The Emperor's New Autofill Framework: A Security Analysis of Autofill on iOS and Android

Password managers help users more effectively manage their passwords, encouraging them to adopt stronger passwords across their many accounts. In contrast to desktop systems where password managers receive no system-level support, mobile operating systems provide autofill frameworks that are designed to integrate with password managers to provide secure and usable autofill for browsers and other apps installed on mobile devices. In this paper, we conduct the first holistic security evaluation of such frameworks on iOS and Android, examining whether they achieve substantive benefits over the ad-hoc desktop environment or become a problematic single point of failure. Our results find that while the frameworks address several common issues (e.g., requiring user interaction before autofill), they also enforce insecure behavior and fail to provide the password managers implemented using the frameworks with sufficient information to override this incorrect behavior. Within mobile browsers, this results in managers being less secure than their desktop counterparts. Within apps, incorrect handling of WebView controls leads to manager-assisted phishing attacks from malicious apps or domains, depending on how autofill is implemented. Based on our results, significant improvements are needed for mobile autofill frameworks and we conclude the paper with concrete recommendations for the design and implementation of more secure autofill frameworks.