Fraud Management & Cybercrime , Identity & Access Management , Security Operations

Flaws in Mobile Password Manager: Auto-Fill to AutoSpill

IIIT Assistant Professor Ankit Gangwal on Mobile Password Manager Vulnerabilities
Ankit Gangwal, assistant professor, International Institute of Information Technology (IIIT)

Mobile password managers are different from computer-based password managers due to different constraints found in the mobile operating system, said Ankit Gangwal, assistant professor at the International Institute of Information Technology in Hyderabad, India.

See Also: Safeguarding against GenAI Cyberthreats with Zero Trust

Mobile operating systems promote systemwide auto-filling in both applications and browsers, employing sandboxing to prevent direct communication between different applications. The AutoSpill behavior, which was discovered accidentally, originates from this systemwide auto-filling, Gangwal said.

He said that to mitigate an AutoSpill attack, users should not trust any software completely but should scrutinize warnings and exercise intelligence. The challenge, he said, lies in the background processes, where users have limited visibility, making it difficult for them to apply intelligence effectively.

"It's time to get rid of them [passwords] and try to come up with something different than this," he said.

In this video interview with Information Security Media Group at Black Hat Europe 2023, Gangwal also discussed:

  • The common mistakes users make, including the use of weak and reused passwords;
  • Why users should exercise caution when using password managers;
  • The potential limitations of employing AI for authentication.

Prior to joining IIIT, Hyderabad, Gangwal was a postdoctoral researcher at TU Delft, Netherlands. He also held a visiting researcher role at Stevens Institute of Technology in the United States. His research areas include blockchain, cryptography, privacy and security.

About the Author

Tony Morbin

Tony Morbin

Executive News Editor, EU

Morbin is a veteran cybersecurity and tech journalist, editor, publisher and presenter working exclusively in cybersecurity for the past decade – at ISMG, SC Magazine and IT Sec Guru. He previously covered computing, finance, risk, electronic payments, telecoms, broadband and computing, including at the Financial Times. Morbin spent seven years as an editor in the Middle East and worked on ventures covering Hong Kong and Ukraine.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.