Android Oreo’s Autofill: What Is It and How Does It Work?
Filling in forms on the web is a pain, and doubly so on mobile. A new feature in Android Oreo aims to make it a breeze.
On desktop computers, password managers are absolute lifesavers. With a simple browser extension, you can use a unique and secure password for every service you use. Even more conveniently, most password managers allow you to save common addresses, phone numbers, credit card info, and more. All those things you hate typing into web forms when you try to buy tickets online, effortlessly and automatically filled in. Wouldn’t it be great if you could get the same experience on your phone?
With Android Oreo, the dream of using password managers to automatically log into apps and fill in common web form data is about to be a reality. New to Android with the August 21 update is an Autofill API that allows developers of these apps to properly detect and input form data within apps and on the web, all while keeping your info secure.
How it works
Currently, password managers on Android are rather limited. Sure, you can open them up to look up a password or copy it to the clipboard, but there’s no mechanism to allow the login screen of an app to simply request the password from whatever service you use.
MORE: 15 Android Security Tips to Protect Your Phone and Your Privacy
Some apps, like LastPass or Dashlane, try to circumvent this by using an Accessibility service (which you have to enable by hand in Settings) to monitor the screen and guess when there are fields to fill in, then prompt you with a popup window. Sometimes it works, and sometimes it doesn’t; the accessibility service wasn’t really made for this.
Android Oreo introduces a new dedicated Autofill function. It is currently disabled by default, though this may change in the final release due out next week. As of this writing, you go to Settings > System > Languages & input > Advanced > Input assistance > Autofill service and choose the app you want to use to fill in forms and login fields.
Do that, and every time an app shows a login field, the Android system will automatically request it from your password app. Just authenticate with your fingerprint or PIN and you’re good to go. The same goes for web forms. Any app that uses a “standard view” on Android (the vast majority of apps) should work automatically. Apps that use custom views (like an OpenGL rendered game interface) can be made to work too, so long as the app developer adds in some hints to tell the Autofill API what to look for.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
The Autofill API requires both Android O and support from your password manager app. Fortunately, nearly every major service is on board: Dashlane, LastPass, 1Password, and Enpass have all committed to rapidly supporting the feature. Some are already testing it in beta and will be ready for release as Oreo rolls out to phones.
Easier and more secure
Naturally, this feature will make using Android phones far more enjoyable. Pecking out an email address and password, or a shipping and billing address, is a real pain on a mobile keyboard. But it has big implications for security, too.
Security experts all give us the same advice: use a unique, complex password for every single service you use. But since nobody can remember dozens of unique, complex passwords, we tend to ignore this advice and use the same one or two passwords for nearly everything online. This is a horrible idea. If one service is compromised, the hackers have a password that will work on lots of other sites and services.
The solution is to use a password manager to remember hundreds of unique logins. That’s easy advice to follow on the desktop, but using a password manager on your phone doesn’t have the same one-touch ease, so most users don’t bother. With Android Oreo’s Autofill API, password managers will become such big time savers that you’d be crazy not to use one. And if you’re using a password manager to save time anyway, why not use unique, complex passwords for everything?