However, the information (application_id) is provided to the autofill provider, so it's not really fair to say that Android itself is vulnerable: specific implementations of the provider may be vulnerable. Even if Android could protect against this specific issue, you're still going to be placing a lot of trust in the autofill provider.
Of course exploiting this can be a bit hard:
- All current password managers will show UI before autofilling.
- The app can really grab a password just for itself because of how managers look up the password.
I imagine password managers on mobile devices will have their own teething problems. I will just be patient and wait for them to mature.
I set up my KeePass plugin to not autofill forms and provide autocompletion only. That way it doesn't automatically spam any logins it can find into whatever form is present on the website.
Then again, since everything uses URLs of the websites, the only credentials a website has access to are its own...