This project has moved and is read-only. For the latest updates, please go here.

Keepass2Android Offline and cache directory storage

Nov 20, 2013 at 1:49 AM
I have a question for you about the Offline version of Keepass2Android. I have already copied my KDBX file onto the SD card so Keepass2Android can see it. However, to the best of my understanding, there is no security on the external directories.

Would it be possible to have the Offline version offer to move a key database into it's private storage when you first open it? This way other applications would be unable to access the databases and it seems like this would increase the security of the program.
Nov 20, 2013 at 6:07 PM
I wouldn't consider this a big issue as the database is safely encrypted. If you have the database on a Windows PC, you'll certainly have many other points where the file can be accessed by other applications.
On the other hand it's certainly a nice suggestion. It probably would require to have some sort of export functionality to back up the database, right?
Nov 20, 2013 at 7:32 PM

I guess it depends on really how paranoid you are about the location of the key database. Since the key database has no built-in brute-force protection, I figure I should do my best to keep it from leaking out anywhere. As it happens, I run KeePass on a Linux machine so I do use a separate user ID for the KeePass application and this allows me to secure the key database. On Windows, I believe you can do similar things albeit a bit more difficult. However, on a Windows machine it is easier to install application firewalls to ensure that only applications you know and trust can get to the Internet. This does not (of course) protect them from stealing your files.

In my personal use case, I don't update passwords on my Android. Therefore, an export function is not as important to me as the import function. I am not an Android programmer but I would suggest for the export function that you can simply invoke the proper Intent to share a file. This would allow you to use an application like GMail, Box, Dropbox, ES File Explorer, or other network enabled program to get the key database off of the Android device without having to write a complex export function. This also means that you still don't need network access from Keepass2Android - to keep the Offline version.

I really love the idea of the key database being protected. There are so many applications I put on my phone that have full Internet access. In theory, I really trust them all, but in practice I would rather have security in place before I have a problem.

This is why I am so interested in the Offline version. I know there is no way for Keepass to leak any data and by being able to import the database into the private area, I am now confident that there is no way for Android to leak the database.

Thank you for considering this enhancement request.
PS If it takes a few beers to help this happen, I am all for that. Just let me know.
Nov 21, 2013 at 1:36 AM