German security researchers have analyzed the security of 9 popular password managers on Android and found vulnerabilities in all of them. Some password managers stored passwords in plaintext or had hardcoded encryption keys in the source code.
The German security researchers work for the Fraunhofer Institute for Secure Information Technology and checked the security of the Android versions of My Passwords, Informaticore Password Manager, LastPass, Keeper, F-Secure KEY, Dashlane, Hide Pictures Keep Safe Vault, Avast Passwords and 1Password.
In each application the researchers found one or more vulnerabilities. Some apps stored passwords in plaintext, others had hardcoded encryption keys in the source code. Both make it relatively easy for attackers to gain access to the passwords. In other cases it was possible to get access to the stored passwords with a forensic app, and most password managers also didn't protect against clipboard sniffing. This means that passwords were not removed from the clipboard after the user copied credentials.
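Two of the defect classes named above, a key hardcoded in the app and a clipboard that is never cleared, have straightforward Android-side mitigations. The following is an added example written for this article, not code from the Fraunhofer study or from any of the apps it names. It contrasts a shipped-in-the-APK key with a key generated inside the Android Keystore (the key never leaves the hardware-backed store, so decompiling the app yields nothing usable), and it clears a copied password from the clipboard after a timeout. The key alias `vault-master-key` and the 30-second timeout are assumptions; it requires the Android SDK and will not run on a plain JVM.

```java
import android.content.ClipData;
import android.content.ClipDescription;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Build;
import android.os.Handler;
import android.os.Looper;
import android.os.PersistableBundle;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class CredentialVault {
    // ANTI-PATTERN (the defect class the study reports): a key compiled into the
    // APK is recoverable by anyone who unpacks it, so the "encrypted" store is
    // effectively plaintext. Constructed value, shown only for contrast.
    private static final byte[] HARDCODED_KEY = "0123456789abcdef".getBytes();

    static SecretKey weakKey() {
        return new SecretKeySpec(HARDCODED_KEY, "AES");   // do not do this
    }

    // Hardened form: the key is created by and kept inside the Android Keystore.
    private static final String KEY_ALIAS = "vault-master-key"; // assumed alias
    private static final String KEYSTORE = "AndroidKeyStore";

    private static SecretKey masterKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) {
            return (SecretKey) ks.getKey(KEY_ALIAS, null);
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    /** Encrypts with AES-GCM; returns the 12-byte IV followed by ciphertext+tag. */
    static byte[] seal(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, masterKey()); // Keystore picks a fresh random IV
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] open(byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        byte[] iv = Arrays.copyOfRange(sealed, 0, 12);
        c.init(Cipher.DECRYPT_MODE, masterKey(), new GCMParameterSpec(128, iv));
        return c.doFinal(Arrays.copyOfRange(sealed, 12, sealed.length)); // throws on tampering
    }

    // Clipboard hygiene: mark the clip sensitive where the OS supports it and
    // wipe it after a timeout instead of leaving the password there indefinitely.
    private static final long CLEAR_AFTER_MS = 30_000; // assumed timeout

    static void copyPassword(Context ctx, String password) {
        ClipboardManager cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        ClipData clip = ClipData.newPlainText("password", password);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            PersistableBundle extras = new PersistableBundle();
            extras.putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true); // hides it in the clipboard preview
            clip.getDescription().setExtras(extras);
        }
        cm.setPrimaryClip(clip);
        new Handler(Looper.getMainLooper()).postDelayed(() -> {
            // Best effort: newer Android versions restrict clipboard access to the
            // app in the foreground, so clearing may be ignored if we are not.
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                cm.clearPrimaryClip();
            } else {
                cm.setPrimaryClip(ClipData.newPlainText("", ""));
            }
        }, CLEAR_AFTER_MS);
    }
}
```

The Keystore route does not make the database unreadable to an attacker with root on an unlocked device; it removes the trivial case the researchers describe, where the secret needed to decrypt everything is sitting in the APK itself.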
The nine password managers were chosen based on the number of downloads reported by the Google Play Store. The researchers find their results alarming: their research shows that password managers, despite claims of being "bank-level" or "military-grade" secure, in reality are not.
The researchers informed the password manager vendors about their results and report that all vulnerabilities have been fixed as of today.