Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Leaky Password Managers on Android

November 25, 2014

Ars Technica posted a very scary bit of information last week. In early 2013, security researchers discovered that some password managers used on Android devices can actually be accessed by other installed apps, even those with extremely low-level privileges. Almost two years later, apparently there is still a problem. The issue seems to revolve around the “convenience” factor of using the clipboard to dump password data as a method to populate a password field.

The very popular password manager, LastPass, was specifically called out for exposing passwords. LastPass CEO Joe Siegrist dodged the issue and basically threw everybody who utilizes the clipboard function on Android devices “under the bus,” his own product included. Convenience over security is an old story that we hear over and over. I blame the “instant gratification” generation.

I have a bigger problem with this report. Why is a password manager software provider (that should know better) putting your passwords at risk by just handing them off in an unencrypted fashion? The whole point of using a password manager application is to protect all of your complex passwords in an easy-to-manage, encrypted password vault. It’s not so secure if your password manager exposes your passwords with little effort. I think I’ll stop recommending LastPass and pick some other application that isn’t on the researchers’ list, although that doesn’t mean that other apps are secure either.

Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com