Hacker Remix

Android "Password Store" client for pass discontinued

93 points by felixc 3 days ago | 55 comments

grouchypumpkin 3 days ago

I worry a lot about password managers on mobile. Such as:

* if an app has a single developer (KeePassium? Strongbox?), how much money would it take them to add a back door? 1M USD? 10M USD? Let's say they are exceptionally honest, and won't take money. How about threats to their lives or families?

* if an app has a small number of engineers with commit access (Bitwarden? 1Password?), could any one of them be compromised by money or threats?

* Would password managers from Google/Apple/Microsoft fare better because they already face these risks and have controls? Or maybe not?

wvh 3 days ago

Does that not apply to anything in life? How difficult is it to get code into any open-source software package or distribution really? I work in high-security environments, and I'm always wondering how you can really guarantee that any Debian, Ubuntu or Arch developer is honest and not compromised themselves, any software package installed is 100% clean, and any software library module and container image is fully checked. And that's not getting into tin foil hat assumptions about a shady government agency having access to the major app stores, Github, common distributions or email hosters.

There simply is no way anymore to check the several million lines of code even a minimal setup requires somewhere in the stack. Even an in-depth code review of a medium sized web application – with deps – has already become a gargantuan task most companies simply can't afford.

prmoustache 3 days ago

> Or maybe not?

This.

It is just slightly more difficult and takes longer to target in a large company because you usually have to actually be hired by that company and do not necessarily have the choice of the team/products you will be working on.

But adding backdoors and vulns, yes, totally possible on random products that person would be assigned to. There is review fatigue the same way there is fatigue in a lot of processes.

PinguTS 3 days ago

> It is just slightly more difficult and longer to target it in a large company because you usually have to actually be hired by that company and do not necessarily have the choice of the team/products you will be working on.

There are lots of examples at almost all of the Fortune 500, because they do not sneak in as just some random employee.

Cisco is very well known for backdoors in their equipment.

azurezyq 3 days ago

Adding a backdoor is not the difficult part, leaving no trace is. People don't know who you are on GitHub, but it's easy for top-name companies to track who created the backdoor in great detail. Actually, the power of tracing the real person is one of the best defenses.

KeePassium 3 days ago

> Let’s say they are exceptionally honest, and won’t take money. How about threats to their lives or families?

The more I think about it, the better I understand TrueCrypt's sudden demise.

hggigg 3 days ago

I would tend to trust Apple more as they define attack vectors and mitigations in their platform security guide. Also they have a holistic approach to this from hardware through to software, not just an app tacked crudely onto whatever APIs were lying around.

I would NOT trust Microsoft though. I've had enough problems with Authenticator and so have other users in our org that I refuse to put data near it. Not concerned so much about other people getting access to it but me losing my data.

too_damn_fast 3 days ago

In the past two days, the official Syncthing Android client has been discontinued, making the use of KeePass harder. Bitwarden has been trying to move away from a fully FOSS system. And now this?

prmoustache 3 days ago

A fork of Syncthing had been in development and released for a while though, so use of KeePass isn't really getting harder unless this developer also pulls the plug. https://f-droid.org/en/packages/com.github.catfriend1.syncth...

dailykoder 3 days ago

I've been using KeePass for quite a number of years now. I have my database and a security key. I sync my database with Dropbox (because I am too lazy to self-host something like Nextcloud) between devices and just manually copy my key on every device. My key was never synced through the internet.

I hope that's secure enough and works fine for me. I guess syncthing is just smaller and obviously doesn't need a third party?

kreyenborgi 3 days ago

At least the Play Store version has: https://github.com/syncthing/syncthing-android/issues/2064 But isn't https://f-droid.org/en/packages/com.nutomic.syncthingandroid... still being kept up-to-date?

I switched to F-Droid at least; remember to back up your config before uninstalling the Play Store version.

zinekeller 3 days ago

It's discontinued, period (https://github.com/syncthing/syncthing-android/issues/2064#i...). The fork seems to be fine currently though.

tjoff 3 days ago

> Bitwarden has been trying to move away from a fully FOSS system

Details?

felixc 3 days ago

“pass” in this context refers to a GPG-encrypted file based password manager: https://www.passwordstore.org/ https://en.wikipedia.org/wiki/Pass_(software) https://wiki.archlinux.org/title/Pass.

“pass” itself can be used in many contexts, but is primarily a desktop command-line tool. “Password Store” is the Android client for it.
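As an added illustration of the layout felixc describes (example code, not code from the pass project, Password Store, or anyone in this thread): a small Python script that walks a pass-style store the way `pass ls` does, resolves which `.gpg-id` recipients govern an entry (pass allows per-subfolder `.gpg-id` files, and the nearest ancestor wins), and splits a decrypted entry into password and metadata using the first-line-is-the-password convention. It does not invoke GnuPG at all; it assumes the store layout documented at passwordstore.org, and the store it builds is a constructed fixture with placeholder bytes where the OpenPGP data would be.

```python
"""Walk a pass-style password store and apply its layout conventions.

Added example, not code from the pass project.  Assumed layout (from the
pass documentation, not verified here against the tool itself):

  <store>/.gpg-id            recipient key IDs, one per line; a subfolder may
                             carry its own .gpg-id, and the nearest one wins
  <store>/<path>/<name>.gpg  one entry per file
  decrypted entry            first line is the password, remaining lines are
                             free-form metadata, conventionally "key: value"

No GnuPG calls are made: the fixture files hold placeholder bytes.
"""
from __future__ import annotations

import tempfile
from pathlib import Path


def find_gpg_ids(store: Path, entry: str) -> list[str]:
    """Return the recipient IDs governing `entry` (nearest .gpg-id wins).

    `entry` is a path relative to the store, e.g. "work/vpn.gpg".
    """
    directory = (store / entry).parent
    while True:
        candidate = directory / ".gpg-id"
        if candidate.is_file():
            return [line.strip() for line in candidate.read_text().splitlines()
                    if line.strip() and not line.startswith("#")]
        if directory == store:
            raise FileNotFoundError("store is not initialised: no .gpg-id found")
        directory = directory.parent


def list_entries(store: Path) -> list[str]:
    """Entry names as `pass ls` shows them: relative path without the .gpg suffix."""
    entries = []
    for path in store.rglob("*.gpg"):
        if ".git" in path.parts:          # pass can keep the store in git
            continue
        entries.append(path.relative_to(store).as_posix()[:-len(".gpg")])
    return sorted(entries)


def parse_entry(plaintext: str) -> tuple[str, dict[str, str]]:
    """Split decrypted entry text into (password, metadata).

    Only the first line is the password.  Later "key: value" lines become
    dict items; bare URLs and other free text are collected under "notes".
    """
    lines = plaintext.splitlines()
    if not lines:
        raise ValueError("empty entry")
    password, meta, notes = lines[0], {}, []
    for line in lines[1:]:
        stripped = line.strip()
        if not stripped:
            continue
        key, sep, value = stripped.partition(":")
        if sep and key and not stripped.startswith(("http://", "https://")):
            meta[key.strip().lower()] = value.strip()
        else:
            notes.append(stripped)
    if notes:
        meta["notes"] = "\n".join(notes)
    return password, meta


def build_sample_store() -> Path:
    """Construct a throwaway store (fixture only; placeholder bytes, not OpenPGP)."""
    store = Path(tempfile.mkdtemp(prefix="pass-demo-"))
    (store / ".gpg-id").write_text("alice@example.org\n")        # constructed
    (store / "email").mkdir()
    (store / "email" / "gmail.gpg").write_bytes(b"placeholder, not OpenPGP")
    (store / "work").mkdir()
    (store / "work" / ".gpg-id").write_text("bob@example.org\n")  # per-folder
    (store / "work" / "vpn.gpg").write_bytes(b"placeholder, not OpenPGP")
    return store


if __name__ == "__main__":
    demo = build_sample_store()
    for name in list_entries(demo):
        print(name, "->", find_gpg_ids(demo, name + ".gpg"))
    print(parse_entry("hunter2\nuser: dailykoder\nurl: https://example.org/login\n"))
```

The per-folder `.gpg-id` lookup is the part worth checking on a real store: an entry under a subfolder with its own `.gpg-id` is encrypted to those recipients, not the top-level ones, so a mis-scoped `pass init -p` quietly changes who can read a whole subtree.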

gurjeet 3 days ago

Shameless plug: A few months ago I wrote a blog post [1] about integrating PasswordStore + GnuPG + TouchID on a MacBook, and used that to automate my work VPN (Cisco AnyConnect) auto-connection [2], hence avoiding the need to interact with the very bad UI that is AnyConnect.

Hopefully others find it useful.

[1]: https://gurjeet.singh.im/blog/passwordstore+gnupg+touchid

[2]: https://gurjeet.singh.im/blog/cisco-anyconnect-vpn-automatio...