TeamUSEC

Hey, You, Get Off of My Clipboard - On How Usability Trumps Security in Android Password Managers

Sascha Fahl, Marian Harbach, Marten Oltrogge, Thomas Muders and Matthew Smith.
Financial Cryptography and Data Security - 17th International Conference, FC 2013, Okinawa, Japan, April 1-5, 2013, Revised Selected Papers

Abstract

Password managers aim to help users manage their ever-increasing number of passwords for online authentication. Since users only have to memorise one master secret to unlock an encrypted password database or key chain storing all their (hopefully) different and strong passwords, password managers are intended to increase username/password security. With mobile Internet usage on the rise, password managers have found their way onto smartphones and tablets. In this paper, we analyse the security of password managers on Android devices. While encryption mechanisms are used to protect credentials, we show that a usability feature of the investigated mobile password managers puts the users’ usernames and passwords at risk. We demonstrate the consequences of our findings by analysing 21 popular free and paid password managers for Android. We then make recommendations on how to overcome the current problems and provide an implementation of a secure and usable mobile password manager.

Reference

@inproceedings{DBLP:conf/fc/FahlHOMS13,
  author    = {Sascha Fahl and
               Marian Harbach and
               Marten Oltrogge and
               Thomas Muders and
               Matthew Smith},
  bibsource = {dblp computer science bibliography, https://dblp.org},
  biburl    = {https://dblp.org/rec/conf/fc/FahlHOMS13.bib},
  booktitle = {Financial Cryptography and Data Security - 17th International Conference,
               FC 2013, Okinawa, Japan, April 1-5, 2013, Revised Selected Papers},
  doi       = {10.1007/978-3-642-39884-1_12},
  editor    = {Ahmad-Reza Sadeghi},
  pages     = {144--161},
  publisher = {Springer},
  series    = {Lecture Notes in Computer Science},
  title     = {Hey, You, Get Off of My Clipboard - On How Usability Trumps Security
               in Android Password Managers},
  url       = {https://doi.org/10.1007/978-3-642-39884-1_12},
  volume    = {7859},
  year      = {2013}
}