Ankit Gangwal and his students Shubham Singh and Abhijeet Srivastava received the best paper award for their research work on AutoSpill: Credential Leakage from Mobile Password Managers at the 13th ACM Conference on Data and Application Security and Privacy (ACM CODASPY 2023), held in Charlotte, USA, 24 – 26 April.
Research work as explained by authors:
Password managers (PMs) are becoming increasingly popular on mobile devices, especially on small-screen devices, mainly due to the convenience of automatically filling credentials into login forms. Modern mobile OSes advocate for system-wide autofill frameworks to support autofilling on browsers as well as other apps. Mobile OSes also empower apps to directly render web content within WebView controls without redirecting users to the main browser.

We present a novel technique, called AutoSpill, to leak users’ saved credentials during an autofill operation on a webpage loaded into an app’s WebView. AutoSpill conveniently dodges the secure autofill process. The majority of popular Android PMs considered in our experiments were found vulnerable to AutoSpill, even when the app hosting the WebView is not actively participating in the leak. Android intermediates in the autofill process because of its app sandboxing. Hence, the responsibility for any credential leakage is often stranded between PMs and the Android system. We investigate the root causes of AutoSpill and propose countermeasures to fundamentally fix AutoSpill for both parties. We responsibly disclosed our findings to the affected PMs and the Android security team.
With the rapid global penetration of the Internet and smartphones, and the resulting productivity and social gains, the world is becoming increasingly dependent on its cyber infrastructure. Criminals, spies and predators of all kinds have learned to exploit this landscape much more quickly than defenders have advanced their technologies. Security and privacy have become essential concerns of applications and systems throughout their lifecycle. Security concerns have rapidly moved up the software stack as the Internet and the web have matured. The security, privacy, functionality, cost and usability trade-offs necessary in any practical system can only be effectively achieved at the data and application layers. This conference provided a dedicated venue for high-quality research in this arena and fostered a community with this focus in cyber security.
May 2023