Android App Verification Issues Pave Way For Phishing Attacks
28th September, 2018 By Lindsey O'Donnell
A research team suggested a new secure-by-design API after discovering design flaws in the way Android apps are verified by password managers.
A design issue in the way some popular password manager tools verify legitimate Android apps could be harnessed to help attackers launch successful phishing attacks on users.
Researchers with the University of Genoa and Eurecom inspected popular mobile password tools that sync with Android applications and concluded that the way these tools verify apps could allow an attacker to easily slip by with a spoofed app and scoop up victims’ credentials.
“The number of design issues and the variety of vulnerable heuristics that we have identified in leading password managers suggest that the insights offered in this paper are not well-understood by the community,” researchers wrote in a report released Wednesday. “The possibility of abusing Instant apps and hidden fields make these attacks even more problematic and practical.”
