Android Password Managers Security Analysis: Static and Dynamic Analysis of Keeper, NordPass, LastPass, Bitwarden, and 1Password
YounesTasra-R4z3rSw0rd/Android-Password-Managers-Security-Analysis
🔎 Android Password Managers Security Analysis 🔍

Static & Dynamic Analysis of the 5 most popular password managers on Android

Keeper, NordPass, LastPass, Bitwarden, and 1Password

@YounesTasra younes-tasra-95a1a4234


Abstract

Cybersecurity has become one of the most important and constantly evolving areas in the IT and technology industry. Faulty security has resulted in immense losses to the global economy. Often the root cause of such financial loss is weak password security, since passwords are considered the first line of defense against cyber threats. This is why it is important to create and store strong and secure passwords. Password managers allow the storage and retrieval of sensitive information from an encrypted database. Users rely on them to provide better security guarantees against trivial exfiltration than alternative ways of storing passwords, such as an unsecured flat text file. The purpose of this project is to decompile and analyze five popular password managers on the Android platform: Keeper, NordPass, LastPass, Bitwarden and 1Password. The analysis includes both static and dynamic methods to evaluate the security of the master password and the keys derived from it. The report provides detailed information about each password manager, including the methodology used for the analysis, the vulnerabilities identified, and the potential impact on user security.

Methodology

The analysis used a combination of static and dynamic methods to evaluate the security of the password managers.

  • Static analysis involved examining the source code of each password manager to identify any vulnerabilities.
  • Dynamic analysis involved running each password manager on an Android emulator and monitoring the network traffic to identify any potential security issues.
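As an added illustration of the static-analysis step (this is example code, not code from this repository or from any of the five vendors), the Python helper below runs a small set of assumed heuristics over decompiled Java source such as Jadx emits, flagging the key-handling patterns an analyst would want to read first: a low PBKDF2 iteration count, AES in ECB mode, a hard-coded key literal, the master password written to SharedPreferences or to logcat, and world-readable file modes. The rule set, the 100,000-iteration threshold and the two sample classes are constructed for the example and do not describe any of the analyzed apps.

```python
"""Static-analysis helper for the decompiled Java of an Android password manager.

Added example, not code from this repository.  It scans source text such as
jadx produces for patterns that merit a closer look.  The rules, the iteration
threshold and the two sample classes below are constructed assumptions, not a
description of any of the five analyzed apps.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    rule: str      # which heuristic fired
    line_no: int   # 1-based line in the scanned source
    line: str      # the offending line, stripped


# Line-level heuristics (assumed).  Each is a (rule name, compiled regex) pair.
RULES = [
    # Master password / derived key written to SharedPreferences (plaintext XML on disk).
    ("prefs_secret_write",
     re.compile(r'\.put(String|StringSet)\s*\(\s*"[^"]*(master|password|passwd|vault_?key|derived)[^"]*"', re.I)),
    # Deprecated world-readable/writable file modes expose the file to every other app.
    ("world_readable_mode", re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
    # A string literal handed straight to SecretKeySpec is a hard-coded key.
    # (A key held in a constant needs data-flow analysis; this rule only catches literals.)
    ("hardcoded_key", re.compile(r'new\s+SecretKeySpec\s*\(\s*"[^"]+"\.getBytes')),
    # Secrets reaching logcat, readable by other apps on older Android versions.
    ("secret_logged", re.compile(r"Log\.[dviwe]\s*\([^)]*(master|password|key)", re.I)),
    # "AES" alone defaults to ECB in JCA; ECB leaks plaintext block patterns.
    ("aes_ecb", re.compile(r'Cipher\.getInstance\s*\(\s*"AES(/ECB/[^"]*)?"')),
]
# PBKDF2 iteration count is the third PBEKeySpec argument; flag low values.
PBKDF2_RX = re.compile(r"new\s+PBEKeySpec\s*\([^,]+,[^,]+,\s*(\d+)\s*,")
LOW_ITERATIONS = 100_000  # assumed review threshold, not a vendor figure


def scan_source(source: str, low_iter_threshold: int = LOW_ITERATIONS) -> List[Finding]:
    """Return every heuristic hit, in line order, then rule order within a line."""
    findings: List[Finding] = []
    for no, line in enumerate(source.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append(Finding(name, no, line.strip()))
        m = PBKDF2_RX.search(line)
        if m and int(m.group(1)) < low_iter_threshold:
            findings.append(Finding("low_pbkdf2_iterations", no, line.strip()))
    return findings


# Constructed decompiled class that does almost everything wrong.
WEAK_SOURCE = """\
public final class VaultCrypto {
    void unlock(Context ctx, String masterPassword, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(masterPassword.toCharArray(), salt, 1000, 256);
        SecretKey k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec);
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec("0123456789abcdef".getBytes("UTF-8"), "AES"));
        SharedPreferences p = ctx.getSharedPreferences("vault", Context.MODE_WORLD_READABLE);
        p.edit().putString("master_password", masterPassword).apply();
        Log.d("Vault", "derived key = " + Base64.encodeToString(k.getEncoded(), 0));
    }
}
"""

# Constructed counterpart that the heuristics should leave alone.
SAFE_SOURCE = """\
public final class VaultCrypto {
    void unlock(String masterPassword, byte[] salt, byte[] iv) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(masterPassword.toCharArray(), salt, 600000, 256);
        SecretKey key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key.getEncoded(), "AES"), new GCMParameterSpec(128, iv));
    }
}
"""

if __name__ == "__main__":
    for f in scan_source(WEAK_SOURCE):
        print(f"{f.rule:24} line {f.line_no}: {f.line}")
    print("safe sample findings:", scan_source(SAFE_SOURCE))
```

Regex heuristics are a triage aid, not a verdict: a match means "read this method", and the absence of matches (for instance a key kept in a static constant rather than a literal) proves nothing, which is why the dynamic step that follows is still needed.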

Password Managers Analyzed

The following password managers were analyzed in this report:

  • Keeper
  • NordPass
  • LastPass
  • Bitwarden
  • 1Password

Tools & Environment

The following tools and environment were used for the analysis:

  • Genymotion: to run the Android emulator for dynamic analysis
  • Apktool: to decompile the APK files
  • ADB: to install the APK files on the emulator and extract data from the device
  • Dex2Jar: to convert the DEX files to JAR files for static analysis
  • Burp Suite: to intercept and analyze network traffic during dynamic analysis
  • Jadx: to decompile the JAR files for static analysis
  • OpenSSL: to generate and manage cryptographic keys for analysis
  • Objection: to perform runtime manipulation of the password managers during dynamic analysis
  • Frida: to perform dynamic analysis on the password managers
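The dynamic side of the methodology pulls the app's private data directory off the emulator with ADB and asks whether the master password, or the key derived from it, can be recovered from what is on disk. The Python below is an added example of that check and is not code from this repository or from any vendor: it derives a vault key with an assumed scheme (PBKDF2-HMAC-SHA256, 32-byte output), enumerates the encodings an analyst should search for (UTF-8 password, raw key, hex, base64), and scans a set of constructed files standing in for an `adb pull` of two hypothetical apps, one that leaks and one that stores only a salt and a non-reversible verifier. The password, salt, file names and file contents are all constructed.

```python
"""Dynamic-analysis helper: does the pulled app data reveal the master password
or the vault key derived from it?

Added example, not code from this repository.  The derivation scheme
(PBKDF2-HMAC-SHA256) and every file below are assumptions / constructed
inputs; they do not describe how any of the five analyzed apps work.
Typical real input is a directory obtained with `adb pull /data/data/<package>/`.
"""
import base64
import hashlib
from typing import Dict, List, Tuple


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Assumed KDF: PBKDF2-HMAC-SHA256 -> 32-byte key (constructed iteration count)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def secret_encodings(master_password: str, key: bytes) -> Dict[str, bytes]:
    """Every representation of the secrets that should be searched for on disk."""
    return {
        "master_password:utf8": master_password.encode("utf-8"),
        "key:raw": key,
        "key:hex": key.hex().encode("ascii"),
        "key:HEX": key.hex().upper().encode("ascii"),
        "key:base64": base64.b64encode(key),
        "key:base64url": base64.urlsafe_b64encode(key).rstrip(b"="),
    }


def scan_data_dir(files: Dict[str, bytes], master_password: str, key: bytes) -> List[Tuple[str, str]]:
    """Return (relative path, encoding label) for each file that contains a secret."""
    hits: List[Tuple[str, str]] = []
    needles = secret_encodings(master_password, key)
    for path, content in sorted(files.items()):   # sorted for deterministic reports
        for label, needle in needles.items():
            if needle in content:
                hits.append((path, label))
    return hits


# Constructed test inputs: a known master password lets the analyst recognise
# the derived key wherever it shows up.
MASTER = "correct horse battery staple"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
KEY = derive_vault_key(MASTER, SALT)

# Constructed stand-in for `adb pull` of a hypothetical app that mishandles secrets.
LEAKY_APP_FILES = {
    "shared_prefs/vault.xml": b'<map><string name="master_password">' + MASTER.encode() + b"</string></map>",
    "files/keycache.bin": b"\x00cache\x00" + KEY + b"\x00",
    "databases/vault.db": b"SQLite format 3\x00" + base64.b64encode(KEY) + b"<rest of db>",
    "cache/debug.log": b"unlock ok key=" + KEY.hex().encode("ascii") + b"\n",
}

# Constructed stand-in for an app that keeps only the salt and a verifier hash:
# the salt is public data, and the verifier cannot be turned back into the key.
CAREFUL_APP_FILES = {
    "shared_prefs/vault.xml": b'<map><string name="salt">' + base64.b64encode(SALT) + b"</string></map>",
    "files/verifier.bin": hashlib.sha256(b"verify" + KEY).digest(),
    "databases/vault.db": b"SQLite format 3\x00<ciphertext only>",
}


def report(name: str, files: Dict[str, bytes]) -> str:
    hits = scan_data_dir(files, MASTER, KEY)
    lines = [f"{name}: {len(hits)} secret exposure(s)"]
    lines += [f"  {path}: {label}" for path, label in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("leaky app", LEAKY_APP_FILES))
    print(report("careful app", CAREFUL_APP_FILES))
```

Two caveats a practitioner would keep in mind. A clean result from this scan only shows that the secrets are not stored in one of the listed encodings; an app may still wrap the key under a device-bound key (in which case the wrapped blob is expected and acceptable) or under a weak obfuscation that the scan will not recognise, and the latter needs a closer read of the decompiled code. And the verifier pattern in the careful sample is still an offline-attackable artifact if the KDF is cheap, which is exactly why the iteration count is part of the static review.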

Report

The full report is available in the PDF file located in this repository. The report contains detailed information about each password manager, the methodology used for the analysis, the vulnerabilities identified, and recommendations for improving security.

Disclaimer

The purpose of this analysis is to identify potential security issues with password managers on the Android platform. This analysis is not intended to be a comprehensive review of each password manager's security features, and the results should not be used as the sole basis for selecting a password manager. Users should always exercise caution when using any password manager and take additional security measures, such as enabling two-factor authentication, to protect their accounts.

License

This project is licensed under the MIT License - see the License file for details.
