Bug #736

closed

AutoFill not working when targeting recent versions of Android

Added by JB Hétier about 3 years ago. Updated 8 months ago.

Status: Closed
Priority: Next Release
Start date: 06/07/2021
Due date:
% Done: 0%
Estimated time:

Description

Hello,

I am using a password manager (KeePassDX) that is able to AutoFill password using Android native feature for form login.

Unfortunately it doesn't work well with Privacy Browser. Sometimes I get the AutoFill popup, but more often than not, it simply doesn't come up.

Other browsers I tried work fine (at least I tried LineageOS' default browser Jelly, and Firefox).
Some browsers seem to be facing issues (https://github.com/Kunzisoft/KeePassDX/wiki/AutoFill#web-browser)

I would love it if my go-to browser were compatible ;)

#1

Updated by Soren Stoutner about 3 years ago

  • Status changed from New to Closed
  • Assignee set to Soren Stoutner

WebView supports autofill in native mode. As you can see, all the browsers based on WebView in the list on the link you shared (Lightning, FOSS Browser) are listed as having native support.

I am doing nothing to prevent autofill from working in Privacy Browser. I also have no way of fixing any autofill bugs, as any problems would exist either in the code for WebView or in the code for KeePassDX's autofill implementation.

I would recommend making sure you have the latest version of WebView installed.

#2

Updated by JB Hétier about 3 years ago

I just tried with FOSS Browser and Lightning and it works.
The behavior is indeed different as you can see in the two screen captures. I took motogp.com as an example but it's the same on every site I tried.
I tried switching Privacy Browser to a "light" theme as it was the only obvious difference.

I am sorry to insist, but there seems to be an issue in Privacy Browser.

#3

Updated by Soren Stoutner about 3 years ago

Looking at the screenshots you posted, I would guess that, at a minimum, you would need to enable JavaScript, maybe enable DOM storage, and possibly disable some of the blocklists for the password manager to integrate with the WebView.

Along those lines, I would recommend you read the following URL regarding the negative security and privacy implications of integrating a password manager with a web browser: https://lock.cmpxchg8b.com/passmgrs.html

#4

Updated by JB Hétier about 3 years ago

Thanks for the feedback.

Unfortunately, enabling DOM storage and disabling the blacklist does not help.

Thanks for the article as well. I am not sure what the best solution is to manage passwords but I feel relatively safe using KeePass. On my computer, I use an autotype feature accessed with a keyboard shortcut. There is no manipulation of the DOM whatsoever, just keyboard strokes. On my phone, I currently have to copy passwords to the clipboard and I feel quite uneasy doing this. The AutoFill feature feels like a good feature to me as it is native, though I am not tech-savvy enough to say if it’s using the WebView trusted UI or if it is interacting with the DOM. However, I know that the password is filled only after an explicit interaction with KeePassDX so I feel the risk of a password leak is somehow limited.

Cookie “pinning” as I suggested in issue #245 (https://redmine.stoutner.com/issues/245) would be a good alternative I guess, as I only interact with less than 10 logged-in websites on a weekly basis, but still, I believe AutoFill would be a great way to improve the process of logging into a website.

#5

Updated by Soren Stoutner about 3 years ago

I use KeePass as well, although a different app. However, I feel that integrating a password manager with a web browser is a privacy and security liability, and I am unlikely to spend any time trying to make it work with Privacy Browser.

#6

Updated by JB Hétier about 3 years ago

I understand, it’s ok.
Just to be curious, what is your workflow? Do you copy-paste?

#7

Updated by Soren Stoutner about 3 years ago

Copy and paste has significant security and privacy concerns as well.

My workflow is as follows on both desktop and mobile.

1. My browser never saves cookies or any login information.
2. I use passphrases instead of passwords. Basically the passwords are sentences. The passphrases are usually something that is easy to remember relating to the website in question. So, for Google, it might be something along the lines of "Google is on the naughty list." Think https://xkcd.com/936/.
3. I rarely need to open my password manager. If I am visiting a website I don't use often, I open the password manager to remind myself what the password is. Then I close the password manager, go back to the website, and type the password.
4. For sensitive webpages that support it, I also use time-based OTP codes, which are calculated using andOTP. https://f-droid.org/en/packages/org.shadowice.flocke.andotp/

#8

Updated by JB Hétier about 3 years ago

Thanks a lot. I currently use totally random passwords. I'll consider changing that.

#9

Updated by Soren Stoutner almost 3 years ago

If you haven't already, you might try enabling screenshots in the settings. I don't know if it matters, but it is possible that autofill requires that other apps be able to see Privacy Browser's screen.

#10

Updated by JB Hétier almost 3 years ago

Hello,
Thanks for the idea.
I played around with most settings (dark theme, top/bottom URL bar, fullscreen, etc.) without luck.
Strangely, the autofill sometimes works. I found that having the database unlocked in KeePassDX helps but still, it's pretty random.

#11

Updated by ask low 8 months ago

Same here. Bitwarden has this autofill button that overlays beside the textbox. Sometimes the button appears, but mostly it doesn't. The workaround is, I switch to home, then back to the browser. Then in the textbox, the button appears (which is totally weird).

Btw, this is not at all native android autofill functionality. This works based on the overlay mechanism, where you access your password manager & select the entry. Then bitwarden fills the text fields automatically for you.

As far as KeePass or other pass managers are concerned, @JB is right about this. Native autofill doesn't work on PB with any pass managers. I've tested Bitwarden, ProtonPass & KeePassDX without success. Strangely, all of them work on other browsers such as FOSS Browser, Lightning, Mullvad, etc.

And @Soren Stoutner, #1094 is a duplicate of this. You should reopen this issue & close that one.

#12

Updated by ask low 8 months ago

@Soren Stoutner Btw, my opinion is that passphrases are no different than passwords (randomized alphanumeric symbols with 16+ chars), unless you also implement some form of cipher method on them, such as a symmetric cipher, substitution, etc.

And it's also a hassle to remember all the phrases and manual cryptographic ciphers you apply on them. 'Cause we are humans & we forget stuff, which is way more insecure if a service has no recovery methods. You'll end up deadlocking yourself. You also can't store recovery codes & TOTPs, so there's no escape from a pass manager, if you wanna be secure. The best way is to maintain a password database, & remember only one master phrase which you can note down physically somewhere or remember permanently.

This'll be further complicated in the future with quantum computing access & we're gonna use quantum-safe pass managers by then.

#13

Updated by Soren Stoutner 8 months ago

  • Tracker changed from Feature to Bug
  • Subject changed from AutoFill issues when using a password manager to AutoFill not working when targeting recent versions of Android
  • Status changed from Closed to New
  • Priority changed from 3.x to Next Release

Yes, this looks like it aligns with when Android broke autofill on WebView by default. I will close Bug #1094: Autofill not working and look at the issue here.

#14

Updated by Soren Stoutner 8 months ago

After thinking deeply about this for several days, I have decided that it is a really good thing that autofill no longer works with Privacy Browser's WebViews. See Bug #723: Connects to content-autofill.googleapis.com when tapping on an input field for a discussion about how a malicious or malfunctioning autofill provider can use the integration to exfiltrate a user's browsing history.

I wrote a lengthy blog post on the subject at:

https://www.stoutner.com/privacy-browser-and-password-managers/

#15

Updated by Soren Stoutner 8 months ago

  • Status changed from New to Closed

#16

Updated by ask low 8 months ago

For me, Bitwarden works fine. It uses overlay method instead of autofilling. Welp, if autofill not working makes it more secure, I'm all for it. Don't fix it.

#17

Updated by Soren Stoutner 8 months ago

I would consider any method of overlay to be far too compromised from a security or privacy perspective to ever be an acceptable integration with Privacy Browser.
