Autofill Services and Security: Update

Previously, I wrote about
security problems inherent in Android 8.0's autofill system.
Google basically dumped security problems onto the developers of autofill
services, and then did not document what autofill service developers
needed to do.



In an update yesterday to
the still-locked security issue,
Google pointed out that they have now improved the JavaDocs to discuss these
issues more and have updated their sample app
to demonstrate these approaches.



I have updated my
white paper
to match. I have not tested their revised sample app.



My mission was to try to get autofill fixed in Android 8.0 itself. I failed in
this regard, as autofill security is now the responsibility of autofill services.
But, at this point, I leave it up to the regular cadre of Android security
researchers to try to identify flawed autofill services or to poke other holes
in Android 8.0's autofill system.



Writing an autofill service is a very niche topic, and so it does not seem to
make sense for me to invest a lot of time in trying to improve upon Google's
sketchy instructions on the subject. If you would like me to try to write
more about this, please let me know, as I may
try to do more here if there is sufficient interest.

Published on September 27, 2017 06:59