Android's 'Restore Credentials' Feature Will Automatically Log You In To Your Apps On a New Phone

Google is introducing "Restore Credentials," a feature that simplifies transferring app credentials when switching Android devices to keep you logged into your apps. The Verge reports: While some apps already did this, Google is making it easier for developers to include this experience by implementing a "restore key" that automatically transfers to the new phone and logs you back into the app. [...] Restore Credentials requires less work than the previous approach on Android, and can automatically check if a restore key is available and log you back in at the first app launch. A restore key is a public key that uses existing passkey infrastructure to move about your credentials.

Restore keys can also be backed up to the cloud, although developers can opt out. For that reason, transferring directly from device to device will still likely be more thorough than restoring from the cloud, as is the case with Apple devices today. Notably, Google says restore keys do not transfer if you delete an app and reinstall it.

Is just me who thinks this is a really bad idea?

[TheDarkMaster]

Am I the only one who thinks it's a really, really bad idea to allow a new cell phone installation to automatically log in to all your applications? When you don't really have a way of being sure that the phone is in the hands of the genuine user of these accounts?

Re:

[Entrope]

Am I the only one who thinks it's a really, really bad idea to allow a new cell phone installation to automatically log in to all your applications?

Assuming it's controllable from the source side, you might be. Suppose that this transfer requires proximity of the two devices and only works with the same Google account on both devices. What's the threat vector that you are concerned with, and how is it enabled by this feature?

Re:

[TheDarkMaster]

The scenario I'm thinking of is as follows. Imagine that you have a banking application on your cell phone, which normally has a completely separate login and password from your cell phone. If a criminal could then access your cell phone account, they wouldn't be able to access also your bank account. But with this Google scheme, if the criminal gained access to your cell phone account, then he would also be able to gain access to the bank account.

Re:

[viperidaenz]

... if the banking app supports this optional feature.

Re:

[usedtobestine]

... if the banking app supports this optional feature.

When. When the banking apps support it. Remember, this pushes more of the responsibility onto the customer.

Re:

[viperidaenz]

If the bank wants to accept the liability that comes with this feature and spend developer time and money by adding this functionality to their app, that's their problem, providing you live in a country with sane banking regulations.

Re:

[Uldis Segliņš]

Convenience always wins over security. You just poke here and computaz do beep boop beep, magic happen, wow I like it! Plenty of places this can go wrong. And it will, just you wait. I would bet on eating my hat if I had one.

Re:Is just me who thinks this is a really bad idea

[ctilsie242]

Even if both devices are "secure" and have the same user on them, there needs to be some form of solid authentication to show the user actually wants to transfer all this info from one device to another, just in case the other device happens to be something other than it purports to be and has some way of logging ephemeral from memory for decrypting the credential storage. This could be a PIN or other authentication used, but that isn't really something that can stand up to brute force, so maybe something like the Google account password.

Older Android devices that used dm-crypt instead of fscrypt allowed one to have an encryption key that could be long, and was typed in at boot time, then stored in RAM. Maybe a long base decryption key like that can be used, similar to how a DSRM password is used to protect the contents of AD local storage.

My question is how the credential transfer will take place. Hopefully the credentials are encrypted with a low level device key, then transmitted using some security protocol, so once on the new device, they are received encrypted, and only decrypted by a Secure Enclave.

Overall, the big issue is making sure the user who owns the credentials authorizes the transfer to a new phone, and some thought should be put into it, for example if the user is being coerced into transferring their stuff from an old device to a new device which belongs to a criminal, or criminals cloning the credentials from a device before it is remotely killed.

Ripe for abuse...

[zurkeyon]

This thing better have the greatest security known to nerds, or its gonna have issues ;-)

implement actual backups and phone data transfer

[Espectr0]

android doesn't support transferring application _data_ when doing a phone to phone transfer. that means that if i transfer an app via cable, not only will i have to login, but the app will open with no saved data at all.

  the only purpose of the file transfer seems to be to transfer your camera roll and some general settings

i wish google fixes this without requiring root and a third party app

Re:

[itsme1234]

android doesn't support transferring application _data_ when doing a phone to phone transfer. that means that if i transfer an app via cable, not only will i have to login, but the app will open with no saved data at all.

THIS. That means no comprehensive transfers (including the credentials) and no app data transfer (note: that can be much more than some simple pictures or documents saved directly in the shared visible sdcard or whatever directory) AND NO BACKUPS.

They had some way of backing up some data bu