back to article Boffins bypass password protection with pilfering by phony programs

Password managers on mobile devices can be tricked by imposter apps into handing over a user's passwords. This according to a paper [PDF] from researchers with the University of Genoa and EURECOM, who found that the Android Instant Apps feature is designed and can ask for, and receive, stored credentials from password managers …

  1. malle-herbert Silver badge

    And still...

    My bank insists that banking through their mobile App is perfectly safe...

    1. DropBear Silver badge

      Re: And still...

      As with most disagreements, it can be reduced to one of differing definitions. "Has perfect resistance against any and all attacks and exploits" vs. "could easily pass for Swiss cheese but we hardly ever - if at all - see it abused in practice".

    2. VinceH Silver badge

      Re: And still...

      It is perfectly safe for them. After all, if anything happens it'll be YOU who allowed something to run on the device and which pilfered your passwords, and thence your money.

  2. Mage Silver badge
    Black Helicopters

    Not news?

    Trojans first delivered by reel tape to mainframe owners as demo programs or utilities (apps).

    I'm thinking it's a problem that's not going to go away. Even if dialogs popup people just click on OK. Almost all PC infections are aided by the user "installing".

    There isn't the economic necessity for Google to even try very hard to vet apps for store. Besides it's probably not possible to stop cleverly written Trojans.

  3. Stuart Castle

    I'm a bit confused as to your conclusion. Are you saying that Google shouldn't even try? No security system is perfect. Take the average Front door. It might have a bolt, a lock and a yale or chubb lock on it. It's going to stop most people getting in, but there is always the odd person who is willing to try something a little different, like a crow bar or a well placed boot. Does that mean you don't bother installing locks on your door? Even those locks used in high security places such as bank vaults have vulnerabilities.

    My Software Engineering Management lecturer (who even when I did my degree 20 years ago, tried to teach us to design security into our systems) always said there is an old maxim in security. It is "Security, Features, Usability: Pick two". He also used to tell us that all security is a sort of best effort thing (my words, not his). Perfect security is currently impossible, and he used to like to joke that the person who invented the perfect security system would become very wealthy very quickly.

    I think Google need to monitor the app store, but while any verification process they implement will catch a lot of nasties, it's going to miss some (even Apple's system misses some), and people should not consider it a good replacement for the question "Do I *really* need to install this program?", or "Does this program really need the rights it's asking for?"

    1. Anonymous Coward
      Anonymous Coward

      "Are you saying that Google shouldn't even try?"

      My understanding of the article is the opposite conclusion. Google has effectively left the door wide open and absolutely should try harder by making it easier to identify apps correctly. They are the gatekeepers to the Android ecosystem and have to be more responsible about it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019