Add Autofill Framework support for Android 8.0 Oreo (enhancement) #9

Closed
rocketwidget opened this issue Sep 28, 2017 · 32 comments

@rocketwidget
commented Sep 28, 2017

It would be great if devices on Oreo could add this feature designed for password managers: Thanks!

https://developer.android.com/guide/topics/text/autofill.html

@christianfl

commented Nov 3, 2017

You don't need to write a "+1" comment, just give the creator of the issue a thumbs up. It's not only unnecessary but also very annoying because every subscriber gets an e-mail for new comments.

@packy

commented Nov 5, 2017

Just a note: you need to be viewing the desktop version of the page to be able to give the first comment on the issue a thumbs up (or any reaction, for that matter). That feature doesn't appear in the mobile version, which might be why people are commenting "+1": they didn't see a way to do what was requested.

At the bottom of the page, there's a link to view the desktop version. Once viewing that, look for the +SmileyFace icon in the upper right corner of the first comment on the post.

Repository owner deleted a comment from plumps Nov 13, 2017
Repository owner deleted a comment from stephenmgi Nov 13, 2017
@SohnyBohny

commented Dec 27, 2017

Any news on this topic?

@PhilippC

Owner

commented Dec 27, 2017

Working on it right now. Hope I can release a first version in beta channel during the next few weeks.

PhilippC pushed a commit that referenced this issue Dec 28, 2017
* upgraded target version to 26
* added service, parses autofill structure but does not yet retrieve/fill passwords
PhilippC pushed a commit that referenced this issue Dec 28, 2017
…).

Not yet implemented and/or tested: partitioning, autofill fields without hints, saving, filling of other fields than username or password, package signature verification, DAL
PhilippC pushed a commit that referenced this issue Dec 29, 2017
…oid/W3cHints, using all Keepass fields (if hints match field name). Make hint comparison code clearer and always compare case insensitive
PhilippC pushed a commit that referenced this issue Dec 29, 2017
PhilippC pushed a commit that referenced this issue Dec 30, 2017
… by detecting password fields and falling back to filling username/password if no autofill hint is available
PhilippC pushed a commit that referenced this issue Dec 31, 2017
@PhilippC

Owner

commented Dec 31, 2017

I am currently uploading version 1.04-pre1 to beta channel. If you haven't done so already, please switch to beta channel (https://play.google.com/apps/testing/keepass2android.keepass2android) and also join the G+ community for beta testers (https://plus.google.com/communities/107293657110547776032).
You should get the 1.04-pre1 pretty soon then.

After upgrading, please enable the Kp2a Autofill service in Android's settings (On my Pixel phone: Settings -> System -> Language & Input -> Advanced -> Autofill service - or simply search for autofill in the settings).

You should then see a little popup when entering an autofill supported text field. If the target app does not use autofill hints, you might have to long-press and then select Autofill.

I have tested this with some apps, e.g. Instagram. It also works with Firefox Focus/Firefox Klar. It does not work with Google Chrome, at least not with the version 63.0.3239.111 which I have running here. This version does not yet support Android's Autofill API. Same for the regular Android Firefox browser.

If you experience any issues please let me know. If you feel KP2A should be able to autofill but doesn't, post here. Would be great if you could check if other autofill services (e.g. Lastpass) can autofill.

@SohnyBohny

commented Dec 31, 2017

I love it ❤️

Thank you! - does work on OnePlus 3T

@SohnyBohny

commented Dec 31, 2017

Would be cool if you implement saving data... 😜

@iamrogerr

commented Dec 31, 2017

Autofill is working fine on Oreo, but KP2A never automatically finds the app I'm trying to log in to (I always need to use the search).
Example: I try to use autofill on Twitter. KP2A doesn't find my Twitter entry (because it searches for "com.twitter.android", and my entry is saved with the URL "https://twitter.com").
Enpass and Bitwarden work fine.

It's not a big problem though 😜 Thank you!

@daguej

commented Dec 31, 2017

This is very exciting!

Noticed an issue: in the Amex app, it fills the password in the username field.

@mcarver2000

commented Jan 1, 2018

Certain apps that don't appear to support autofill cause my Pixel C (Android 8.1.0) to crash & auto reboot. Bank of America, Consumer Cellular, Progressive Insurance are prime suspects. If I see the autofill prompt in apps, things work fine.

Edited: Found the culprit - forcing portrait only apps into landscape (using Rotation Control Pro). This doesn't happen if using Google for autofill. With KP2A the autofill prompt does not show and tapping in input field crashes instead of activating keyboard.

In the Progressive app https://play.google.com/store/apps/details?id=com.phonevalley.progressive, the password is used for the username.

@kabili207

commented Jan 1, 2018

It doesn't seem to work with the PayPal app (https://play.google.com/store/apps/details?id=com.paypal.android.p2pmobile). I get the autofill option, but the password field is left blank. I'm not sure if this is an issue with KP2A or with PayPal.

Edit: added link to app

@CatalinCaranfil

commented Jan 1, 2018

On Pixel2XL 8.1 this version is no longer able to open databases which previously could be opened - a very long message pops up (which cannot be captured with a screenshot) but it basically says Permission Denial ... you need to "obtain access using ACTION_OPEN_DOCUMENT or related APIs".

On OP3T with 7.x the same (I assume) new beta version works as before.

@mik9

commented Jan 1, 2018

After QuickUnlock it asks about saving password but it shouldn't.

@PhilippC

Owner

commented Jan 2, 2018

@mcarver2000 can you please post links to play store. I didn't find any of these apps. I am also very surprised to hear anything causing a reboot - this sounds more like an OS or hardware problem. If you can collect a logcat, that might help as well.

@PhilippC

Owner

commented Jan 2, 2018

@CatalinCaranfil this happens after app upgrades sometimes and can be resolved by choosing "Change database" -> "Open database" -> reselect the database file.

@PhilippC

Owner

commented Jan 2, 2018

@daguej I have analyzed this. The Amex app incorrectly has the TYPE_TEXT_VARIATION_PASSWORD flag set on the username field. I have contacted their support to see if they can fix this.

@bungabunga

commented Jan 2, 2018

@PhilippC could you also make Keepass2android Offline available as beta with autofill or would that mean too much additional work?

PhilippC pushed a commit that referenced this issue Jan 2, 2018
@jgillies

commented Jan 2, 2018

@PhilippC this app is also putting the password in the username field: https://play.google.com/store/apps/details?id=org.nyulmc.clinical.mychart&hl=en. I'd be happy to reach out to them to ask for a fix, but I'm not sure how to verify that they're also using the TYPE_TEXT_VARIATION_PASSWORD flag incorrectly.

@havealoha

commented Jan 3, 2018

I use field references https://keepass.info/help/base/fieldrefs.html but autofill is not resolving them correctly. Here is a screenshot of that on my pixel xl 8.1.0 using pulse secure and KP2A 1.4
screenshot_20180102-230343

@mcarver2000

commented Jan 3, 2018

Found the culprit - forcing portrait only apps into landscape (using Rotation Control Pro). This doesn't happen if using Google for autofill. With KP2A the autofill prompt does not show and tapping in input field crashes the tablet instead of activating keyboard. This is not an issue (forcing landscape) unless KP2A is set for autofill.

In the Progressive app https://play.google.com/store/apps/details?id=com.phonevalley.progressive, the password is used for the username.

@the-felipeal

commented Jan 4, 2018

Hi @PhilippC,

Glad to hear you're working on it, let me know if you need help (I'm the lead engineer on the Android Autofill Framework project).

Here are a few replies for some of the comments above, in no particular order:

  • @mcarver2000 "forcing portrait only apps into landscape (using Rotation Control Pro). This doesn't happen if using Google for autofill. With KP2A the autofill prompt does not show and tapping in input field crashes the tablet instead of activating keyboard.": regardless of the autofill service being used, it shouldn't crash the system - if it does, it's a bug in the framework :-(. Which version of Android are you using, 8.0, or 8.1? If it's still crashing on 8.1, could you please report a bug and link it here?

  • @iamrogerr "I try to use autofill on Twitter. KP2A doesn't find my Twitter entry (because it searches for "com.twitter.android", and my entry is saved with the URL "https://twitter.com").". The solution for this problem is to use Digital Asset Links to map the URL to the app, or provide a UI (using dataset authentication) to let the user confirm the mapping (as documented here). You can see an example of using DAL for that purpose on our official sample.

  • @kabili207 "It doesn't seem to work with the PayPal app" - this is probably a keepass2android issue, as I managed to get my forked version of the sample service to work with PayPal.

  • @PhilippC "I'd be happy to reach out to them to ask for a fix" - if you reach out to a 3rd party developer to ask them to support autofill, could you please refer them to the official documentation, in particular the "Providing hints for autofill" and "Test your app with autofill" sections?

Finally, we recently added a "Building autofill services" guide - it's not complete yet, so any feedback is welcome.

Best Regards,

-- Felipe

@PhilippC

Owner

commented Jan 4, 2018

Thanks for all the feedback during the last days! I have improved the implementation, next update will be available in the beta channel shortly!

Here's what I did:

  • The last opened entry is remembered and displayed as an additional list option alongside the "Fill with Keepass2Android" option. This simplifies entering partitioned data, it also provides a way to input data to the PayPal app (see comment by @kabili207).
  • If no data is available for autofill but is manually entered, KP2A can now save the data (as mentioned by @SohnyBohny )
  • Changed heuristics which fields are username fields. While I believe that the previous heuristics were "more correct", it seems like the new heuristics are working better, e.g. with the Amex app as reported by @daguej. @mcarver2000 can you please check with the Progressive Insurance app, it's not available in Germany. @jgillies can you please check if it helps with the app you mentioned? That's also not available here (and thus I can't take a closer look).
  • field references are resolved (pointed out by @havealoha)
  • Autofill can be enabled through KP2A's preferences. If it is not enabled, a message is displayed in the group view to do so.

@iamrogerr: The way to resolve this at the moment is simply to select the dataset once "manually" (from the screen which says that no results were found). You should then see a question if KP2A should remember this entry for this query. If you agree, it will work next time.

@PhilippC

Owner

commented Jan 4, 2018

Hi @the-felipeal,
it's great to see you're watching this issue and contributing to it! Here are a few comments to the points you mentioned:

  • DAL will not be implemented in KP2A for the first release of Autofill, but KP2A has had support for storing domains and package names in one entry for a long time, so I think this won't be required at the moment (BTW the twitter app does not provide a WebDomain, so I don't think DAL would work here, right?)
  • I tried the PayPal app with your forked service and it is the same as I have described on this stackoverflow question: As soon as I enable dataset authentication, your service fails as well! Maybe we can continue the discussion on stackoverflow?
PhilippC pushed a commit that referenced this issue Jan 4, 2018
…d before a password field as username field. Even though this seems to make less sense, it works better with several apps; decode field references for AutoFill; display item in preferences for Autofill (#9)
@the-felipeal

commented Jan 4, 2018

Hi Philipp,

Ideally, you should use DAL to avoid phishing, as storing just the domain and package doesn't guarantee the app installed in the device is legitimate. Similarly, when you save credentials associated with a package, you should save its certificate hash as well, so you can verify it when autofilling (as described in the "Package Verification" section).

If you're not using DAL to check the certificates, then I'd suggest using dataset authentication to show a dialog warning the user; something like "Do you want to fill app Example App with your credentials from https://example.com?". Then if the user agrees, you could store the certificate hash on KP2A to avoid asking again in the future. You could also take this approach if (or when :-) you implement package verification, so you can "fix" the existing KP2A database with the certificate hash of the app the user is trusting to autofill.

Twitter, in particular, uses DAL - you can check its JSON file directly, or use Google's DAL API (example). It does not set a WebDomain property in the ViewNode because it does not use WebView. So, if the user is only using KP2A on Android, then you wouldn't need to worry about DAL (for Twitter), as you should be saving / restoring the credentials associated with the app (identified by package + certificate hash); DAL would only be useful in this case if the user is using KP2A on desktop or other places where the credentials are associated with Twitter's website.

Regarding the PayPal issue with dataset authentication, it's a known WebView issue that has been fixed on Chrome M64. You can verify it's fixed by installing a newer Chrome and changing the default WebView implementation through Settings -> Developer Options.

-- Felipe
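
The checks discussed in the two comments above (Digital Asset Links, a pinned certificate hash, and a confirmation dialog as fallback), as an added example that is not part of the thread and is neither KP2A's nor the Android sample's code. The entry layout, the `trusted_apps` key and all function names are hypothetical, and the certificate bytes are constructed; on a device they would come from the package manager.

```python
import hashlib
import json

# Relation an app needs in the site's assetlinks.json to share login credentials.
LOGIN_RELATION = "delegate_permission/common.get_login_creds"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate, in assetlinks.json notation (AA:BB:...)."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def dal_allows(assetlinks_json: str, package: str, fingerprint: str) -> bool:
    """True if the site's statement list delegates login credentials to this exact app."""
    for statement in json.loads(assetlinks_json):
        target = statement.get("target", {})
        if (LOGIN_RELATION in statement.get("relation", [])
                and target.get("namespace") == "android_app"
                and target.get("package_name") == package
                and fingerprint in target.get("sha256_cert_fingerprints", [])):
            return True
    return False


def autofill_decision(entry: dict, package: str, cert_der: bytes,
                      assetlinks_json=None) -> str:
    """Return 'fill', 'ask_user' or 'refuse' for an app requesting this entry."""
    fingerprint = cert_fingerprint(cert_der)
    pinned = entry.get("trusted_apps", {}).get(package)
    if pinned is not None:
        # Same package name signed with a different certificate: do not fill.
        return "fill" if pinned == fingerprint else "refuse"
    if assetlinks_json and dal_allows(assetlinks_json, package, fingerprint):
        return "fill"
    return "ask_user"  # no proof yet: confirm via a dataset-authentication dialog


def remember_app(entry: dict, package: str, cert_der: bytes) -> None:
    """Pin the certificate hash once the user has confirmed the mapping."""
    entry.setdefault("trusted_apps", {})[package] = cert_fingerprint(cert_der)


# Constructed sample data: certificate bytes and package name are placeholders.
LEGIT_CERT = b"constructed-certificate-of-the-genuine-app"
FAKE_CERT = b"constructed-certificate-of-a-repackaged-app"
ASSETLINKS = json.dumps([{
    "relation": [LOGIN_RELATION],
    "target": {"namespace": "android_app", "package_name": "com.example.app",
               "sha256_cert_fingerprints": [cert_fingerprint(LEGIT_CERT)]},
}])
```

Storing only the package name would let any app that reuses that name receive the credentials; pinning the fingerprint is what turns the second lookup into a verification.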

@mcarver2000

commented Jan 5, 2018

The heuristics change fixed the issue with the Progressive app. This app appears to treat the username field as a password in that keyboards do not show/predict what is being input.

@mcarver2000

commented Jan 5, 2018

@the-felipeal Android version 8.1.0 - I was incorrect however about the device crash/reboot only happening with KP2A. If Google is set for autofill, portrait-only apps forced to landscape will crash/reboot the device.

I don't have permission to create a bug at Issue Tracker. Here are the details:

Autofill causes a system crash/reboot if the app is a portrait-only app forced into landscape. Using an app (I am using Rotation Control Pro) to rotate apps to match the device's orientation (landscape) and opening portrait-only app https://play.google.com/store/apps/details?id=com.phonevalley.progressive Autofill crashes the system forcing a reboot. Other portrait-only apps replicate this (PayPal, Bank of America, Consumer Cellular, etc.). If the app supports landscape mode, Autofill works with no issues.

Device: Pixel C
Android version 8.1.0 (stock)

@jgillies

commented Jan 5, 2018

@PhilippC your changes fixed the issue with the app I was referencing. Thanks!

@the-felipeal

commented Jan 5, 2018

@mcarver2000 could you please file a bug with the reproducible steps and link it here?

@mcarver2000

commented Jan 5, 2018

@the-felipeal Bug report submitted https://issuetracker.google.com/issues/71637394.

Note: I tried earlier today, but could not create the report. Just didn't click the correct link or wrong browser (I guess).

@jakejoh

commented Jan 11, 2018

A couple of websites in Firefox Focus do not work (just get something similar to "cannot fill" (in German)). Examples are GitHub and Twitter. Facebook e.g. is working like a charm.
Also, autofill isn't working in Microsoft office apps at all, but I guess that's their fault (using the browser to login).

Edit: I manually updated to WebView 63 and it seems to work now, at least for Firefox Focus.

@havealoha

commented Jan 18, 2018

I can confirm that the field references are now resolving but for Pulse Secure 6.6.0, the autofill service is putting the user name into both the user name field and the password field.

@PhilippC

Owner

commented Jan 22, 2018

While there are definitely possibilities to improve, I am closing this as the current implementation is ready for release. If you have further requests on the topic, please open new issues.

@PhilippC PhilippC closed this Jan 22, 2018