Android Update: Could New Auto-fill Functionality Impact Users' Security?
Google is preparing new functionality for Android that will allow apps to retrieve and auto-fill security codes from SMS. Last year Apple introduced a similar feature to iOS and macOS, for which we discovered security risks for online banking, two-factor authentication (2FA), and other services. In this post, we analyse what we know so far about Google’s version.
The latest developer beta of Google Play Services (18.7.13 beta) contains code fragments that show a new Android permission to automatically retrieve verification codes from text messages. This feature has not yet been fully implemented, but the available code allows for some analysis and early evaluation of possible security risks. We’ve therefore performed a preliminary analysis to identify similar risks as we demonstrated in 2018 for the Security Code AutoFill feature in iOS and macOS.
It seems that Google is preparing an update to the “Autofill Framework”, introduced with Android 8.0 in 2017, to include the new functionality. Previously, this framework’s sole purpose was to support the autofill functionality of password managers in Android apps and websites. The code fragments of this new feature reveal the names and descriptions of the associated system setting and corresponding runtime permission requests, shown below.
|The likely UI of the new setting in Android to enable/disable SMS Code Auto-fill (source: xda-developers.com).|
|The likely UI of the new runtime permission request in Android (to deny or allow an application’s access to the SMS Code Auto-fill feature).|
Android’s Autofill Framework for passwords allows apps and websites to self-declare whether and where they want to activate the password autofill feature, e.g. using android:autofillHints=“password” and android:importantForAutofill=“yes”. The picture below shows the UI of Android autofill suggestions for passwords. We can assume that the autofill suggestions for SMS security codes will look similar.
|Current UI of Android’s Autofill Framework, displaying available user login credentials. If the user taps on “dataset-2”, this username and the corresponding password will be inserted into the app or website (source: Android Open Source Project).|
The Risk of Auto-filling Security Codes
SMS Code Auto-fill appears linked to Android’s Autofill Framework, which enables apps and websites to determine whether and where to make autofill suggestions. We currently don’t know all the details of the upcoming SMS Code Auto-fill in Android and can only re-create a workflow based on the available code snippets and the current implementation of password autofill.
However, it is still early days – and as in any development cycle, many things can change. Along those lines, we’ve made a recommendation to our contacts at Google, to help prevent Android users from being exposed to security risks similar to those we previously discovered for the Security Code AutoFill feature in iOS and macOS. We recommend against giving apps and websites control over whether to suggest to their users that security codes be auto-filled into a particular form field. There are two reasons for this:
- First, consider an attacker manipulating Android into suggesting to autofill a security code on a different webpage than where the code is intended. Such an attack vector could be used for phishing of 2FA security codes. These codes are commonly used to secure online accounts, including email and banking.
- Second, consider a transaction authorization scenario. In such a scenario, the SMS sent to the user contains context information (such as the amount being transferred in an online payment), which the user is supposed to verify before quoting the security code. If the autofill suggestion removes this salient context information when presenting the code, the user is effectively encouraged to autofill the code without first verifying the correctness of said context information. Such “code blindness” could facilitate Man-in-the-Middle and Man-in-the-Browser attacks.
Automatically inserting security codes from SMS into their intended destination form field would be a significant improvement to usability. Users would be relieved from switching apps to access security codes in their SMS application, copy or memorize it, and then switch back to the intended destination app or webpage and quote the security code. However, for autofill to be secure, the insertion must be made in the intended app or webpage, and the recipient must have an opportunity to read and verify salient context information beforehand.
We look forward to following developments at Google and the final outcome.
This article, originally published on 6 August 2019, first appeared on Bentham’s Gaze.