Add Autofill Framework support for Android 8.0 Oreo (enhancement)

[rocketwidget]

It would be great if devices on Oreo could add this feature designed for password managers: Thanks!

https://developer.android.com/guide/topics/text/autofill.html

[christianfl]

You don't need to write a "+1" comment, just give the creator of the issue a thumb up. It's not only unnecessary but also very annoying because every subscriber gets an e-mail for new comments.

[packy]

Just a note: you need to be viewing the desktop version of the page to be able to give the first comment on the issue a thumbs up (or any reaction, for that matter). That feature doesn't appear in the mobile version, which might be why people are commenting "+1": they didn't see a way to do what was requested.

At the bottom of the page, there's a link to view the desktop version. Once viewing that, look for the +SmileyFace icon in the upper right corner of the first comment on the post.

[SohnyBohny]

Any news on this topic?

[PhilippC]

working on it right now. Hope I can release a first version in beta channel during the next few weeks.

[PhilippC]

I am currently uploading version 1.04-pre1 to beta channel. If you haven't done so already, please switch to beta channel (https://play.google.com/apps/testing/keepass2android.keepass2android) and also join the G+ community for beta testers (https://plus.google.com/communities/107293657110547776032). You should get the 1.04-pre1 pretty soon then.

After upgrading, please enable the Kp2a Autofill service in Android's settings (On my Pixel phone: Settings -> System -> Language & Input -> Advanced -> Autofill service - or simply search for autofill in the settings).

You should then see a little popup when entering an autofill supported text field. If the target app does not use autofill hints, you might have to long-press and then select Autofill.

I have tested this with some apps, e.g. Instagram. It also works with Firefox Focus/Firefox Klar. It does not work with Google Chrome, at least not with the version 63.0.3239.111 which I have running here. This version does not yet support Android's Autofill API. Same for the regular Android Firefox browser.

If you experience any issues please let me know. If you feel KP2A should be able to autofill but doesn't, post here. Would be great if you could check if other autofill services (e.g. Lastpass) can autofill.

[SohnyBohny]

I love it :heart:

Thank you! - does work on OnePlus 3T

[SohnyBohny]

Would be cool if you implement saving data... :stuck_out_tongue_winking_eye:

[iamrogerr]

Autofill is working fine on Oreo, but KP2A never find automatically the app I'm trying to log in (I always need to use the search). Example: I try to use autofill on Twitter. KP2A doesn't find my Twitter entry (because it searches for "com.twitter.android", and my entry is saved with the URL "https://twitter.com"). Enpass and Bitwarden work fine.

It's not a big problem though 😜 Thank you!

[daguej]

This is very exciting!

Noticed an issue: in the Amex app, it fills the password in the username field.

[mcarver2000]

Certain apps that don't appear to support autofill causes my Pixel C (Android 8.1.0) to crash & auto reboot. Bank of America, Consumer Cellular, Progressive Insurance are prime suspects. If I see the autofill prompt in apps, things work fine.

Edited: Found the culprit - forcing portrait only apps into landscape (using Rotation Control Pro). This doesn't happen if using Google for autofill. With KP2A the autofill prompt does not show and tapping in input field crashes instead of activating keyboard.

In the Progressive app https://play.google.com/store/apps/details?id=com.phonevalley.progressive, the password is used for the username.

[kabili207]

It doesn't seem to work with the PayPal app (https://play.google.com/store/apps/details?id=com.paypal.android.p2pmobile). I get the autofill option, but the password field is left blank. I'm not sure if this is an issue with KP2A or with PayPal.

Edit: added link to app

[CatalinCaranfil]

On Pixel2XL 8.1 this version is no longer able to open databases which previously could be opened - a very long message pops (which can not be captured with a screenshot) but it basically says Permission Denial ... you need to "obtain access using ACTION_OPEN_DOCUMENT or related APIs".

On OP3T with 7.x the same (I assume) new beta version works as before.

[mik9]

After QuickUnlock it asks about saving password but it shouldn't.

[PhilippC]

@mcarver2000 can you please post links to play store. I didn't find any of these apps. I am also very surprised to hear anything causing a reboot - this sounds more like an OS or hardware problem. If you can collect a logcat, that might help as well.

[PhilippC]

@CatalinCaranfil this happens after app upgrades sometimes and can be resolved by choosing "Change database" -> "Open database" -> reselect the database file.

[PhilippC]

@daguej I have analyzed this. The Amex app incorrectly has the TYPE_TEXT_VARIATION_PASSWORD flag set on the username field. I have contacted their support to see if they can fix this.

[bungabunga]

@PhilippC could you also make Keepass2android Offline available as beta with autofill or would that mean too much additional work?

[jgillies]

@PhilippC this app is also putting the password in the username field: https://play.google.com/store/apps/details?id=org.nyulmc.clinical.mychart&hl=en. I'd be happy to reach out to them to ask for a fix, but I'm not sure how to verify that they're also using the TYPE_TEXT_VARIATION_PASSWORD flag incorrectly.

[nicholseric]

I use field references https://keepass.info/help/base/fieldrefs.html but autofill is not resolving them correctly. Here is a screenshot of that on my pixel xl 8.1.0 using pulse secure and KP2A 1.4

[mcarver2000]

Found the culprit - forcing portrait only apps into landscape (using Rotation Control Pro). This doesn't happen if using Google for autofill. With KP2A the autofill prompt does not show and tapping in input field crashes the tablet instead of activating keyboard. This is not a issue (forcing landscape) unless KP2A is set for autofill.

In the Progressive app https://play.google.com/store/apps/details?id=com.phonevalley.progressive, the password is used for the username.

[the-felipeal]

Hi @PhilippC,

Glad to hear you're working on it, let me know if you need help (I'm the lead engineer on the Android Autofill Framework project).

Here are a few replies for some of the comments above, in no particular order:

• @mcarver2000 "forcing portrait only apps into landscape (using Rotation Control Pro). This doesn't happen if using Google for autofil. With KP2A the autofill prompt does not show and tapping in input field crashes the tablet instead of activating keyboard.": regardless of the autofill service being used, it shouldn't crash the system - if it does, it's a bug in the framework :-(. Which version of Android you're using, 8.0, or 8.1? If it's still crashing on 8.1, could you please report a bug and link it here?

• @iamrogerr "I try to use autofill on Twitter. KP2A doesn't find my Twitter entry (because it searches for "com.twitter.android", and my entry is saved with the URL "https://twitter.com").". The solution for this problem is to use Digital Asset Links to map the URL to the app, or provide an UI (using dataset authentication) to let the user confirm the mapping (as documented here). You can see an example of using DAL for that purpose on our official sample.

• @kabili207 "It doesn't seem to work with the PayPal app" - this is probably a keepass2android issue, as I managed to get my forked version of the sample service to work with PayPal.

• @PhilippC "I'd be happy to reach out to them to ask for a fix" - if you reach out to a 3rd party developer to ask them to support autofill, could you please refer them to the official documentation, in particular the "Providing hints for autofill" and "Test your app with autofill" sections?

Finally, we recently added a "Building autofill services" guide - it's not complete yet, so any feedback is welcome.

Best Regards,

-- Felipe

[PhilippC]

Thanks for all the feedback during the last days! I have improved the implementation, next update will be available in the beta channel shortly!

Here's what I did:

• The last opened entry is remembered and displayed as an additional list option alongside the "Fill with Keepass2Android" option. This simplifies entering partitioned data, it also provides a way to input data to the PayPal app (see comment by @kabili207).
• If no data is available for autofill but is manually entered, KP2A can now save the data (as mentioned by @SohnyBohny )
• Changed heuristics which fields are username fields. While I believe that the previous heuristics were "more correct", it seems like the new heuristics are working better, e.g. with the Amex app as reported by @daguej. @mcarver2000 can you please check with the Progressive Insurance app, it's not available in Germany. @jgillies can you please check if it helps with the app you mentioned? That's also not available here (and thus I can't take a closer look).
• field references are resolved (pointed out by @havealoha)
• Autofill can be enabled through KP2A's preferences. If it is not enabled, a message is displayed in the group view to do so.

@iamrogerr: The way to resolve this at the moment is simply to select the dataset once "manually" (from the screen which says that no results were found). You should then see a question if KP2A should remember this entry for this query. If you agree, it will work next time.

[PhilippC]

Hi @the-felipeal, it's great to see you're watching this issue and contribute to it! Here are a few comments to the points you mentioned:

• DAL will not be implemented in KP2A for the first release of Autofill, but KP2A has had support for storing domains and package names in one entry for a long time, so I think this won't be required at the moment (BTW the twitter app does not provide a WebDomain, so I don't think DAL would work here, right?)
• I tried the PayPal app with your forked service and it is the same as I have described on this stackoverflow question: As soon as I enable dataset authentication, your service fails as well! Maybe we can continue the discussion on stackoverflow?

[the-felipeal]

Hi Philipp,

Ideally, you should use DAL to avoid phishing, as storing just the domain and package doesn't guarantee the app installed in the device is legitimate. Similarly, when you save credentials associated with a package, you should save its certificate hash as well, so you can verify it when autofilling (as described in the "Package Verification" section).

If you're not using DAL to check the certificates, then I'd suggest using dataset authentication to show a dialog warning the user; something like "Do you want to fill app Example App with your credentials from https://example.com?". Then if the user agrees, you could store the certificate hash on KP2A to avoid asking again in the future. You could also take this approach if (or when :-) you implement package verification, so you can "fix" the existing K2PA database with certificate hash of the app the user is trusting to autofill.

Twitter, in particular, uses DAL - you can check its JSON file directly, or use Google's DAL API (example). It does not set a WebDomain property in the ViewNode because it does not use WebView. So, if the user is only using K2PA on Android, then you wouldn't need to worry about DAL (for Twitter), as you should be saving / restoring the credentials associated with the app (identified by package + certificate hash); DAL would only be useful in this case if the user is using K2PA on desktop or other places where the credentials are associated with Twitter's website.

Regarding the PayPal issue with dataset authentication, it's a known WebView issue that has been fixed on Chrome M64. You can verify it's fixed by installing a newer Chrome and changing the default WebView implementation through Settings -> Developer Options.

-- Felipe

[mcarver2000]

The heuristics change fixed the issue with the Progressive app. This app appears to treat the username field as a password in that keyboards do not show/predict what is being input.

[mcarver2000]

@the-felipeal Android version 8.1.0 - I was incorrect however about the device crash/reboot only happening with KP2A. If Google is set for autofill, portrait-only apps forced to landscape will crash/reboot the device.

I don't have permission to create a bug at Issue Tracker. Here are the details:

Autofill causes a system crash/reboot if the app is a portrait-only app forced into landscape. Using an app (I am using Rotation Control Pro) to rotate apps to match the device's orientation (landscape) and opening portrait-only app https://play.google.com/store/apps/details?id=com.phonevalley.progressive Autofill crashes the system forcing a reboot. Other portrait-only apps replicate this (PayPal, Bank of America, Consumer Cellular, etc.). If the app supports landscape mode, Autofill works with no issues.

Device: Pixel C Android version 8.1.0 (stock)

[jgillies]

@PhilippC your changes fixed the issue with the app I was referencing. Thanks!

[the-felipeal]

@mcarver2000 could you please file a bug with the reproducible steps and link it here?

[mcarver2000]

@the-felipeal Bug report submitted https://issuetracker.google.com/issues/71637394.

Note: I tried earlier today, but could not create the report. Just didn't click the correct link or wrong browser (I guess).

[jakejoh]

A couple of websites in Firefox Focus do not work (just get something similar to "cannot fill" (in German). Examples are GitHub and Twitter. Facebook e.g. is working like a charm. Also, autofill isn't working in Microsoft office apps at all, but I guess that's their fault (using the browser to login).

Edit: I manually updated to WebView 63 and it seems to work now, at least for Firefox Focus.

[nicholseric]

I can confirm that the field references are now resolving but for Pulse Secure 6.6.0, the autofill service is putting the user name into both the user name field and the password field.

[PhilippC]

while there are definitely possibilities to improve, I am closing this as the current implementation is ready for release. If you have further requests on the topic, please open new issues.