password managers, cybercriminals could easily gain access to protected information, for example, if the attacker is on the same network. The manufacturers were informed and have corrected the vulnerabilities. However, users should ensure that they are using the updated app version. The Fraunhofer SIT experts will present the details of their analyses in April at the "Hack In The Box" conference in Amsterdam. The Institute's CodeInspect tool used for the tests will be shown at CeBIT in Hanover from 20-24 March in Hall 6, Stand B 36.
An individual password is required for each application and user account. Users can easily lose track of or forget their passwords. Here, password managers provide a remedy: The user only has to remember a single master password, all other accesses and passwords are stored securely in the application. But what if the security mechanisms have flaws? A research team at Fraunhofer SIT has analyzed a number of popular Android password manager apps. Result: Many of these password apps were unsafe.
In some of the analyzed apps, including LastPass, Dashlane, Keeper and 1Password, the security experts found several implementation errors that led to serious security gaps. "For example, some applications store the entered master password in plain text on the smartphone," explains Dr. Siegfried Rasthofer, an Android expert at Fraunhofer SIT. As a result, encryption can easily be circumvented, and all data is available to the attacker without the user noticing it.
In addition, many applications ignore the problem of the clipboard, which makes "sniffing" possible. It means that the clipboard is not cleaned after the credentials are copied to it and that virtually any other app could access the clipboard. On top of this, who can be sure that there is no other certain app that would exploit this in order to obtain the access information to the password manager? In other cases, it would have sufficed for the attacker to be on the same network; but the loss of equipment could also have a significant risk to users.
"The security analysis of apps is part of our daily business. With CodeInspect and Appicaptor, we have developed our own tools that allow us to review apps very efficiently and in detail for their security, even when the apps’ source codes are not available. This applies to both Android and iOS," explains Dr. Rasthofer. With its tools, Fraunhofer SIT has already revealed many weaknesses in apps. These include the ones that have resulted from careless programming, for example, but also those that were most likely built into apps intentionally.
"We have informed the manufacturers of the affected password managers about the security gaps. Everyone has responded and the vulnerabilities have been closed, "explains Rasthofer. On devices downloading apps from the App Store these issues have now been fixed. Users that have not enabled automatic updates should update the applications immediately. Which apps have been affected and further details about the vulnerabilities can be found at http://sit4.me/pw-manager
https://team-sik.org/trent_portfolio/password-manager-apps/
Many password apps are not as secure as they seem.
Source: Fraunhofer SIT
Criteria of this press release:
Business and commerce, Journalists, Scientists and scholars, all interested persons
Information technology
transregional, national
Research results, Transfer of Science or Research
English
Many password apps are not as secure as they seem.
Source: Fraunhofer SIT
You can combine search terms with and, or and/or not, e.g. Philo not logy.
You can use brackets to separate combinations from each other, e.g. (Philo not logy) or (Psycho and logy).
Coherent groups of words will be located as complete phrases if you put them into quotation marks, e.g. “Federal Republic of Germany”.
You can also use the advanced search without entering search terms. It will then follow the criteria you have selected (e.g. country or subject area).
If you have not selected any criteria in a given category, the entire category will be searched (e.g. all subject areas or all countries).
