#HITB2017AMS
Author: Hack In The Box Security Conference
Uploaded: 2017-05-14
Views: 582
Description:
There are different policies for the generation of secure passwords. However, one of the biggest challenges is to memorize all these complex passwords. Password manager applications are a promising way of storing all sensitive passwords in a cryptographically secure manner. Accessing these passwords is only possible if the user enters the correct master password, which is the only password that he needs to remember. At first, the requirements for a password manager application seem simple: storing the passwords of a user in a secure and confidential way. On the other hand, the stakes are high. If the protection breaks, the attacker gets access to all of the user’s passwords. We therefore investigated what the reality looks like for mobile password manager applications on Android. Application vendors advertise their password manager applications as “bank-level” or “military-grade” secure. However, can users really be sure that their secrets are stored in a secure way? Or can they be accessed by an attacker?
We will show the most common implementation pitfalls and design failures as well as how we exploited them in the aforementioned Android password managers. We will show that a faulty concept will break the confidentiality even without root privileges. Furthermore, we explain countermeasures and best practice approaches to avoid these vulnerabilities.
===
Stephan Huber is a security researcher at the Testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and developing new static and dynamic analysis techniques for app security evaluation. He found different vulnerabilities in well-known Android applications and the AOSP. In his spare time he enjoys teaching students in Android hacking.
---
Steven is currently a researcher at the Fraunhofer Institute for Secure Information Technology (SIT) in Darmstadt. He graduated from TU Darmstadt in computer science and IT Security. Steven is one of the core maintainers of the Soot open-source compiler framework and the FLOWDROID open-source static data flow tracker. His main interests center around research and hacking for (mobile) security, as well as static and dynamic program analysis. Together with his colleagues, he leads the hacking team of SIT.
---
Siegfried Rasthofer is a vulnerability- and malware-researcher at Fraunhofer SIT (Germany) and his main research focus is on applied software security on Android applications. He developed different tools that combine static and dynamic code analysis for security purposes and he is the founder of the CodeInspect reverse engineering tool. He likes to break Android applications and found various AOSP exploits. Most of his research is published at top tier academic conferences and industry conferences like DEF CON, BlackHat, AVAR or VirusBulletin.