A vulnerability within Android 8.0 Oreo's Autofill API was recently reported in a white paper published on GitHub. The Autofill API was one of the highly anticipated features within the Oreo release, because the move to API access to autofill functionality greatly increased the speed in comparison to the legacy autofill method (i.e. via Accessibility Services). While the API strategy may have improved on lag, the Autofill API exposes users to requests from invisible or hidden widgets.
"Given this flaw, a malicious activity could obtain data that the user does not realize will go to that activity," the white paper reports. "For example, the activity might have a field for the user to confirm their postal code and have hidden widgets that collect other data, such as the rest of the address, credit card details, usernames/passphrases, etc."
According to the white paper, Google is aware of the flaw and does not have a fix; rather, the fix currently rests in the hands of autofill service providers. XDA reached out to three such service providers (i.e. 1Password, Enpass, and LastPass) regarding the vulnerability. All three responded with reassurance that their services remain secure despite the potential Autofill API vulnerability.
As mentioned, the vulnerability itself stems from the ability of a widget to hide itself. Widgets can hide via four methods:
- The widget is marked as invisible (android:visibility="invisible")
- The widget has no size (width and height of 0dp) or is impossibly tiny (width and height of 1dp)
- The widget has negative margins that cause it to display off-screen
- The widget is behind an opaque widget (on the Z axis), so the widget cannot be seen.
While Google's public response to the issue is limited, Google has suggested partitioning the dataset as a best practice. This involves, first, clustering the autofill hints into partitions and, second, handing back data one partition at a time. For specific details on the vulnerability, and potential action items, check out the white paper at GitHub.
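The partitioning practice described above, modelled in Python as an added example (not code from the white paper, Google or any autofill provider). The `Field` class, the grouping of hints into partitions and the sample request are assumptions; the hint strings are Android's `View.AUTOFILL_HINT_*` values. The attribute check only catches the invisible and tiny-size hiding methods, so partitioning is what limits widgets hidden off-screen or behind another widget.

```python
from dataclasses import dataclass

# Hint strings are Android's View.AUTOFILL_HINT_* values; the grouping into
# partitions is an assumption made for this example.
PARTITIONS = {
    "username": "credentials", "password": "credentials",
    "postalAddress": "address", "postalCode": "address",
    "creditCardNumber": "payment", "creditCardSecurityCode": "payment",
    "creditCardExpirationDate": "payment",
    "emailAddress": "contact", "phone": "contact",
}

@dataclass(frozen=True)
class Field:
    """Simplified stand-in for one view node in a fill request (hypothetical)."""
    field_id: str
    hint: str
    visibility: str = "visible"   # "visible", "invisible" or "gone"
    width_dp: int = 200
    height_dp: int = 48
    focused: bool = False

def looks_hidden(f):
    """Catch the two hiding methods visible in the node's own attributes."""
    return f.visibility != "visible" or f.width_dp <= 1 or f.height_dp <= 1

def fields_to_fill(fields):
    """Return ids the service may fill: focused field's partition only, not hidden."""
    focused = next((f for f in fields if f.focused), None)
    if focused is None or looks_hidden(focused):
        return []
    partition = PARTITIONS.get(focused.hint)
    if partition is None:
        return []          # unknown hint: hand back nothing
    return [f.field_id for f in fields
            if PARTITIONS.get(f.hint) == partition and not looks_hidden(f)]

# Constructed request: a visible postal-code prompt plus widgets hidden four ways.
SAMPLE = [
    Field("zip", "postalCode", focused=True),
    Field("pw", "password", visibility="invisible"),
    Field("cvc", "creditCardSecurityCode", width_dp=0, height_dp=0),
    Field("card", "creditCardNumber"),   # covered by an opaque widget
    Field("street", "postalAddress"),    # pushed off-screen by negative margins
]

if __name__ == "__main__":
    print(fields_to_fill(SAMPLE))
```

In the constructed request the off-screen `street` field is still filled because it shares the address partition with the focused postal code, while the credential and payment fields receive nothing.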