
A Security Analysis of Password Managers on Android

  • Conference paper
  • Published in: Information Systems Security (ICISS 2023)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14424)

Abstract

Password managers are software tools that help users store and retrieve credentials across devices while reducing, if not eliminating, password reuse across service providers. Previous research has identified several security vulnerabilities in desktop and browser-based password managers; apart from work on phishing, however, the security of password manager applications on mobile devices had not been investigated comprehensively prior to this paper. We present a study of three of the most popular password managers on the Google Play Store, covering, among other aspects, their password generators, vault and metadata storage, and autofill capabilities. Building upon past findings, we identify several weaknesses, including generation of weak and statistically non-random passwords, unencrypted storage of metadata and application settings, and possibilities for credential phishing. We also suggest improvements to mobile password managers, to other Android applications, and to the Android operating system itself that can improve both the user experience and the security of password managers on Android devices. From our observations, we identify areas for future research that can further improve the security of password managers.
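The abstract's finding of "statistically non-random" generator output rests on a goodness-of-fit test over the characters a generator emits. The following is an added example of that kind of audit, written for this page and not taken from the paper or from any of the password managers it studied: a Pearson chi-squared test for symbol uniformity, applied to a correct generator and to a deliberately constructed one that reduces a byte modulo the alphabet size (a modulo-bias bug, constructed here for illustration and not attributed to any product). The function names, the 62-symbol alphabet and the sample sizes are this example's own choices.

```python
"""Chi-squared uniformity audit of password-generator output.

Added example (not code from the paper or any product it analysed). The
statistic is Pearson's chi-squared goodness-of-fit over per-symbol counts;
the critical value uses the Wilson-Hilferty normal approximation so the
script needs only the standard library.
"""
import math
import random
import secrets
import string
from statistics import NormalDist

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def seeded_rng(seed):
    """Deterministic RNG for reproducible audits only; never use for real passwords."""
    return random.Random(seed)


def biased_generator(length, rng, alphabet=ALPHABET):
    """Deliberately flawed generator used as the 'bad' sample (constructed bug).

    Reducing a byte modulo len(alphabet) favours the first 256 % 62 == 8
    symbols (probability 5/256 each instead of 4/256): the classic modulo bias.
    """
    n = len(alphabet)
    return "".join(alphabet[rng.randrange(256) % n] for _ in range(length))


def fair_generator(length, rng, alphabet=ALPHABET):
    """Correct generator: randrange(n) rejects out-of-range draws, so every symbol
    is equiprobable. With secrets.SystemRandom this is production-quality."""
    n = len(alphabet)
    return "".join(alphabet[rng.randrange(n)] for _ in range(length))


def chi_square_statistic(passwords, alphabet=ALPHABET):
    """Pearson chi-squared statistic for the hypothesis 'every symbol is equally likely'.

    Returns (statistic, degrees_of_freedom). Large values mean the observed
    symbol frequencies are far from uniform.
    """
    counts = {c: 0 for c in alphabet}
    total = 0
    for pw in passwords:
        for c in pw:
            counts[c] += 1  # KeyError if the generator emits a symbol outside the alphabet
            total += 1
    expected = total / len(alphabet)
    stat = sum((obs - expected) ** 2 / expected for obs in counts.values())
    return stat, len(alphabet) - 1


def chi_square_critical(df, alpha=0.001):
    """Upper-tail critical value via the Wilson-Hilferty approximation
    (within about 1% of tabulated values for df >= 30; fine for pass/fail)."""
    z = NormalDist().inv_cdf(1 - alpha)
    return df * (1 - 2 / (9 * df) + z * math.sqrt(2 / (9 * df))) ** 3


def looks_uniform(passwords, alphabet=ALPHABET, alpha=0.001):
    """True if the symbol distribution is consistent with uniform at level alpha."""
    stat, df = chi_square_statistic(passwords, alphabet)
    return stat < chi_square_critical(df, alpha)


def audit(generator, rng, n_passwords=5000, length=20, alpha=0.001):
    """Sample `generator` and report the statistic, the threshold and the verdict."""
    sample = [generator(length, rng) for _ in range(n_passwords)]
    stat, df = chi_square_statistic(sample)
    crit = chi_square_critical(df, alpha)
    return {"statistic": round(stat, 1), "critical": round(crit, 1), "uniform": stat < crit}


if __name__ == "__main__":
    sys_rng = secrets.SystemRandom()
    print("fair  :", audit(fair_generator, sys_rng))
    print("biased:", audit(biased_generator, sys_rng))
```

With 100,000 sampled characters the biased generator's statistic lands in the hundreds against a threshold of roughly 101 (df = 61, alpha = 0.001), while a fair generator stays near the expected value of 61. A per-symbol test like this catches skewed alphabets and modulo bias but not correlations between positions; auditing those needs a test over digraphs or a serial test, the same way, with a larger sample.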



Author information

Corresponding author: Abhyudaya Sharma

Ethics declarations

All vulnerabilities and issues have been responsibly disclosed to the developers of the password managers. We hope that these issues will be resolved soon and help improve the security of password managers.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Sharma, A., Mishra, S. (2023). A Security Analysis of Password Managers on Android. In: Muthukkumarasamy, V., Sudarsan, S.D., Shyamasundar, R.K. (eds) Information Systems Security. ICISS 2023. Lecture Notes in Computer Science, vol 14424. Springer, Cham. https://doi.org/10.1007/978-3-031-49099-6_1


  • DOI: https://doi.org/10.1007/978-3-031-49099-6_1


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-49098-9

  • Online ISBN: 978-3-031-49099-6

  • eBook Packages: Computer Science (R0)
