SamuraiSafe resisted adopting password autofill of web pages within the web browser, as the implementations were often vulnerable to compromise. SamuraiSafe now adopts Apple’s AutoFill Credential Provider Extension interface which is built into iOS/iPadOS. It aims to avoid such vulnerabilities.
Importantly there is no auto in Autofill. User authentication and confirmation is always required. In addition, Apple goes to some lengths to ensure the websites or domain associated with an application are legitimate, although one can’t discount the possibility that these mechanisms may be circumvented in certain situations.
Some articles about things going wrong:
- Web trackers exploit browser login managers – Princeton Centre for IT Policy – Dec 2017
- Potent exploit underscores the dark side of password managers – Ars Technica – Mar 2017
Security and Privacy often incur a tradeoff with convenience. Solutions are often complex and may not be correct or complete. By keeping things simple the risks of vulnerabilites is reduced.