nice online features

Mar 16, 2013 at 8:19 AM
As I cannot get in touch otherwise (than the comment in the German Play Store), I'd like to THANK you for your effort and nice work. I used to wait literally years for a v2 to come, to be able to use it on Ubuntu / Windows / Android.

Further (here comes the main & luxury part), I join the others who stated they would like to have other kinds of online access to a centrally stored KeePass file.

Since you have taken some effort to get k2a running, here are my wishes and suggestions:
  1. neat luxury demands like FTPS / SFTP / Google Drive access (others will be asked for)
  2. I am really willing to pay for such an option
  3. will there be a way to buffer changes while the connection is bad, and is there a way of keeping data safely buffered while the connection is bad (yes, also in my country)?
Coordinator
Mar 18, 2013 at 5:16 AM
I am currently investigating options to add such online features. The problem is that most APIs are not directly available for Mono for Android. I'll add a few "issues" so people can vote for their provider of choice.
Mar 27, 2013 at 8:13 AM
"Missing interface makes smartphone password managers insecure"
I suppose this topic will be quite popular in the near future, so I have quickly translated the article for you.

(Perhaps there will be a translation on http://www.h-online.com/ in the next couple of days.)

"Missing interface makes smartphone password managers insecure

Developing a PW manager on Android is not a simple task - the API is missing. There are rules other than on desktop PCs.

The PW manager cannot link directly into the browser and also has to be available / usable by apps. (That I don't understand, but not important.)
Due to the missing API for integrating a PW manager into the browser or apps, the developers solve this problem in their own insecure way: they use the OS clipboard to deliver login data to the browser or apps.

Via the clipboard the users can also copy their login data from the PW manager to insert it into apps or the browser. This is a problem because the clipboard is a global resource, which every app can access. Even worse: there is a system-wide messaging service telling apps of each change of the clipboard:
(android.content.ClipboardManager.OnPrimaryClipChangedListener).

...which can be used by trojans...
The researchers proved this with their demo PWSniff, which doesn't even need any permissions to do so. The program searches and collects the demanded data from the phone, which only has to be combined.

When text is inserted from a well-known PW manager, it is supposedly a URL, account name or password. The next app the user selects is supposedly the receiver of the data.
With GET_ACCOUNTS the sniffer can also read the username of the Android AccountManagers (or the Android AccountManager).

Via currently open connections the sniffer can find out what server the password is for. This info is delivered by ProcFS for all apps (via /proc/net/tcp).
Last is to deliver the collected data to an external server. The implemented (?) PWSniff does this without permission for internet access. After the display is switched off, it opens a URL with the system browser.

The researchers contacted PW manager developers and asked them how they came to use the clipboard. But one, they answered that this has been a decision between usability and security, and even better than not having a PW manager and always using the same PW. The developers all criticized the missing Android support for PW managers.

The demand for / use of PW managers is confirmed by the scientists. Further research showed two uses of Android/mobile PW managers:
1. the standard encryption of the Android browser is said to be insecure
2. worry about Google collecting (harvesting) all login data"

Hope this is not too hard stuff.
Greetings Stefan










Coordinator
Apr 4, 2013 at 2:15 PM
I am currently developing a KP2A keyboard which can be used in order to avoid usage of the clipboard to circumvent password sniffers.
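
The keyboard approach mentioned in the last post, sketched as an added example that is not part of the original thread and is not KP2A's own code: an Android input method writes the credential straight into the focused field through its `InputConnection`, so nothing passes through the clipboard and no `OnPrimaryClipChangedListener` is triggered. The class name `CredentialKeyboardService` and the `offer()` hand-over method are hypothetical, and the example assumes the password manager and the keyboard service run in the same process.

```java
import android.inputmethodservice.InputMethodService;
import android.view.View;
import android.view.inputmethod.InputConnection;
import android.widget.Button;
import android.widget.LinearLayout;
import java.util.Arrays;

// Hypothetical keyboard service (assumed name), shipped inside the password manager app.
public class CredentialKeyboardService extends InputMethodService {
    // Assumption: the app hands over the selected entry in-process, never via clipboard.
    private static char[] user;
    private static char[] password;

    public static synchronized void offer(char[] u, char[] p) {
        user = u;
        password = p;
    }

    @Override
    public View onCreateInputView() {
        // Minimal two-key layout: one key per credential field.
        LinearLayout row = new LinearLayout(this);
        row.addView(makeKey("User", false));
        row.addView(makeKey("Password", true));
        return row;
    }

    private Button makeKey(String label, final boolean isPassword) {
        Button key = new Button(this);
        key.setText(label);
        key.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                commit(isPassword);
            }
        });
        return key;
    }

    private synchronized void commit(boolean isPassword) {
        char[] value = isPassword ? password : user;
        InputConnection ic = getCurrentInputConnection();
        if (ic == null || value == null) {
            return; // no focused editor, or nothing was offered
        }
        // Text goes only to the editor that currently has input focus.
        ic.commitText(new String(value), 1);
        if (isPassword) {
            // Wipe both values once the password has been delivered.
            Arrays.fill(password, '\0');
            if (user != null) Arrays.fill(user, '\0');
            user = null;
            password = null;
        }
    }
}
```

The service also has to be declared in the manifest with the `android.permission.BIND_INPUT_METHOD` permission and enabled by the user in the system's input settings before it can be selected.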