"Missing interface makes smartphone password managers unsecure"
Suppose, this theme will be quit popular in the next time, so I quickly have translated the article for you.
"Missing interface makes smartphone password managers unsecure
developing a PW manager on android ist not a simple task - the API is missing. there are rules other than on desktop pcs.
the pw manager annot link directly into the browser and also has to be available be usable by apps. (that i don't understand, but not important).
due to the missing api for integrating pw manager into brwwser or apps the developer solve this problem on their own unsecure way: they use the OS-cipboard to deliver logindata to browser or apps.
via clipboard the users also can copy thier logindata from the pw manager to insert this into apps or browser. this is a problem due to the clipboard is a global ressource, which every app can access. even worse: there is a system wide messaging
service telling apps each change of the clipboard:
...which can be used by trojans...
the researchers prooved this by their demo PWSniff, which doesen't even need any permissions to do so. the prog searches and
collects the demanded data from the phone, which only has to be combined.
if inserting text from well known pw manager there is supposingly a url, account name or password. the next user selected app
is supposingly the receiver of the data.
with GET_ACCOUNTS sniffer also can read username of the Andorid AccountManagers. (or the Android AccountManager).
Via actual opened connections the sniffer can find out, what server the password ist for. this info is delivered by ProcFS
for all apps (via /proc/net/tcp).
Last ist to deliver the collected data to an external server. the implemented (?) PWSniff does this without permission for
internet access. it opens after switching off the display a url with the system browser.
the researcher contacted pw manger developers and asked them, how they come to using the clipboard. but one they answered this
has been a decision between usability and security and even better than not having a pw manager and always to use the same pw. the dev. all critizised the missing android support for pw managers.
the demand/use of pw managers is confirmed by the scientists. a further research showed two uses of andriod/mobile pw managers:
1. standard encryption of the android browser is told to be unsecure
2. worry about Google collecting (harvesting) all login data"
Hope, this is not to hard stuff.
2013/3/18 PhilippC <email@example.com>
I am currently investigating options to add such online features. The problem is that most API are not directly available for mono for Android. I'll add a few "issues" so people can vote for their provider of choice.