Password management apps are often recommended by security professionals as a secure way to store and access passwords, but mobile app security testing has shown that these apps can pose security issues of their own. A group of security researchers from TeamSIK recently published their assessment of nine well-known password management apps on Android devices and found that none of them were completely secure.
According to TeamSIK, “The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the user’s confidence and expose them to high risks.”
The nine popular password management apps that went through mobile app security testing by the research team included My Passwords, LastPass, Informaticore Password Manager, Keeper, Dashlane, F-Secure KEY, Hide Pictures Keep Safe Vault, 1Password and Avast Passwords.
The security vulnerabilities found in each app were reported to the app developers and fixed before being disclosed to the public. Since the bugs have now been fixed, it is important to update to the latest versions so that attackers cannot exploit the vulnerable versions of the apps.
Mobile app security testing of these apps revealed some serious disregard for best practice, such as storing the master password entered by the user in plaintext, or making use of hard-coded cryptographic keys. Such flaws allowed the researchers to access stored credentials with the help of a third-party app. Many apps also failed to account for clipboard sniffing, in which another app reads credentials that were copied to the clipboard to be pasted later.
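As an added illustration of the two storage flaws named above (it is not code from the report or from any of the apps tested), the weak pattern of a key baked into the APK is shown beside a hardened version that derives the vault key from the master password at unlock time, so that neither the master password nor the key is ever written to disk. The class, method names and the placeholder key bytes are assumptions for this example.

```java
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class VaultCrypto {
    // WEAK (the pattern the researchers flagged): a key hard-coded in the app.
    // Anyone who unpacks the APK recovers it and can decrypt every user's vault.
    // The bytes below are a constructed placeholder, not a real key.
    private static final byte[] HARDCODED_KEY = "0123456789abcdef".getBytes();

    static byte[] weakEncrypt(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "AES"));
        return c.doFinal(plaintext);
    }

    // HARDENED: derive the vault key from the master password with PBKDF2 and a
    // random per-user salt. Only the salt is persisted; the password and the
    // derived key live in memory for the session and are never stored.
    static SecretKey deriveKey(char[] masterPassword, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(masterPassword, salt, 310_000, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        ((PBEKeySpec) spec).clearPassword(); // wipe the password copy held by the spec
        return new SecretKeySpec(raw, "AES");
    }

    // Returns iv || ciphertext. AES-GCM with a fresh random IV gives both
    // confidentiality and integrity for the vault blob.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] ivAndCt) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, ivAndCt, 0, 12));
        return c.doFinal(ivAndCt, 12, ivAndCt.length - 12);
    }
}
```

The salt passed to deriveKey should be generated once with SecureRandom and saved alongside the vault; on Android the derived key can additionally be wrapped with an Android Keystore key rather than held only in app memory.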
The researchers who conducted the mobile app security testing also found that the security of most of these apps is weakened by the introduction of convenience features. For instance, some apps have introduced built-in browsers for their customers' convenience, but such browsers bring a large number of security threats of their own.
This does not mean that password management apps are inherently risky or insecure. However, to keep them effective it is important to keep them regularly updated and to ask whether the developers have carried out mobile app security testing.
Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.