Android vulnerability impacting password managers

Android users at Ohio University are asked to be aware of a vulnerability within the autofill functionality of Android apps.

This vulnerability, known as AutoSpill, can expose the saved credentials within the user’s mobile password managers, such as LastPass, by bypassing Android’s secure autofill mechanism.  

Until a patch is released by Google and the impacted password managers there are a few things to keep in mind to reduce risk to your passwords:

1. Don’t stop using a password manager if the result would be adopting less secure password practices such as reusing credentials or storing passwords in insecure ways. To learn more about safe password practices, visit the Information Security Office’s Strong Passwords webpage.
2. Exercise diligence when choosing which applications you install on your device. This best practice is applicable to all devices, not just Android. Only download apps from trusted sources and be suspicious of apps that require passwords for accounts that are not actively managed or provided by the application developer. It is also a good idea to periodically review and modify app permissions as you see fit. 
3. One way to avoid risk associated with this vulnerability is to manually copy the needed credentials from the password manager and paste them directly into the app rather than utilizing the autofill feature. However, be aware that this will save the password to the device’s operating system clipboard, which comes with its own risks.
4. Follow the guidance on the Information Security Office’s Smartphone Security webpage.

For more information on security best practices, be sure to visit the web guidance provided by the Information Security Office.