Google password fill effort could kill Android malware’s best tricks


Google may be paving the way to kill one of the few remaining avenues to compromise modern Android handsets in its bid to improve password security with a new open source API.

The feature, dubbed OpenYOLO (You Only Log In Once), will allow users to permanently log into all apps by entering their password manager credentials once.

Users who have turned up security settings must log into their password managers each time they access applications, which is a minor inconvenience.

The initiative is being sold as one that will make sign-in seamless.

Password management outfit Dashlane’s community manager Malaika Nicholas says the company is working with “… other top password management companies, who will contribute their unique security and software development expertise to improve the design and implementation of this open API.”

However, an underlying benefit could be the reduced use of special permissions on the latest Android platforms, version five (Lollipop) and version six (Marshmallow).

It could feasibly allow Google to better lock down the controls behind security PIN screens, frustrating malware writers’ efforts to trick users.

Platforms like LastPass and Dashlane require users to approve permissions including application filling and draw-over-apps in order to insert passwords in third-party apps.

Those same features are used by modern malware to gain powerful abilities to spy on applications and steal login information.

Skycure security researcher Yair Amit chained research to demonstrate how malware writers can use basic games to trick users into approving the permissions.

Others have warned of the rise of screen overlay-abusing malware. IBM’s Limor Kessem has found one offering fetching up to US$15,000, its price having increased from US$5000.
