The Emperor s New Autofill Framework: A Security Analysis of Autofill on iOS and Android

Sean Oesch, Anuj Gautam, Scott Ruoti

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

5 Scopus citations

Abstract

Password managers help users more effectively manage their passwords, encouraging them to adopt stronger passwords across their many accounts. In contrast to desktop systems where password managers receive no system-level support, mobile operating systems provide autofill frameworks designed to integrate with password managers to provide secure and usable autofill for browsers and other apps installed on mobile devices. In this paper, we evaluate mobile autofill frameworks on iOS and Android, examining whether they achieve substantive benefits over the ad-hoc desktop environment or become a problematic single point of failure. Our results find that while the frameworks address several common issues, they also enforce insecure behavior and fail to provide password managers sufficient information to override the frameworks' insecure behavior, resulting in mobile managers being less secure than their desktop counterparts overall. We also demonstrate how these frameworks act as a confused deputy in manager-assisted credential phishing attacks. Our results demonstrate the need for significant improvements to mobile autofill frameworks. We conclude the paper with recommendations for the design and implementation of secure autofill frameworks.

Original languageEnglish
Title of host publicationProceedings - 37th Annual Computer Security Applications Conference, ACSAC 2021
PublisherAssociation for Computing Machinery
Pages996-1010
Number of pages15
ISBN (Electronic)9781450385794
DOIs
StatePublished - Dec 6 2021
Externally publishedYes
Event37th Annual Computer Security Applications Conference, ACSAC 2021 - Virtual, Online, United States
Duration: Dec 6 2021Dec 10 2021

Publication series

NameACM International Conference Proceeding Series

Conference

Conference37th Annual Computer Security Applications Conference, ACSAC 2021
Country/TerritoryUnited States
CityVirtual, Online
Period12/6/2112/10/21

Funding

We tested whether this property was supported by constructing We tested whether this property was supported by constructing

Keywords

  • Authentication
  • Mobile framework
  • Password managers
  • Security evaluation

Fingerprint

Dive into the research topics of 'The Emperor s New Autofill Framework: A Security Analysis of Autofill on iOS and Android'. Together they form a unique fingerprint.

Cite this