
Six of the most popular Android password managers are leaking data



Several mobile password managers are leaking user credentials due to a vulnerability discovered in the autofill functionality of Android apps. 

The credential-stealing flaw, dubbed AutoSpill, was reported by a team of researchers from the International Institute of Information Technology Hyderabad at last week’s Black Hat Europe 2023 conference.


The vulnerability comes into play when Android calls a login page via WebView. (WebView is an Android component that makes it possible to view web content without opening a web browser.) When that happens, WebView allows Android apps to display the content of the web page in question. 

That’s all fine and good — unless a password manager is added to the mix: The credentials shared with WebView can also be shared with the app that originally called for the username and password. If the originating app is trusted, everything should be OK. If that app isn’t trusted, things could go very wrong.

The affected password managers are 1Password, LastPass, Enpass, Keeper, and Keepass2Android. In addition, if the credentials were shared via a JavaScript injection method, both Dashlane and Google Smart Lock are affected by the vulnerability.


Because of the nature of this vulnerability, neither phishing nor malicious in-app code is required.

One thing to keep in mind is that the researchers tested this on less-than-current hardware and software.

Specifically, they tested on these three devices: Poco F1, Samsung Galaxy Tab S6 Lite, and Samsung Galaxy A52. The versions of Android used in their testing were Android 10 (with the December 2020 security patch), Android 11 (with the January 2022 security patch), and Android 12 (with the April 2022 security patch).

As these tested devices — as well as the OS and security patches — were out of date, it’s hard to know with any certainty whether the vulnerability would affect newer versions of Android. 


However, even if you are using a device other than what the group tested with, it doesn’t mean this vulnerability should be shrugged off. Rather, it should serve as a reminder to always keep your Android OS and installed apps up to date. The WebView system has always been under scrutiny, and updates for this software should always be applied. For that, you can open the Google Play Store on your device, search for WebView, tap About this app, and compare the latest version with the version installed on your device. If they are not the same, you’ll want to update.

One of your best means of keeping Android secure is to make sure it is always as up-to-date as possible. Check daily for OS and app updates and apply all that are available.




