I would like to ask how the application currently attempts to assure security for the user, in the case of an attack or theft of the device, against extraction of locally stored credentials, either the passwords managed by the system, or the master password used for their decryption.
The question is prompted by the observation that the application supports local storage of the master password, even without protection of the application by a PIN. Such an observation suggests that the application, at least in some cases, will store the master password without any security having been added, additional to that which protects the overall device and installed system.
It would be concerning if a PIN, even when assigned, were not being used to protect the master password as persisted on local storage.
The most apparent questions are as follows:
- In the case that the master password is stored locally, and the application is configured with a PIN, is the stored master password encrypted with the PIN?
- In either case, are the managed passwords encrypted by either the master password or the PIN?
As has been observed in other issues submitted, the application currently has no protection against brute-force attack on the PIN.
Ideally, both the master and managed passwords should be stored as encrypted, requiring for decryption the application PIN, if any is assigned. Further, to protect against brute-force attacks, at least the master password should be expunged from the device after several successive failed attempts to unlock by entry of the PIN. After such precautionary purging, managed passwords should be inaccessible from the persistent storage device without circumventing string encryption.
All observations were made from the current release, version 1.0.10, running on LineageOS for MicroG 21.0.