Protection against clipboard monitor malware

[Eddy]

Currently, the only way to enter passwords into apps is to copy them
into the clipboard and pasting them into the entry field of the
desired app.

But I've seen apps like ClipNote that can monitor the system clipboard
and collect all clipboard entries. That ClipNote app does not require
any special permissions to run. That means any malware can steal
passwords by just monitoring the system clipboard in the background.

Is there any way to defeat this?

[dbareis [Windows Installer MVP]]

On Aug 24, 1:12 am, JNavas <john.na...@gmail.com> wrote:
> If a system is infected with malware, the system clipboard is just one of *
> many* threat vectors.
> Locking the front door won't do much good if other doors and windows are
> left unlocked,
> and may even make matters worse by giving a *false sense of security*.
> The only real way to "defeat" such threats is to keep the system *free from
> malware*.

I don't put valuables in plain site in my home even when all doors and
windows are locked, security should be layered, if you get past one
level you need to navigate a second, third etc... I'd put really
valuable stuff in a safe and my money would be somewhere out of sight.

I have Lookout (anti-virus) on a phone and am fairly careful but at
the end of the day you can only hope for the best, the only way to be
nearly 100% sure no malware on your phone is to not install any
software.

I too would like an alternative mechanism but can't see how it would
be done, ideally it would be an autotype, but android as far as I know
won't let you do that without the user manually changing to (and from)
an alternative "keyboard", that is too hard for average user.

Monitoring the clipboard would require (I assume) specific permission
which you could lookout for when installing. LookOut premium has a
privacy feature which should identify all such apps after the
install. I didn't think it was implemented very well but may now look
for a free tool that might do this. It would be nice if the market
should you apps by permissions.

Bye
Dennis

[Brian Pellin]

Unfortunately there is no security needed for reading the clipboard on
Android, so it is possible for any app to monitor the keyboard. The
best you could do is look at apps that have permissions that allow
them to phone home.

The only real workarounds I see are implementing a keyboard or a
browser. Both approaches seem to have big drawbacks to me.

-Brian

On Tue, Aug 23, 2011 at 3:43 PM, dbareis [Windows Installer MVP]
<dba...@gmail.com> wrote:
> Hi,

>
> On Aug 24, 1:12 am, JNavas <john.na...@gmail.com> wrote:
>> If a system is infected with malware, the system clipboard is just one of *
>> many* threat vectors.
>> Locking the front door won't do much good if other doors and windows are
>> left unlocked,
>> and may even make matters worse by giving a *false sense of security*.
>> The only real way to "defeat" such threats is to keep the system *free from
>> malware*.
>
> I don't put valuables in plain site in my home even when all doors and

> windows are closed, security should be layered, if you get past one

[Eddy]

For implementing a keyboard, what will be the issue be?

If user-friendliness is an issue, I suggest taking a look at Google's
keyboard IME (https://market.android.com/details?
id=com.google.android.inputmethod.korean&feature=related_apps). When
you install the IME as an app, there will be a special keyboard button
to the left of the spacebar. Tapping on that keyboard button will show
a list where can select the IME keyboard. Vice versa, you can switch
back to the standard keyboard.

IMO, the two weakest security in KeePassDroid is the app-specific
storage (for storing key files) and clipboard entry of passwords. Apps
do not need any special permissions to monitor clipboard and *read* SD
card contents (where keyfiles are stored). Malware only need full
Internet access to launch these two attack vectors. As most app
require full Internet access, malware wouldn't arouse any suspicion
just by requiring full Internet access permission.

[minherz]

Hello Eddy. Can you explain what is difference between situation in
Android and Windows desktop? In desktop if there is malware app which
monitors clipboard
it also can intercept copied items regardless it is cleaned after
timeout. Correct me if I am wrong.

[Eddy]

In the version 1.x of KeePass on the desktop PC, there is a special
feature that once you paste the password, the content of the clipboard
is automatically destroyed. I guess if a malware sniff the clipboard,
the content of the clipboard will also be destroyed. Not sure why the
feature is not available on 2.x.

But I think a clipboard monitor malware in the desktop PC can also
sniff the password. That's why it is safer to use drag-n-drop for the
desktop.

[minherz]

It is a strange assumption. A content of the clipboard can be
destroyed indeed but why it should destroy the copied content? A
malware copies content of the clipboard into file or own memory where
it cannot be destroyed. Since there is a time period when an
unencrypted password is stored in clipboard it can be stolen.
I don't see a good UI allowing in Android to copy/paste info into some
edit field without using clipboard. Drag & Drop is a complex issue due
to a size of the screen. In tablet it can be possible but not in
phone.

[peterl...@gmail.com]

Yes- use Keepass2Android -- avoids this issue by using virtual KB.
https://play.google.com/store/apps/details?id=keepass2android.keepass2android&hl=en 

[Dude Dude]

Not sure how legit my concern is but it caused me to uninstall KeePass2Android, I don't trust plug-ins when it comes to the data stored in KeePass.

[Dude Dude]

Update! KeePass2Android Rocks!