Security of Master Password's Android App


masterpassword

05 Sep, 2014 02:30 PM

Hello everyone,

I am seriously concerned about the security of Master Password's Android app. Once I enter my master password, it is saved in the application until the app is killed. I would have expected my master password to be purged as soon as I leave the app / copy a derived password. I try to quit the app after using it every time, but yesterday I forgot, and when I opened the app today my master password was still there!

On another note, please use code obfuscation before deploying the app next time. Right now it is incredibly easy to decompile, modify and recompile the app. Attackers could easily offer a hacked version of the app for download and have all entered master passwords sent to them. Of course obfuscation cannot prevent such attacks but at least it makes it harder for adversaries.
I have not checked, but I also presume the app does not perform any integrity check? This would be another serious issue needing to be addressed.
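For illustration of the first concern, here is an added example (not Master Password's own code) of the lifecycle handling an Android app can use to keep a master password only in a `char[]` and wipe it as soon as the unlock screen leaves the foreground, instead of letting it live until the process is killed. The class, layout and view names (`UnlockActivity`, `R.layout.unlock`, `R.id.master_password`) are assumptions made for the example.

```java
import android.app.Activity;
import android.os.Bundle;
import android.widget.EditText;
import java.util.Arrays;

// Added example: an unlock screen that never keeps the master password in a
// String (immutable, lingers on the heap until GC) and zeroes the char[] copy
// in onPause(), i.e. whenever the user switches away or the screen locks.
public class UnlockActivity extends Activity {
    private char[] masterPassword;      // the only in-memory copy we control
    private EditText passwordField;     // hypothetical view id R.id.master_password

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.unlock);                              // hypothetical layout
        passwordField = (EditText) findViewById(R.id.master_password); // hypothetical id
    }

    /** Copies the field contents into a char[] without creating a String. */
    private char[] readPassword() {
        int len = passwordField.length();
        char[] buf = new char[len];
        passwordField.getText().getChars(0, len, buf, 0);
        return buf;
    }

    /** Called by the unlock button: take the password and derive from it. */
    private void onUnlock() {
        wipe();                            // drop any stale copy first
        masterPassword = readPassword();
        // ... derive the site password from masterPassword here ...
    }

    /** Zero the char[] and clear the on-screen field. */
    private void wipe() {
        if (masterPassword != null) {
            Arrays.fill(masterPassword, '\0');
            masterPassword = null;
        }
        // Clear the field so the value is not kept in the view's own buffer
        // or restored with the view hierarchy state.
        passwordField.setText("");
    }

    @Override
    protected void onPause() {
        wipe();        // leaving the foreground is the "I left the app" moment
        super.onPause();
    }
}
```

The wipe covers only the copy the app itself holds: the soft keyboard, any `String` produced by calling `toString()` on the editable, and the clipboard entry holding a copied derived password are separate copies that this code does not reach, which is why the derivation step should consume the `char[]` directly and the clipboard should be cleared on its own timer.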

  1. Support Staff 1 Posted by Maarten Billemo... on 06 Sep, 2014 06:18 PM


    Thank you for your message!

    First of all, please note that the status of the Android application is currently "technical preview"/first beta. That's also why it isn't on the store as it is now.

    On your concerns:

    1. We will definitely be making improvements to the confidentiality of your master password and other sensitive information. There are a lot of things to consider on this front, and the app will not hit the Play store until it is full and ready on this front.
    2. I have very little interest in obfuscation. While I may include a ProGuard phase for trimming the binary, I see little to no benefit at all in obfuscation. First of all, obfuscation has close to zero relation to actual security against the type of aggressors you really need to worry about; secondly, Master Password is fully open source and GPL licensed. Trying to obfuscate the source in the binary when it's fully public on GitHub is pretty ridiculous. I'm willing to investigate what steps can be taken to guard against masking a custom Master Password build as an official one, but please don't expect miracles on this front: Any client-side code is nearly completely out of my hands and most any protections against client-side injection are fatally flawed while serving mainly your false sense of security.
  2. Maarten Billemont closed this discussion on 06 Sep, 2014 06:18 PM.
