Passwords just got more secure for Android users

Summary: Perhaps the greatest weakness of password managers is that they can't work directly with mobile apps. That changed recently when LastPass announced support for app autofill on Android.


Passwords are a big problem. They can be made very secure, but only by making them unusable. To use passwords securely, you need to make them complex, not reuse them on different sites and change them periodically. Humans can't do that by themselves. That's why password managers were invented.

This week LastPass, one of the major companies in the password manager business, made an announcement that fills in one of the last great gaps in password management: compatibility with mobile apps and browsers.

Password managers keep all the user's usernames, passwords and the sites for which they are used, in a strongly-secured database. When the user accesses one of those sites, the password manager fills the appropriate fields and logs the user in. This arrangement means the user only has to remember one very strong username and password for the password manager itself, and then passwords for the sites can be unique and random. Password managers will also generate strong passwords and some, like LastPass, support two-factor authentication for access to the database.

There has been one glaring hole in this arrangement until now: mobile apps and browsers. Mobile operating systems have stronger security designs than desktops, and generally prevent one app from directly accessing the data of another, which is what a password manager has to do to fill in a login form.

So users of password managers and mobile apps have to manually go to the password manager, copy the username and password to the clipboard and switch back to the app and paste them into the appropriate fields. And since there's just one clipboard you may have to do this twice. LastPass also comes with their own mobile browser, based on the free, open source Dolphin browser, because they couldn't stuff fields in Google's Chrome.

Until now.

The latest version of LastPass for Android can work with mobile apps and other browsers very much like it does on a PC. When you get to a login screen on an app, LastPass pops up to offer you the appropriate login.

It's not quite as polished as it is on desktops. Sometimes you have to touch in the login field before LastPass pops up. Some sites make things difficult by marking the fields as non-editable. But these are the exception rather than the rule, and they tend to go away as companies like LastPass reach out to the sites about the problems.

I hadn't noticed it, but recent changes in Android made this possible. The new LastPass feature requires Android 4.1 or later and, for Chrome support, Android 4.3 or later. Android 4.1, as ZDNet described at the time, had new:

    Accessibility APIs. Enhanced APIs allow handicapped users to do gesture based traversal of all onscreen elements. Text reading is supported by word, line, or paragraph. Custom views with extra semantic structure can be explained to the API so it can do a better job of accessibility.

The point was that accessibility apps could have access to content to allow, for instance, for spoken input. But it seems that this opens the door for password managers as well.

LastPass uses the Android Accessibility APIs to stuff usernames and passwords into login fields.
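The same access that lets an accessibility service fill login fields applies to every accessibility service enabled on the device, so it is worth checking which ones are turned on. The following is an added example, not code from the article or from LastPass: it parses the `enabled_accessibility_services` secure setting (read over `adb`, which is assumed to be available) and reports services outside an allowlist. The package names in the sample are constructed.

```python
import subprocess

SETTING = "enabled_accessibility_services"

def parse_enabled_services(raw):
    """Split the colon-separated setting value into (package, class) pairs."""
    raw = raw.strip()
    if raw in ("", "null"):          # `settings get` prints "null" when unset
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, sep, cls = entry.partition("/")
        if not sep or not package or not cls:
            raise ValueError(f"not a component name: {entry!r}")
        if cls.startswith("."):      # short form: class is relative to package
            cls = package + cls
        services.append((package, cls))
    return services

def unexpected_services(raw, allowed_packages):
    """Return enabled services whose package is not on the allowlist."""
    return [s for s in parse_enabled_services(raw) if s[0] not in allowed_packages]

def read_from_device():
    """Read the setting from a device connected over adb."""
    result = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", SETTING],
        capture_output=True, text=True, check=True)
    return result.stdout

# Constructed sample value: one expected password manager, one other service.
SAMPLE = ("com.example.passwordmanager/.FillService:"
          "com.example.flashlight/com.example.flashlight.HelperService")
ALLOWED = {"com.example.passwordmanager"}  # assumption: your own allowlist

if __name__ == "__main__":
    for package, cls in unexpected_services(SAMPLE, ALLOWED):
        print(f"unexpected accessibility service: {package} ({cls})")
```

Swap `SAMPLE` for `read_from_device()` to audit a connected device.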

With iOS 7, Apple began to address this same issue by building a password manager of sorts into iCloud. It requires software to be reworked to support it, which should work out over time, but the bigger problem is that it's Apple-only. Unless you are an Apple-only user, it's not an option. (I have asked LastPass if perhaps they could build a synchronization service with the iCloud passwords, but they haven't responded and it would be a little early to build any such service.)

I was just thinking the other day about how I'm getting tired of some aspects of Android (particularly Samsung's adulterated distribution of it), and I've wanted to switch to Windows Phone for some time. Now I'm not so sure. If I can have full password manager control in Android, suddenly it's a whole lot more attractive.

Below is a LastPass video about the new feature:

Topics: Security, Android, Mobile OS

  • Adulterated

    All versions of Android available on consumer devices are as you put it, adulterated. Even Nexus devices don't run a stock, AOSP, version of Android.
    • Not really...

      By definition Google Nexus devices run Android as Google intended it. However it may vary slightly from the Android made available to third parties. For example, the Google Now launcher was available on the Nexus 5 before it appeared in the Play Store.
    • The author is correct in noting that Samsung's version is a pain

      I just switched from Samsung to an LG running Kit Kat, the experience is much better.

      I was frustrated with Android for awhile now, but it seems that this was due to Samsung, not Google.
      • Gotta Mod

        I have a Nexus 7 running Kit Kat 4.4.3 and I'm not terribly fond of it either, although it's a way better interface than Samsung's TouchWiz. One of these days when the opportunity is right I'll put Cyanogenmod on my Galaxy S4.
        • May I recommend omnirom

          It's by a number of the former contributors to Cyanogen who didn't go pro.
          Very nice and stable, with a few (optional) great additional features.
          Custom ROM support is actually one of my purchasing criteria now :)
          • thanks, but...

            "going pro" doesn't bother me and CM is soooo much easier to install
        • Just install a custom launcher

          Most of the time people are just frustrated with the UI and a custom launcher like Nova Launcher greatly improves the UI. It also allows you to turn off visualizations that cause UI lag.
          Rann Xeroxx
  • iCab Mobile

    For iOS users, there's always iCab Mobile. Has built-in support for LastPass, Dropbox, and a bunch of other stuff.
  • Secure is relative in Android

    From Google possibly spying on users, to having over 96% of Malware on Android phones. From a security standpoint, Apple and Google still trail BlackBerry by leaps and bounds.
    • Oh really?

      What makes you think BlackBerry isn't spying on your traffic in service to Canada's hegemonic ambitions?

      Seriously, BlackBerry is certainly very secure, but so is Apple. Android is clearly the least of the three (of the four if you count Windows Phone), but if you stick with Google Play and name-brand apps you're as safe as you need to be.
    • Only use Google Play

      0.1% of the malware came from Google Play so as long as you stay away from pirated games and apps you are safe from malware.
      • Not entirely

        But it makes sense to choose one's non-Google repositories with care.
        John L. Ries
        • Like when?

          As an English speaker I've never found a good reason to go out of Play. There was at least a point when the selection of apps supporting other languages wasn't as good as in 3rd party stores so that may be a good reason.
      • 0.001%

        I'm afraid you are mistaken. The actual penetration is 0.001%. Not 0.1%.
  • PasswordBox is ahead of Lastpass

    I have been looking for this capability. I stick with Roboform even though it does not fill apps. PasswordBox does and uses the alternate keyboard/input function. This makes it compatible with older Android. I will try Lastpass though.
    • Interesting, but...

      This rings a bell. I have heard of the keyboard method for dealing with this problem. The problem with it is that you need to use their keyboard and I love Swype. I guess partnerships between such companies could be useful.
      • PasswordBox updated

        I just rechecked PasswordBox and it now uses the accessibility approach too. I do not recall when it updated. I remember its keyboard had a key to switch to another input handler you specify in settings. I also have a preference in hacker's keyboard.

        I have a few apps that clear the login when they are no longer the focus. I have to manually enter the username and paste the password. Time to compare Lastpass and passwordbox.
        • are you sure?

          I checked PasswordBox just now and it's not at all clear to me that they are using the same approach. I get the feeling from the site that it's all still just the keyboard. I'll ask them about it directly
  • LastPass is great but...

    ... I don't want to pay a service fee (even if it's just $1/month). I'd rather just pay a flat fee up front for an app. It's my password manager for Firefox on the desktop. But on my phone I use Keepass2Android Password Safe.
  • Passwords just got more secure for Android users

    It's been more secure for quite a while now... it's called Roboform, and they've been doing this for over a year, and they have a Dauphin plugin.