Passwords just got more secure for Android users

Perhaps the greatest weakness of password managers is that they can't work directly with mobile apps. That changed recently when LastPass announced support for app autofill on Android.
Written by Larry Seltzer, Contributor

Passwords are a big problem. They can be made very secure, but only by making them unusable. To use passwords securely, you need to make them complex, not reuse them on different sites and change them periodically. Humans can't do that by themselves. That's why password managers were invented.

This week LastPass, one of the major companies in the password manager business, made an announcement that fills in one of the last great gaps in password management: compatibility with mobile apps and browsers.

Password managers keep all of the user's usernames and passwords, along with the sites for which they are used, in a strongly secured database. When the user accesses one of those sites, the password manager fills the appropriate fields and logs the user in. This arrangement means the user only has to remember one very strong username and password for the password manager itself, and then passwords for the sites can be unique and random. Password managers will also generate strong passwords and some, like LastPass, support two-factor authentication for access to the database.

There has been one glaring hole in this arrangement until now: mobile apps and browsers. Mobile operating systems have stronger security designs than desktops, and generally prevent one app from directly accessing the data of another, which is exactly what a password manager has to do in order to fill in another app's login form.

So users of password managers and mobile apps have to manually go to the password manager, copy the username and password to the clipboard, switch back to the app and paste them into the appropriate fields. And since there's just one clipboard, you may have to do this twice. LastPass also comes with its own mobile browser, based on the free, open source Dolphin browser, because it couldn't stuff fields in Google's Chrome.

Until now.

The latest version of LastPass for Android can work with mobile apps and other browsers very much like it does on a PC. When you get to a login screen on an app, LastPass pops up to offer you the appropriate login.

It's not quite as polished as it is on desktops. Sometimes you have to touch in the login field before LastPass pops up. Some sites make things difficult by marking the fields as non-editable. But these are the exception rather than the rule, and they tend to go away as companies like LastPass reach out to the sites about the problems.

I hadn't noticed it, but changes in Android recently made this possible. The new LastPass feature requires Android 4.1 or later and, for Chrome support, Android 4.3 or later. Android 4.1, as ZDNet described at the time, had new:

    Accessibility APIs. Enhanced APIs allow handicapped users to do gesture based traversal of all onscreen elements. Text reading is supported by word, line, or paragraph. Custom views with extra semantic structure can be explained to the API so it can do a better job of accessibility.

The point was that accessibility apps could have access to content to allow, for instance, for spoken input. But it seems that this opens the door for password managers as well.

LastPass uses the Android Accessibility APIs to stuff usernames and passwords into login fields.

With iOS 7, Apple began to address this same issue by building a password manager of sorts into iCloud. It requires software to be reworked to support it, which should work out over time, but the bigger problem is that it's Apple-only. Unless you are an Apple-only user, it's not an option. (I have asked LastPass if perhaps they could build a synchronization service with the iCloud passwords, but they haven't responded and it would be a little early to build any such service.)

I was just thinking the other day about how I'm getting tired of some aspects of Android (particularly Samsung's adulterated distribution of it), and I've wanted to switch to Windows Phone for some time. Now I'm not so sure. If I can have full password manager control in Android, suddenly it's a whole lot more attractive.

Below is a LastPass video about the new feature:
