TeamUSEC
Projects
Publications
Classes
Theses
Team
Code of Conduct
Projects
Publications
Classes
Theses
Team
Code of Conduct

Passwords To-Go: Investigating Multi-faceted Challenges for Password Managers in the Android Ecosystem

Nicolas Huaman, Marten Oltrogge, Sabrina Amft, Yannick Evers and Sascha Fahl.
40th Annual Computer Security Applications Conference, ACSAC'24, Dec 11-13, 2024
Abstract Cite URL

Abstract

Android provides two APIs to help mobile apps and browsers interact with password managers, the Android Autofill framework (AAF) and the Credentials API. Mobile password managers rely on these APIs to insert stored credentials into apps and browsers, limiting user interaction during authentication. However, implementing these APIs correctly can be challenging for app developers. For example, misusing the AAF can lead to insecure authentication, login credential phishing, and decreased usability. In this work, we conduct a mixed-methods study on the use of Android authentication APIs, focusing on their password manager support and impact on authentication security and usability. We first conduct a large-scale analysis of the two authentication APIs in 639,731 Android apps. Secondly, we perform an in-depth qualitative analysis of the AAF with 100 apps, ten browsers, and eleven password managers on Android. The Credentials API has not yet been adopted broadly, illustrating its recent introduction. Regarding Android’s Autofill framework, our qualitative analysis identified various unsupported edge cases like credit card management and password changing. Based on our findings, we make recommendations for improving the AAF and relate them to the Credentials API. We find that while a lot of the partially supported cases will work better in the new API, especially the lesser supported cases in our analysis currently fail for both APIs.

Reference

@inproceedings{conf/acsac/huaman24,
author = {Nicolas Huaman and
		Marten Oltrogge and
		Sabrina Amft and
		Yannick Evers and
		Sascha Fahl},
title = {Passwords To-Go: Investigating Multifaceted Challenges for Password Managers in the Android Ecosystem},

 booktitle = {In 40th Annual Computer Security Applications Conference, ACSAC 2024, Dec 11-13, 2024},
 month = {Dec},
 publisher = {IEEE Computer Society},
 year = {2024}
}