Password Managing Apps Relying on Android Clipboard Are Unsafe

Almost two years ago, a group of security researchers from Germany published a paper titled ‘Hey, You, Get Off My Clipboard,’ in which they basically punch Android in the bun. To cut the long story short, the researchers discovered that all apps installed on Android devices have unlimited access to the Clipboard, that area used by password managing apps in many cases.

Back then, 21 password managing apps, including our favorite LastPass got busted for either missing the elephant, or intentionally misleading their users on the level of security they provided. Two years later, barely anything has changed:

  • Google did not patch the evident and now known to many security bug with the Clipboard being open to monitoring by apps even without any special permissions
  • Password managing apps do not explicitly tell to their users that using Clipboard to copy and paste their passwords in Android leaves their credentials accessible to all apps installed on their devices, where some may be potentially malware
  • Users still don’t bother to read or understand apps permissions, believing in the ‘brand’
  • Google Play is still a haven for malware to sift through the store’s fairly lax defenses

Ars Technica reports asking LastPass’ CEO Joe Siegris on the issue, and his answer doe have a point that it is an OS-wide problem,

“This is an any clipboard activity problem and impacts any password manager involving the clipboard (100% of them)—the way all password managers have consistently allowed you to enter your password into other apps since Android has existed. This demonstration is aimed at LastPass, but it’s the whole of Android that must be addressed.”

So, why no word from Google on this? By the way, there is no research on iOS and Windows Phone operating systems’ clipboard availability and openness to installed apps. It would be safe to leave this question open for now.

In any case, here is what you should know about your password manager, if you use it on Android:

  • If you use LastPass with Autofill enabled, your credentials are vulnerable -> disable Autofill and use the app’s LastPass browser or LastPass keyboard
  • In any other password manager, like KeePassDroid, follow the same course – do not copy and paste passwords, but use virtual keyboards if they come with the password managing apps and are protected against screen or key strokes capture, or use secure browsers that come with the password managing apps.

Two years ago, the Germans have created an app, proof of concept, that was able to successfully weed out user passwords and login details. The spy app does not even have any special permissions, but the network access. It runs silently in the background and does not consume CPU cycles. Whenever the user copy-pastes something, the app captures, decrypts and sends over to the intruder/researcher the captured credentials. Another  proof of concept app has been developed recently and dubbed ClipCaster, and it works perfectly fine capturing and transmitting user credentials without alarming the user.

Image: ArsTechnica
Image: ArsTechnica

The downside is Android users in their majority do not bother to install antivirus, or antimalware apps on their devices. They tend to ignore apps permissions when they buy or install free apps from Google Play, without ever questioning reliability or accountability of both the Google mobile marketplace, or the developer. As a result, even a user sticking solely to the official Google Play marketplace may end up with loads of adware, or malware. Finally, the users need to be explicitly told by password managing apps that using their apps with the Android Clipboard is not safe.

Now that you know about the security vulnerability, will you keep copy-pasting your passwords in Android? I know what a pain it is inputting your passwords manually – one reason why I don’t use my devices to check or write emails, or God forbid, to shop. The more holes security researchers find in Android in particular, and mobile operating systems in general, the more I want to get to the attic and try to find my late Grandmother’s nearly 15 year old Alcatel OT 331. At least with those mobile phones we did not have temptations or convenience – just the pure voice calls and texting delight. And no malware!

Let us know what you think in the comments below, or join a conversation on our forum!

Sources: Ars Technica, Hey, You, Get Off My Clipboard, ClipCaster.