back to article Google password fill effort could kill Android malware's best tricks

Google may be paving the way to kill one of the few remaining avenues to compromise modern Android handsets in its bid to improve password security with a new open source API. The feature, dubbed OpenYOLO (You Only Log In Once), will allow users to permanently log into all apps by entering their password manager credentials …

  1. Sebastian A

    Didn't Lastpass just get compromised, losing users not just one password but all of them?

    Get your extra-large baskets here, perfect for all your eggs! Now with extra-shoddy handles!

    1. Andrew Jones 2

      Well then..... that'll be why Google is making the API open source so that ANY password manager can implement it and not just the high profile ones......

      1. Anonymous Coward
        Anonymous Coward

        Would that be one of those open APIs to a proprietary back-end, that is the hallmark of everything Google?

  2. lglethal Silver badge
    Go

    A bit light on details

    This article is a bit light on details - how does only ever signing in once improve security?

    Ok, I get that if you don't have to sign in multiple times, things like keyloggers cant grab your password. However, if your phone is stolen then the thief immediately has access to everything in your phone because your automatically logged into all of your apps. And I cant imagine it would be that hard to come up with a new type of malware that gets into your accounts because once it is installed on your phone, all the other apps are already logged in.

    So I'm really not getting the benefits here except maybe, maybe against keyloggers. Anyone able to provide more details?

    1. Lee D Silver badge

      Re: A bit light on details

      It does indeed sound stupid.

      And it harks back to making permissions be exactly what they say they are, and should always have been. Permitted or not.

      What this is saying is that apps have been getting permission to do things they never should have been allowed to do, and which users never allowed them to do, just by being installed. Google are (apparently) going to put a stop to that - not by denying the permissions that aren't explicitly granted - but by putting up a UAC-like PIN prompt on new permissions. Which is just stupid and inconvenient. And then they'll forever-remember that grant of permissions. How about, we deny by default unless you specifically allow a permission, and after initial install (ONE PROMPT on install, with customisable Yes/No permission options) you have to manually change the permissions for that app if you want it to work after that (might stop a few of those "this app suddenly wants to get on your Facebook with the latest update" junk) - or uninstall and then reinstall to get the first-time prompt.

      I love Android over its competition but app permission are, and always have been, bloody ridiculous on it. "This app wants all these permissions. Install it?" Where's my choice? How about "yes, install it, but a fun camera app doesn't need to sort through all my files and upload them to Facebook"? Then they added, much later on - almost a whole alphabet later on - the option to fake or revoke certain permissions.

      But still you can't stop malware being installed that sniffs the on-screen keyboard? That's still ridiculous. And at what point do I get the option to remove vendor-installed apps that don't have a remove button without rooting the device? Because if the manufacturer can do that, so can malware. And why can't I move ALL apps to the SD card still?

      This new "login once and I'll remember forever" doesn't solve any existing problem. Apps that aren't supposed to be sniffing the keyboard shouldn't be installed already, or bypassing the permission system. And apps that are given permissions never get that permission re-asked or revoked unless the user explicitly does that? It's just silly.

      Theft of the phone isn't a issue, however, as you should have a lock-screen PIN and encryption by default, and in that case it's game over for any thief unless they stole it while you were using it. And the various device manager apps can still forcibly wipe it, lock it, locate it, etc.

      More worrying is that they think the solution is having even less say in what authorised apps can or can't do over time. "You authorised it" isn't the security answer. The security answer is "What part of this do you want to authorise, when, how long for and do you want me to let the app know or should I just fake it so that it can't tell it hasn't got what it asked for?" Sure, hide that behind an advanced menu, don't baffle novice users, but taking a single authorisation as "this app can do what it likes in perpetuity" isn't security.

      "No, you can't access my camera, or use pay-for services - you're a fecking GPS compass app, for God's sake" is the correct answer.

      1. DaLo

        Re: A bit light on details

        Your post is full of inaccuracies. Android, since Marshmallow, allows individual permissions to be set for apps. For apps created to the Marshmallow API, it doesn't even need you to grant all permissions to install it. As the permission is first used you choose to allow or deny it and you can revoke it at any time (or from any non-Marshmallow apps). This renders 90% of your post moot.

        "...that sniffs the on-screen keyboard" There is also isn't an on screen keyboard. Anybody can create a keyboard, either as a system install one or directly in their app interface. Nobody wants a default Android keyboard that you can't change - look at the poor IOS one that they used to have. You can't run a keylogger on a system keyboard though unless rooted, but you can overwrite it or get the user to install one of the malware authors choosing and then do anything you want with the input - however this is by design and it does rely on the user not installing a system keyboard they don't trust.

    2. VinceH

      Re: A bit light on details

      "how does only ever signing in once improve security?"

      It doesn't - security and convenience have to be balanced; the more you have of one, the less you have of the other, and the trick is to get the balance right.

      ISTM the article is speculating on what other changes Google could make in future as a result of this "OpenYOLO" stuff: "may be paving the way to" ... "an underlying benefit could be" ... "It could feasibly allow"

    3. Andrew Jones 2

      Re: A bit light on details

      My understanding from the Dashlane blog post on the subject and also from Google's general stance on passwords is thus:

      Your phone should be secured - it's arguable that if your device is stolen and the lockscreen security defeated - it's probably game over at that point, locked password manager or not.

      The aim of the API is to encourage people who don't use password managers, to start using them - because far far far too many people are using the same username and password for everything, some might have 2 or 3 that they use - but the only way to get away from the risk of the seemingly daily onslaught of sites being hacked - is if it becomes a less valuable activity for hackers - so yes - they might break in and steal usernames and passwords of everyone, but if they are all unique logins for that site only and will not work anywhere else, then the value of the data plummets.

      It's all well and good in theory, but there are 2 things holding back "normal" users, the first and major pain point is that they find the idea of a password manager inconvenient and in same cases confusing, this prevents them from embracing the idea of having a unique login for every site.

      Not a lot is known about the API but I'd guess Google will probably go down the fingerprint / Biometrics route - possibly even trusted voice, and maybe trusted device.

  3. Anonymous Coward
    Anonymous Coward

    Oh yes, way to go Google..

    .. now you have to only steal ONE credential to gain access to the information of your victims users.

    If you really think Google has your best interests at heart, I may have a nice bridge to sell you, and some prime swampland..

    1. Mainway

      Re: Oh yes, way to go Google..

      Did you love the bit about how they fail to mention that people with a cheap non-android phone don't suffer from the same vulnerabilities? I'm very happy with my "Ken-Xin-Da" M3 Chinese Mobile phone, with no MMS, APN or WAP settings, but VOIP settings to dial IP to IP as standard and the option to password protect everything including your SMS and contacts from snoopers and no encryption is required because it's built into the firmware so to bypass it presumably they'd have to re-write the firmware, destroying said information in the process, as sold to Arabic countries world-wide hence the Arabic keypad!

      1. Anonymous Coward
        Anonymous Coward

        Re: Oh yes, way to go Google..

        Those cheap phones would instead be pwned in the hardware...by the Chinese government. So they have no need for all that stuff, your phone is an open book to them.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like