Improve experience with autofill services #3646

Open
CueHD opened this issue Oct 5, 2018 · 1 comment
Labels
type: enhancement New features or improvements to existing features.

Comments


CueHD commented Oct 5, 2018

I have both K-9 Mail and Keepass2Android installed. After entering the Account Settings...Fetching mail...Incoming Server settings but not changing anything, I pressed the back button. At this point Keepass2Android offered to save my password. If I accept, the password is transferred into Keepass2Android to save.

The interface of K-9 Mail on the settings screen only shows dots in the password field. Also, the password may not be highlighted and copied using the normal Android interface. So, I assume that the intent is to not expose saved passwords.

Security bug: The password is exposed.

I do not think this is a problem with Keepass2Android since the purpose of that software as a password manager is to save passwords from other applications. Though, I would not expect it to be able to fetch previously entered passwords.

Expected behavior

Nothing. The password should not be exposed unless it is being freshly entered.

Actual behavior

The previously saved password was found by Keepass2Android.

Steps to reproduce

  1. Ensure that Keepass2Android (or potentially other password managers) are installed and properly configured
  2. Enter a K-9 server settings page that has a previously saved password
  3. Press the back button

Environment

K-9 Mail version: 5.600

Android version: 8.0.0

Account type (IMAP, POP3, WebDAV/Exchange): IMAP

Keepass2Android version: 1.05d

Member

cketti commented Oct 12, 2018

This is not a security issue. The password is only "exposed" to apps you have given special permission to extract passwords from other apps.

However, we can probably improve the experience with autofill services. See https://developer.android.com/guide/topics/text/autofill-optimize

cketti changed the title from "Saved passwords are not displayed but are still presented" to "Improve experience with autofill services" on Oct 12, 2018

cketti added the "type: enhancement" label (New features or improvements to existing features.) on Oct 12, 2018