Keeper Security’s dedication to protecting user data permeates everything we do. Keeper® holds the longest standing SOC 2 and ISO 27001 certifications in the industry. Keeper is GDPR compliant, CCPA compliant, as well as FedRAMP and StateRAMP Authorized. Our commitment to securing our customers’ data is why Keeper has proactive safeguards in place to protect our customers against automatically filling credentials into untrusted applications or websites.
A recent report from a security researcher raised concerns about an Android vulnerability called AutoSpill that could potentially allow a password manager to fill credentials into an untrusted application. Keeper works in close collaboration with the security research community via our bug bounty and Vulnerability Disclosure Program (VDP) managed by Bugcrowd. Through this program, Keeper works with good-faith hackers to identify and resolve any issues within our cybersecurity solutions and help improve the collective cybersecurity of the industry as a whole.
Keeper initially received a report from the researcher on May 31, 2022 and requested a video to demonstrate the reported issue. Based upon our analysis, we determined the researcher had first installed a malicious application and then accepted the warning prompt displayed by Keeper, forcing the association of the malicious application with a password record. Keeper’s built-in safeguards protect against this type of scenario: on the Android platform, Keeper prompts the user when attempting to autofill credentials into an application or website, and the user is asked to confirm the association of the application to the Keeper password record before any information is filled.
A screenshot demonstrating Keeper’s protection against the scenario, as outlined above, can be seen below:
The association of a Keeper record to a malicious application could only happen if the user overrode important security settings on their device to sideload a malicious application or downloaded a dangerous app outside of the official App Store. Subsequently, the user would need to explicitly authorize the association of the Keeper record with the malicious application to autofill the approved credentials. On June 29, 2022, we informed the researcher of Keeper’s software security protections, and additionally, recommended he submit his report to Google since his concerns specifically related to Android’s WebView component.
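As an added illustration of the association check described above (example code written for this page, not Keeper's implementation; the `Record`, `FillRequest` and `Decision` types, the approval sets and the package and domain names are assumptions), the model below keeps two separate identities for a fill request: the web domain when the focused field lives in a WebView, and the host app's package name when the field is native. A record is filled only into an identity the user has explicitly approved, and approval of one kind never carries over to the other, so a sideloaded app hosting an approved page in its WebView still has to be confirmed by the user before its own fields receive anything.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Record:
    """One vault entry and the identities the user has explicitly approved for it."""
    title: str
    username: str
    password: str
    approved_packages: set = field(default_factory=set)  # Android package names
    approved_domains: set = field(default_factory=set)   # web domains (browser/WebView pages)


@dataclass
class FillRequest:
    """What the autofill framework reports about the focused field (assumed shape)."""
    package_name: str          # app that owns the UI
    web_domain: Optional[str]  # domain of the page when the field is web content
    in_webview: bool           # True if the field belongs to a page in a WebView


@dataclass
class Decision:
    filled: bool
    identity: tuple            # ("package", name) or ("domain", host)
    reason: str


def requesting_identity(req: FillRequest) -> tuple:
    """Derive the identity that must be approved for this field.

    Web content is identified by its domain; native fields by the host app's
    package. The two are kept separate on purpose: approving a domain must not
    leak to native fields of whatever app happens to host the WebView, and
    approving an app must not cover every domain its WebView renders.
    """
    if req.in_webview:
        if not req.web_domain:
            raise ValueError("web field without a domain cannot be matched to a record")
        return ("domain", req.web_domain.lower())
    return ("package", req.package_name)


def decide_fill(record: Record, req: FillRequest,
                confirm: Callable[[Record, tuple], bool]) -> Decision:
    """Fill only into an approved identity; otherwise ask the user first."""
    identity = requesting_identity(req)
    kind, value = identity
    approved = record.approved_domains if kind == "domain" else record.approved_packages
    if value in approved:
        return Decision(True, identity, "previously approved")
    # Not associated yet: nothing is filled unless the user explicitly confirms.
    if confirm(record, identity):
        approved.add(value)  # remember the explicit association for next time
        return Decision(True, identity, "user confirmed association")
    return Decision(False, identity, "user declined association")


def demo():
    # Constructed sample data: a record the user has approved only for one web domain.
    record = Record("Example Bank", "alice", "constructed-password",
                    approved_domains={"bank.example"})
    deny = lambda rec, ident: False  # user dismisses the prompt

    # 1. Web field on the approved domain inside a browser's WebView: fills without a prompt.
    web = decide_fill(record, FillRequest("com.example.browser", "bank.example", True), deny)
    # 2. Native field of an unknown (e.g. sideloaded) app: the domain approval does not
    #    cover it, so the user is prompted and, having declined, nothing is filled.
    native = decide_fill(record, FillRequest("com.example.sideloaded", None, False), deny)
    return web, native


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The `confirm` callback stands in for the on-screen prompt; in a real service it would be the UI the user sees, and the approval sets would be persisted with the record.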
There are simple best practices that users of any password manager, including Keeper, should always follow to protect themselves:
- Only download apps via trusted sites like the Google Play Store. These apps go through a submission and approval process, which protects users against unintentionally installing a malicious software application.
- Only associate records in your password vault with trusted apps. Do not authorize the association or autofill of your credentials with untrusted applications or sites.
Keeper provides a plethora of educational resources to help everyone improve their cybersecurity protection and follow best practices. We always recommend being both cautious and vigilant about the applications you install.
Learn more about how to keep your smartphone safe.