Flaws in Mobile Password Manager: Auto-Fill to AutoSpill
IIIT Assistant Professor Ankit Gangwal on Mobile Password Manager Vulnerabilities
Mobile password managers are different from computer-based password managers due to different constraints found in the mobile operating system, said Ankit Gangwal, assistant professor at the International Institute of Information Technology in Hyderabad, India.
Mobile operating systems promote systemwide auto-filling in both applications and browsers, employing sandboxing to prevent direct communication between different applications. The AutoSpill behavior, which was discovered accidentally, originates from this systemwide auto-filling, Gangwal said.
He said that to mitigate an AutoSpill attack, users should not trust any software completely but should scrutinize warnings and exercise intelligence. The challenge, he said, lies in the background processes, where users have limited visibility, making it difficult for them to apply intelligence effectively.
"It's time to get rid of them [passwords] and try to come up with something different than this," he said.
In this video interview with Information Security Media Group at Black Hat Europe 2023, Gangwal also discussed:
- The common mistakes users make, including the use of weak and reused passwords;
- Why users should exercise caution when using password managers;
- The potential limitations of employing AI for authentication.
Prior to joining IIIT, Hyderabad, Gangwal was a postdoctoral researcher at TU Delft, Netherlands. He also held a visiting researcher role at Stevens Institute of Technology in the United States. His research areas include blockchain, cryptography, privacy and security.