The Emperor's New Autofill Framework: A Security Analysis of Autofill on iOS and Android

TL;DR

This paper critically evaluates the security of autofill frameworks on iOS and Android, revealing they often enforce insecure behaviors and can be exploited in credential phishing, highlighting the need for improved mobile autofill security.

Contribution

The paper provides a comprehensive security analysis of mobile autofill frameworks, identifying vulnerabilities and proposing recommendations for more secure design and implementation.

Findings

Mobile autofill frameworks often enforce insecure behaviors.

Frameworks act as a confused deputy in credential phishing attacks.

Mobile password managers are less secure than desktop counterparts.

Abstract

Password managers help users more effectively manage their passwords, encouraging them to adopt stronger passwords across their many accounts. In contrast to desktop systems where password managers receive no system-level support, mobile operating systems provide autofill frameworks designed to integrate with password managers to provide secure and usable autofill for browsers and other apps installed on mobile devices. In this paper, we evaluate mobile autofill frameworks on iOS and Android, examining whether they achieve substantive benefits over the ad-hoc desktop environment or become a problematic single point of failure. Our results find that while the frameworks address several common issues, they also enforce insecure behavior and fail to provide password managers sufficient information to override the frameworks' insecure behavior, resulting in mobile managers being less secure than their desktop counterparts overall. We also demonstrate how these frameworks act as a confused deputy in manager-assisted credential phishing attacks. Our results demonstrate the need for significant improvements to mobile autofill frameworks. We conclude the paper with recommendations for the design and implementation of secure autofill frameworks.