bitwarden / mobile

Retired Bitwarden mobile app for iOS and Android (MAUI/Xamarin).
https://bitwarden.com
GNU General Public License v3.0

Android O: Autofill API #57

Closed 0BF3M9ZbXZmcNllarEZFq2N9f0klOHaHsx9Mepq closed 6 years ago

0BF3M9ZbXZmcNllarEZFq2N9f0klOHaHsx9Mepq commented 7 years ago

Hooray, Android is getting proper support for password management apps!

https://developer.android.com/preview/features/autofill.html

Currently only available in beta builds of Android O, for very specific Google devices. It'll be quite a while before we see phones actually running whatever the next dessert will be called, so the accessibility service will stick around.

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 7 years ago

Yes, we plan to add support for this as soon as the API is available in Xamarin.Android.

E0gks1tynJmjfzUZBlMLjtfyDMMztQOeEk9brKR commented 7 years ago

Android O is likely to drop within a week or two. Any updated plans on this?

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 7 years ago

Looks like there is some support being added to Xamarin.Android recently. I'll start looking into it more now but don't expect something to be available as soon as O lands.

1e7vxYGUo7MaPmUSkwKunusZD0z4RHJPZgfHDSk commented 7 years ago

Looking forward to this!

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 7 years ago

Xamarin will have official Android 8.0 support in v15.4, so we're waiting on that before we start working on this.

StCPb41RfykO67GFWHmLBfDeA8MZFaD6B3kkypL commented 7 years ago

@kspearrin This article was recently posted on developer.xamarin.com. Can't wait for this to happen!

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 7 years ago

@nicosemp Yep, I've been trying to get 15.4 preview 2 working but am having a hard time with it...

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 7 years ago

Blocked by this issue: https://bugzilla.xamarin.com/show_bug.cgi?id=56740

Looks like I'll have to wait for preview 3

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 7 years ago

Got around the blocker and started working on this in the autofill branch. https://github.com/bitwarden/mobile/tree/autofill

Check out this quick demo :)

oreo autofill

NoWuCOULKpJKpQISz00ubkARdmj0Z4m7qxfAhb1 commented 7 years ago

@kspearrin I'd love to help test on Android. You should set up a beta channel if you haven't already.

ADCHqprxTRZho6KGVaUUWjVX6RN3hHAAu4tGPfC commented 7 years ago

I'm running O on my Nexus 6P, as well. Would be happy to test this if/when it ends up in a beta branch I can install without having to compile myself.

w1xaWnSfNYlxSxCwKLyyIppBakMgkuLTtuWdaEH commented 7 years ago

Running Android O on OnePlus 3 OxygenOS, more than willing to test!

Id9MTXGoYKRl0xqooWtePy7Uue3ZTENbFyQ7ore commented 7 years ago

Password Managers using Android Oreo’s Autofill API are Potentially Vulnerable to Data Leakage

https://www.xda-developers.com/password-manager-autofill-api-data-leak/
https://github.com/commonsguy/AutofillFollies/blob/master/WHITE_PAPER.md

Just sharing the links.

NoWuCOULKpJKpQISz00ubkARdmj0Z4m7qxfAhb1 commented 7 years ago

@Moxville I feel like that is a moot point. It assumes a malicious app on the phone. If you have a malicious app, you can pretty easily get someone to put info in there.

StCPb41RfykO67GFWHmLBfDeA8MZFaD6B3kkypL commented 7 years ago

@tehspaceg That's true, but it's still good to take some precautions where possible. Like partitioning data, and checking that the app that's being filled is actually the one associated with the entry, as the article suggests.

EDIT: Also it might be wise to wait for "best practices" from Google.
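
Added example, not part of the original thread and not Bitwarden's code: a C# sketch of the two precautions named in the comment above, offering an entry only to the package it is bound to and keeping login and card data in separate partitions. The types, the `androidapp://<package>` binding convention and the sample data are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample data: one login entry and one card entry bound to the same app.
var vault = new[]
{
    new Entry(Partition.Login, new[] { "androidapp://com.example.shop" },
        new() { ["username"] = "alice", ["password"] = "constructed-secret" }),
    new Entry(Partition.Card, new[] { "androidapp://com.example.shop" },
        new() { ["creditCardNumber"] = "4111111111111111" }),
};
// The form declares a card field alongside the login fields; the user focused "username".
var hints = new[] { "username", "password", "creditCardNumber" };
var ok = AutofillGuard.Build("com.example.shop", "username", hints, vault);
var lookalike = AutofillGuard.Build("com.example.sh0p", "username", hints, vault);
Console.WriteLine($"{ok.Count} dataset, keys: {string.Join(",", ok[0].Keys)}; look-alike: {lookalike.Count}");

// Hypothetical model for illustration; these are not Bitwarden's types.
enum Partition { Login, Card }
record Entry(Partition Kind, string[] Uris, Dictionary<string, string> Fields);

static class AutofillGuard
{
    // Assumption: an entry is bound to an app by a URI of the form androidapp://<package>.
    const string AppScheme = "androidapp://";
    // Android autofill hint values mapped to the partition they belong to.
    static readonly Dictionary<string, Partition> HintPartition = new()
    {
        ["username"] = Partition.Login, ["password"] = Partition.Login,
        ["creditCardNumber"] = Partition.Card, ["creditCardSecurityCode"] = Partition.Card,
    };

    // One dataset per entry bound to the requesting package, holding only values
    // from the partition of the field the user actually focused.
    public static List<Dictionary<string, string>> Build(string package, string focusedHint,
        IEnumerable<string> formHints, IEnumerable<Entry> vault)
    {
        if (!HintPartition.TryGetValue(focusedHint, out var partition)) return new();
        var allowed = formHints
            .Where(h => HintPartition.TryGetValue(h, out var p) && p == partition).ToHashSet();
        return vault
            .Where(e => e.Kind == partition)
            // Exact ordinal match on the package, never a substring or display-name match.
            .Where(e => e.Uris.Any(u => string.Equals(u, AppScheme + package, StringComparison.Ordinal)))
            .Select(e => e.Fields.Where(f => allowed.Contains(f.Key))
                                 .ToDictionary(f => f.Key, f => f.Value))
            .ToList();
    }
}
```

With the sample data, the bound package receives a single dataset containing only the username and password, and the look-alike package receives none. A package name alone can be reused by a differently signed build, so a fuller check would also compare the signing certificate.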

Fo4J42mly2EOyc15sSDmKvEkl4daZaPMjhfgWDD commented 7 years ago

Wouldn't best practices be to use the APIs provided by Google?

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 7 years ago

@JaceHensley We do use the APIs provided by Google. Just the C# version of them.

15.4 is now available for Xamarin, so we'll start looking at this again hopefully sometime soon.

AO1eCMNM0cCYHXbdGfBWUagNEXGFsa5lm6UFYIM commented 6 years ago

Any updates on this? It seems Xamarin has released sample code for how to handle this: https://developer.xamarin.com/samples/monodroid/android-o/AutofillFramework/

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

Yes, we are beginning to work on this again now.

ihyryhYMNDimwzvHM0oMTzsXcIeOrSANk2fl3OX commented 6 years ago

Can I help with this? Is there a specific branch where things are being done? I saw a branch but it got the last commit 2 months ago so I'm not sure.

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

I merged that branch into master and started working on it more.

See https://github.com/bitwarden/mobile/tree/master/src/Android/Autofill

Feel free to stop by our Gitter channel if you want to discuss specifics of how you can contribute to this feature.

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

I've made significant progress on this task over the past 2 days. Most of the work is now done. Expect a beta test next week.

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

This is now live through our beta channel on the play store. Please post any feedback or problems in this issue. Blog post: https://blog.bitwarden.com/bitwarden-the-oreo-autofill-framework-2a8b2e04f29e

1e7vxYGUo7MaPmUSkwKunusZD0z4RHJPZgfHDSk commented 6 years ago

With the latest update, when BitWarden is trying to fill a form, my default notification sound is firing constantly.

I can reproduce it every single time. Regardless of whether BitWarden is my autofill or not.

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

@wjbeckett Are you also using the autofill accessibility service? Sounds odd since our autofill framework implementation does nothing with notifications.

1e7vxYGUo7MaPmUSkwKunusZD0z4RHJPZgfHDSk commented 6 years ago

@kspearrin ah. yes that's what is doing it. Disable the accessibility service, and it stops.

I suppose I should log a bug for this then? Happening in all apps and Chrome.

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

@wjbeckett I just reproduced it on my end here as well. I'll look into a fix. No need for a new issue.

1e7vxYGUo7MaPmUSkwKunusZD0z4RHJPZgfHDSk commented 6 years ago

@kspearrin Perfect! Thanks mate.

1e7vxYGUo7MaPmUSkwKunusZD0z4RHJPZgfHDSk commented 6 years ago

@kspearrin Also seeing that when trying to Autofill in the PayPal app, the BitWarden autofill form appears, I tap it, unlock my vault, select the entry I want to autofill with, and then nothing happens. It doesn't fill in the username/password fields.

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

@wjbeckett I see. Not sure why this is only happening with PayPal app. Will have to investigate more. Unlocked vault can still fill it correctly.

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

@wjbeckett I just tested it and it looks like everything is being done correctly to perform the autofill, but it just doesn't work with that app. Additionally, I even tried 1Password and LastPass apps and they do not autofill with PayPal correctly either. 🤷‍♂️

t74olZ9a7nqf0ti6rdNtCSEANN0eJ3TjXRrQu5I commented 6 years ago

Do you guys know how 1Password is doing auto-fill within Chrome?

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

I’m using 1Password on my Nexus 5X with Android 8.0 and the autofill service doesn’t work in Chrome at all...??

t74olZ9a7nqf0ti6rdNtCSEANN0eJ3TjXRrQu5I commented 6 years ago

I'm on Pixel 2 XL with 8.0 with Chrome 62.0.3202.84 and 1Password 6.7.BETA-3.

Only noticed it appearing around a week ago.

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

@ragingsheep

I am running the exact same versions and do not see it working on a few websites that I have tried. Can you give me an example website that it works on?

t74olZ9a7nqf0ti6rdNtCSEANN0eJ3TjXRrQu5I commented 6 years ago

Actually, I think they might be "faking it", do you have Accessibility turned on for 1Password? It doesn't "autofill" in Chrome if I turn that off but it still autofills in apps.

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

@ragingsheep Yes, that is their accessibility service doing it in Chrome. Their UX is just the same on both methods.

cPh0hczWadegtbBLoQOcmTHQchhlO9R69o5U60B commented 6 years ago

Great work! Is there any possibility to save the matching mobile app to the entry? Not to search for the correct entry every time. LastPass was doing something like this... :-)

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

@hrach Not sure what you mean. When you save a new login it should use the mobile app's package name.

NoWuCOULKpJKpQISz00ubkARdmj0Z4m7qxfAhb1 commented 6 years ago

I think he means if you saved a site in the web browser, it uses url. The search appears to do pattern matching. Maybe when an item in the mobile app is identified for autofill, add a field automatically (or prompt to do so) that contains the package name.

On Wed, Nov 22, 2017, 8:14 AM Kyle Spearrin notifications@github.com wrote:

@hrach https://github.com/hrach Not sure what you mean. When you save a new site it should use the mobile app's package name.


--

-Geran

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

I see, yes, there is room for improvement there which has been the case for autofilling on android for some time now.

dZNkGe0pew8fw8eZKlpIkQLepFQEl3AQoEosItf commented 6 years ago

Implementation works well in most cases. A few issues I've found (not sure if these are specific to Bitwarden or not):

  - Google Find Devices (Device manager) doesn't prompt autofill
  - Amazon Shopping app log in doesn't prompt autofill

Twitter and some other apps are working fine, so great job getting this out. Way better than LastPass's buggy separate app version I tested a while back.

Samsung Galaxy S8 Oreo beta 3

NoWuCOULKpJKpQISz00ubkARdmj0Z4m7qxfAhb1 commented 6 years ago

I suspect the main limitation is in those apps. I'm fairly certain bitwarden is just calling the API, if the target app doesn't work with the API, it won't work.


--

-Geran

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

Some apps use web views for their login forms. I don't think these work with the Autofill Framework yet. I know Amazon is one I tested.

cPh0hczWadegtbBLoQOcmTHQchhlO9R69o5U60B commented 6 years ago

@kspearrin I mean a situation when the app package name doesn't match the domain, or there is some SSO which I'd like to attach to the app.

Also, I've encountered a bug: when I click an input, it prints that the vault is locked. After unlocking, I returned to the app, but the input still shows the same message that the vault is locked.

Third, it also suggests something in my (Nova) launcher search field. Is there any way not to show it here?

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

@hrach

  1. You can correct those with https://blog.bitwarden.com/new-feature-equivalent-domains-dd29aa462bb7
  2. Can you please let me know what app this is happening in? We saw the same thing in the PayPal app and there wasn't anything we could do there.
  3. I can add that app to the exclusion list.

cPh0hczWadegtbBLoQOcmTHQchhlO9R69o5U60B commented 6 years ago

  1. Thanks :) Didn't know.
  2. Sygic Travel, but I think I know the pattern: after unlocking, pressing back takes me back to the app and then it shows it's still locked.

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

@hrach If you are unlocking you must select the item to fill from the app UI. If you just press back you will end up with nothing if the app immediately locks back again. That is expected.

cPh0hczWadegtbBLoQOcmTHQchhlO9R69o5U60B commented 6 years ago

If I open the Bitwarden app (after pressing back, leaving my app and launching Bitwarden), it isn't locked. That's the reason why I was confused.

pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P commented 6 years ago

Ok, what is your lock option set at?