Vincent Breitmoser
Dec 21, 2023

AutoSpill vulnerability in Android: heylogin is not affected

The so-called "AutoSpill" security vulnerability was presented at this year's BlackHat Europe hacker conference. This affects users of Android devices, as reported on BleepingComputer, among others. The vulnerability exploits the Autofill function and has the potential to jeopardize the security and privacy of millions of people.

What is Autospill?

The vulnerability affects Android's Autofill feature, which allows users to automatically enter their login information in login forms, speeding up and simplifying the login process.

The vulnerability can be exploited by a malicious app to intercept login information under certain circumstances. This happens for logins that are performed in an app for an external service, such as PayPal or Microsoft. This type of login should only allow the app to use the functionality of the service, but not expose the entered login data.

A possible scenario is a delivery service app, which uses PayPal for payment processing. If a user tries to log into their PayPal account using Autofill in a malicious app, this app could intercept the login data and send it to a remote server.

heylogin is not affected

heylogin also supports the Autofill feature on Android, and was therefore potentially affected by the vulnerability.

However, we were able to verify: heylogin is not affected by the AutoSpill vulnerability.

The reason is the way heylogin handles login information during the Autofill process. We make sure that the data is only entered in the correct fields of the corresponding platform, additional forms of malicious apps are skipped. This effectively protects our users from the security vulnerability, as the login data cannot be intercepted.

To check this, we worked through the paper and compared the method with our Autofill implementation. Fortunately, we found that our code already takes the scenario into account and only enters the login data in the correct fields. To verify this result, our developers also built a simple test app to test the vulnerability "live". This test confirmed that heylogin only enters all data in the correct fields. Our users are therefore still optimally protected.

Switch to the secure alternative now