Saved Passwords & AutoFill

Hermit supports AutoFill on Android Oreo!

In Android Oreo, Google introduced the AutoFill API which allows any app to save usernames and passwords using any password manager. Hermit fully supports this, so you should see a prompt to login to all supported sites when using Hermit on Android Oreo.

Once logged in, Hermit will keep you logged in to most sites you visit.

Some sites allow you to stay logged in permanently (e.g. Facebook), but others require you to login once every week or every month. Whether to ask you to login again every few days, or keep you logged in forever, is a decision that is made by the site itself, not the browser.

Google removed the savePassword API

On Android versions Lollipop, Marshmallow, and Nougat, saving usernames and passwords is not supported because Google removed the Android API that used to make to possible.

From developer.android.com:

void savePassword (String host, String username, String password)
This method was deprecated in API level 18.
Saving passwords in WebView will not be supported in future versions.

The risk that Google is trying to address is that a malicious app developer could theoretically harvest all users’ passwords this way. We don’t agree with this assessment because whether or not a user trusts an app developer should be a decision to be taken by the user, not by the OS vendor. And if a malicious app developer really wanted to hijack a user’s session by assuming their identity, they can still do it today by stealing cookies.

Removing the username/password saving API just penalizes all users and all app developers with a bad user experience, while not actually solving the “problem” completely.