Autofill Services and Security

If you are developing an autofill service for Android 8.0 — and, in particular, if Google is not working with you on that service — I strongly encourage you to read this white paper that I just published.

In a nutshell, with Android 8.0 autofill, malicious activities can request autofill data via invisible widgets, or via widgets that cannot be seen for other reasons. Google feels that it is the responsibility of autofill service developers to deal with this case. So, if you are developing an autofill service, you need to solve this problem… despite little current documentation on how to solve this problem.

In the paper, I describe the issue in greater detail and provide Google’s recommendations on what to do. Eventually, those recommendations will (hopefully) roll into official documentation and sample apps from Google. However, with the O Developer Preview series completed and the official release of Android 8.0 coming up soon, autofill service developers do not have time to waste waiting for Google to explain what is required to try to mitigate this security problem. That’s why I published the aforementioned white paper, so that developers racing to implement autofill services have a chance of handling this case.

Personally, I will be turning off autofill on my “daily driver” Android devices, once they get the update to Android 8.0. I am not a security researcher nor a malware author. So, if a schmuck like me can find problems like this, I worry that there are many more problems of which I am unaware. Since I rarely find myself typing in autofill-style information into my devices, I would rather avoid any attendant risks with autofill.