Autofill options for Oreo and newer Android versions

edited August 2018 in Android

As I understand,

1) setting an app as an accessibility option was the "old way" for a password manager to observe the foreground app to recognize login prompts but it came with a few downsides, one of which being that the password manager would constantly poll for login prompts, it affects lockscreen security or something, and it is a general security risk as an app can observe other apps.

2) The new Autofill service feature offered in Oreo to address the performance issues of accesibility access.

Other random things 1Password doesn't use but I've seen in other pw managers:
3) Display over other apps allows the app to overlay other apps (messengers use this for chathead features. Lastpass uses this pre-Oreo to pop up credentials to copy/paste into logins and also a password bubble thingy.)

4) Apps with Usage access. Well, I don't know why Lastpass has this unless it's one of their analytic libraries they include or if it does indeed help with observing the active application.

5) Modify System Settings. This is a goofy one. I think it's so an app can toggle wifi and bluetooth amonst other things. Google really doesn't clarify why many apps declare this and a lot of obscure apps try to.

I guess my question is, with Oreo, can I simply register 1Password as an autofill service so it doesn't affect performance? As I understand, setting it as an accessibility service just allows 1Password to detect webpage logins if you use Chrome-based browsers. If I use Firefox for Android I wouldn't think it applies, right?

Comments

  • HenryHenry

    Team Member

    Hi @jwms! You're quite right here, both on what we do and what we don't. :)

    A couple things I'll point out:

    Setting an app as an accessibility option was the "old way" for a password manager to observe the foreground app to recognize login prompts but it came with a few downsides, one of which being that the password manager would constantly poll for login prompts, it affects lockscreen security or something, and it is a general security risk as an app can observe other apps.

    It is definitely the "old way", though it's not too great a security risk when used by an app you trust (like us!). In our case, the main concerns with Accessibility services, and why we'll be pushing users toward Autofill once their devices get Oreo, is their CPU and memory usage, and Android's propensity to turn off device encryption on some devices when you enable one!

    Display over other apps allows the app to overlay other apps (messengers use this for chathead features. Lastpass uses this pre-Oreo to pop up credentials to copy/paste into logins and also a password bubble thingy.)

    This is definitely cool, even if in our case the Accessibility filling service does much the same. Adding more flexibility to filling is always on our radar, so thanks for the feedback in this bit!

    And I like your question! Indeed, using 1Password as your Autofill app is necessarily a bit nicer to your CPU/memory than using our Accessibility service. In our upcoming 1Password 7 update, we're adding support for filling in Firefox Focus and DuckDuckGo with Autofill (the first two browsers it'll ever support!) so if you use one of those you can turn off Accessibility entirely and most likely not notice a difference.

    Let me know if I can help you more or add to any of this!

  • Thanks. There's not many places to ask those questions about those particular app capabilities but they've always been of interest when they are discussed.
    Oh, and the chathead type thing - I find those sorts of draw-over things annoying so don't take that as a suggestion :) lol. A password manager is hopefully something that gets in and out of the way which is why I like your design choices.

  • brentybrenty

    Team Member

    We're on the same page there. :) We've shied away from a number of different filling mechanisms over the years due to security risks of other apps being able to monitor the screen and clipboard, so I'm glad that Google has given us some great tools to work with that give us a great deal more convenience without sacrificing security. Cheers! :chuffed:

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file