Security of Master Password's Android App
Hello everyone,
I am seriously concerned about the security of Master Password's Android app. Once I enter my master password, it is saved in the application until the app is killed. I would have expected my master password to be purged as soon as I leave the app / copy a derived password. I try to quit the app after using it every time, but yesterday I forgot, and when I opened the app today my master password was still there!
On another note, please use code obfuscation before deploying the app next time. Right now it is incredibly easy to decompile, modify and recompile the app. Attackers could easily offer a hacked version of the app for download and have all entered master passwords sent to them. Of course obfuscation cannot prevent such attacks but at least it makes it harder for adversaries.
I have not checked but I also presume the app does not perform any integrity check? This would be another serious issue needing to be addressed.
Support Staff 1 Posted by Maarten Billemo... on 06 Sep, 2014 06:18 PM
Thank you for your message!
First of all, please note that the status of the Android application is currently "technical preview"/first beta. That's also why it isn't on the store as it is now.
On your concerns:
Maarten Billemont closed this discussion on 06 Sep, 2014 06:18 PM.