A Security Analysis of Password Managers on Android

Cited by: 1
Authors
Sharma, Abhyudaya [1]
Mishra, Sweta [1]
Affiliation
[1] Shiv Nadar Univ, Greater Noida, India
Source
INFORMATION SYSTEMS SECURITY, ICISS 2023 | 2023 / Vol. 14424
Keywords
password manager; android; security; reverse engineering;
DOI
10.1007/978-3-031-49099-6_1
Chinese Library Classification
TP31 [Computer software];
Discipline classification code
081202 ; 0835 ;
Abstract
Password Managers are software tools designed to help users easily store and access credentials across devices while also reducing, if not eliminating, reuse of passwords across different service providers. Previous research has identified several security vulnerabilities with desktop and browser-based password managers; however, aside from research on possibilities of phishing, the security of password manager applications on mobile devices had never been investigated comprehensively prior to this paper. We present a study of three of the most popular password managers on the Google Play Store including but not limited to their password generators, vault and metadata storage, and autofill capabilities. By building upon past findings, we identify several weaknesses in password managers including generation of weak and statistically non-random passwords, unencrypted storage of metadata and application settings, and possibilities for credential phishing. In addition, we suggest several improvements to mobile password managers, other Android applications, and the Android operating system that can improve the user experience and security of password managers on Android devices. From our observations, we also determine areas for future research that can help improve the security of password managers.
Pages: 3-22
Page count: 20