Hey, You, Get Off of My Clipboard

On How Usability Trumps Security in Android Password Managers
  • Sascha Fahl
  • Marian Harbach
  • Marten Oltrogge
  • Thomas Muders
  • Matthew Smith
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7859)


Password managers aim to help users manage their ever increasing number of passwords for online authentication. Since users only have to memorise one master secret to unlock an encrypted password database or key chain storing all their (hopefully) different and strong passwords, password managers are intended to increase username/password security. With mobile Internet usage on the rise, password managers have found their way onto smartphones and tablets. In this paper, we analyse the security of password managers on Android devices. While encryption mechanisms are used to protect credentials, we will show that a usability feature of the investigated mobile password managers puts the users’ usernames and passwords at risk. We demonstrate the consequences of our findings by analysing 21 popular free and paid password managers for Android. We then make recommendations how to overcome the current problems and provide an implementation of a secure and usable mobile password manager.


Android Security Apps Password Managers Vulnerability 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bishop, M., Klein, D.V.: Improving system security via proactive password checking. Computers & Security 14(3), 233–249 (1995)CrossRefGoogle Scholar
  2. 2.
    Bonneau, J.: The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 538–552 (2012)Google Scholar
  3. 3.
    Dell’Amico, M., Michiardi, P., Roudier, Y.: Password Strength: An Empirical Analysis. In: 2010 Proceedings IEEE INFOCOM, pp. 1–9 (2010)Google Scholar
  4. 4.
    Egners, A., Marschollek, B., Meyer, U.: Messing with Android’s Permission Model. In: IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom 2012) (May 2012)Google Scholar
  5. 5.
    Fahl, S., Harbach, M., Muders, T., Baumgärtner, L., Freisleben, B., Smith, M.: Why eve and mallory love android: an analysis of android ssl (in)security. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 50–61. ACM, New York (2012)CrossRefGoogle Scholar
  6. 6.
    Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS 2012, pp. 3:1–3:14. ACM, New York (2012)Google Scholar
  7. 7.
    Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, pp. 657–666 (2007)Google Scholar
  8. 8.
    Gaw, S., Felten, E.W.: Password management strategies for online accounts. In: Proceedings of the Second Symposium on Usable Privacy and Security, SOUPS 2006, pp. 44–55. ACM, New York (2006)CrossRefGoogle Scholar
  9. 9.
    Kaliski, B.: PKCS #5: Password-Based cryptography specification version 2.0. RFC 2898, Internet Engineering Task Force (September 2000)Google Scholar
  10. 10.
    Malone, D., Maher, K.: Investigating the distribution of password choices. In: Proceedings of the 21st international Conference on World Wide Web, WWW 2012, pp. 301–310. ACM, New York (2012)CrossRefGoogle Scholar
  11. 11.
    Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: Stronger password authentication using browser extensions. In: Proceedings of the 14th Conference on USENIX Security Symposium, SSYM 2005, vol. 14, p. 2. USENIX Association, Berkeley (2005)Google Scholar
  12. 12.
    Shay, R., Kelley, P.G., Komanduri, S., Mazurek, M.L., Ur, B., Vidas, T., Bauer, L., Christin, N., Cranor, L.F.: Correct horse battery staple: exploring the usability of system-assigned passphrases. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS 2012, pp. 7:1–7:20. ACM, New York (2012)Google Scholar
  13. 13.
    Shay, R., Komanduri, S., Kelley, P.G., Leon, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F.: Encountering stronger password requirements: user attitudes and behaviors. In: Proceedings of the Sixth Symposium on Usable Privacy and Security, SOUPS 2010, pp. 2:1–2:20. ACM, New York (2010)Google Scholar
  14. 14.
    Ur, B., Kelley, P.G., Komanduri, S., Lee, J., Maass, M., Mazurek, M.L., Passaro, T., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L.F.: How does your password measure up? The effect of strength meters on password creation. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security 2012, p. 5. USENIX Association, Berkeley (2012)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Sascha Fahl
    • 1
  • Marian Harbach
    • 1
  • Marten Oltrogge
    • 1
  • Thomas Muders
    • 1
  • Matthew Smith
    • 1
  1. 1.Distributed Computing & Security GroupLeibniz University of HannoverHannoverGermany

Personalised recommendations