Android Device Owners Warned of Password Manager Data Leak

A new vulnerability shows that password managers could be leaking your credentials when used on your Android device.

If you're an Android user, think twice before using a password manager to autofill your credentials, as a study found that doing so in WebView can leak your data.

Considering how many passwords the average user has at their disposal, a password manager is an undeniably helpful tool that is supposed to help you keep track of your many credentials while securing you from potential online threats.

Unfortunately, no online tool is perfect, and this new vulnerability could have dire consequences for password manager users on Android devices.

Password Managers on Android Devices Leak Data in WebView

At the Black Hat Europe conference in London this week, researchers made a presentation that showed a significant security vulnerability for Android users. Cleverly dubbed AutoSpill by the researchers, the vulnerability occurs when you use autofill to input your login credentials in the WebView mode of your device.

Fortunately, with your typical selection of apps, there isn't much of a problem, as the providers of legitimate services have no need for your leaked credentials. However, if you've downloaded a malicious app onto your device, the ease with which they gain access to your password and other data is quite troubling.

Surfshark logo🔎 Want to browse the web privately? 🌎 Or appear as if you're in another country?
Get a huge 86% off Surfshark with this special tech.co offer.See deal button

“If it is a malicious application, it will receive the credentials for free. No phishing required, no tricking needed, nothing is required.” – Ankit Gangwal of the International Institute of Information Technology (IIIT)

Fortunately, Gangwal made password manager providers and Google aware of the uniquely Android problem and according to Gangwal, “they are trying to fix it.”

Password Manager Use on the Rise

The average user does not follow password best practices, with large percentages admitting to using the same password for multiple accounts and easy-to-guess words and phrases still topping most popular password lists.

Subsequently, password managers were designed to solve the problem, providing a secure means of logging into multiple accounts without having lax security measures protecting them. In fact, password manager usage has been on the rise, increasing 13% from 2022 to 2023.

Unfortunately, with these kinds of massive vulnerabilities, confidence in password managers could dwindle, with the average user opting for the tried-and-true sticky note method over a password manager.

How to Avoid This Vulnerability

The best way to avoid this vulnerability is to avoid using a password manager to autofill your credentials when using the WebView mode on your Android device. Still, this isn't exactly a long-term solution, which is why the researchers suggested a more practical option.

“I think passkeys will solve this entire problem because they are signature-based, and you need to explicitly give permission to each application that can access the passkey.” – Ankit Gangwal

The passkey vs password debate continues to rage on, but luckily, the majority of providers are starting to see the value of this new means of security. The question is: when will passkeys become the standard over passwords?

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Written by:
Conor is the Lead Writer for Tech.co. For the last six years, he’s covered everything from tech news and product reviews to digital marketing trends and business tech innovations. He's written guest posts for the likes of Forbes, Chase, WeWork, and many others, covering tech trends, business resources, and everything in between. He's also participated in events for SXSW, Tech in Motion, and General Assembly, to name a few. He also cannot pronounce the word "colloquially" correctly. You can email Conor at conor@tech.co.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is Tech.co's top-rated VPN service See Deals