
6eero / newpass


πŸ” NewPass is a free and open source password manager which will allow you to generate and store your passwords securely, saving them locally and encrypting them on your phone's memory

Home Page: http://www.newpass.solutions/

License: GNU General Public License v3.0

Language: Java (100.00%)
Topics: android, password, password-generator, password-manager, password-store, safety, java

newpass's Issues

security issues

Hi! I noticed the following:

GeneratePasswordViewModel.generateRandomPassword() uses java.util.Random -- which is not cryptographically secure -- instead of java.security.SecureRandom.

EncryptionHelper logs plaintext and keys; understandable for debugging but not something that should occur on users' devices.

(Additionally, I noticed the typo "lenght" a few times.)
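The report above points at java.util.Random, which is a seeded linear congruential generator whose output is reproducible from a single observed state, so a password drawn from it is not unpredictable. The following generator is an added example written for this page, not NewPass's own GeneratePasswordViewModel; it assumes the same options the app exposes (length plus uppercase, numbers and special characters) and draws every choice from java.security.SecureRandom, using nextInt(bound) rather than a modulo, so selection is unbiased, and guaranteeing at least one character from every selected class before a CSPRNG-driven shuffle.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example: a SecureRandom-backed generator with the option set NewPass exposes.
public final class PasswordGenerator {
    private static final String LOWER = "abcdefghijklmnopqrstuvwxyz";
    private static final String UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    private static final String DIGITS = "0123456789";
    private static final String SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?";

    // One CSPRNG for the lifetime of the generator. On Android, new SecureRandom()
    // uses the platform provider, seeded from the OS entropy pool; never seed it yourself.
    private final SecureRandom rng = new SecureRandom();

    public String generate(int length, boolean upper, boolean digits, boolean special) {
        List<String> classes = new ArrayList<>();
        classes.add(LOWER);
        if (upper) classes.add(UPPER);
        if (digits) classes.add(DIGITS);
        if (special) classes.add(SPECIAL);
        if (length < classes.size()) {
            throw new IllegalArgumentException("length too short for the selected character classes");
        }
        StringBuilder alphabet = new StringBuilder();
        for (String c : classes) alphabet.append(c);

        // Guarantee at least one character from every selected class, then fill the
        // remainder from the combined alphabet. nextInt(bound) is uniform over [0, bound),
        // unlike (nextInt() % bound), which is biased when bound does not divide 2^32.
        List<Character> out = new ArrayList<>(length);
        for (String c : classes) out.add(c.charAt(rng.nextInt(c.length())));
        while (out.size() < length) out.add(alphabet.charAt(rng.nextInt(alphabet.length())));

        // Shuffle with the same CSPRNG so the guaranteed characters are not always in front.
        Collections.shuffle(out, rng);

        StringBuilder sb = new StringBuilder(length);
        for (char ch : out) sb.append(ch);
        return sb.toString();
    }

    public static void main(String[] args) {
        PasswordGenerator gen = new PasswordGenerator();
        // Print once for demonstration; a real app should never log generated secrets.
        System.out.println(gen.generate(20, true, true, true));
    }
}
```

Because SecureRandom extends java.util.Random, the fix in the app is largely a one-line type change, but the second point in the report (plaintext and keys written to the log) needs a separate pass: on Android, logcat is readable by other debugging tools on the device, so secrets should not reach it even at debug level.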

Lack of feedback when entering email with incorrect formatting

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
Sorry to bother you! I found that when I entered an email to save a message, if the email was incorrectly formatted, the message would still be saved without any feedback telling me that the email was incorrectly formatted.
Describe the solution you'd like
A clear and concise description of what you want to happen.
I wish I could add a review rule for email format to remind me better.
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

"account" wording

Maybe it would be a better idea to say "create a secure password for NewPass" and "Unlock NewPass" instead of "login to your account".

Essentially I was confused if this is a local account or not. Also "username" should just be "name" as it literally says "welcome back, pablo!" and doesn't need to be entered.

Issue during export/import

Description:

Currently, NewPass exports the password database encrypted by the user password entered during the initial setup. However, during the export process, the decrypt method is invoked to decrypt the password column. This is intended to prevent issues with incorrect keys when importing the database, as the import process calls the encrypt method to re-encrypt the entire password column. As a result, even though the exported database is encrypted by the user's password, the password column within this encrypted database is stored in plaintext. This undermines the overall security of the database, as the plaintext passwords are exposed once the database is decrypted with the user's password.

Steps to Reproduce:

  1. Set up a NewPass account and create several password entries.
  2. Export the password database.
  3. Decrypt the exported database using the user password.
  4. Observe that the password column within the decrypted database is in plaintext.

Expected Behavior:

The exported password database should have all its contents, including the password column, encrypted with the user password. No plaintext passwords should be exposed within the encrypted file.

Actual Behavior:

While the exported database is encrypted with the user password, the password column within the decrypted database is stored in plaintext, exposing sensitive information.

F-Droid listing

I see your app reached F-Droid.org now – and your Readme now links to both, F-Droid and IzzyOnDroid. I take it you want to keep your app at IzzyOnDroid then? Just asking to make sure it was not an oversight. Due to the APK size being beyond 15 MB, IzzyOnDroid can currently only keep a single version btw.

Password complexity

Include uppercase and numbers by default.

Use at least 14 characters.

Why 14? Strength testing tools rank the complexity as 'centuries' when trying the generated passwords from your app with uppercase and numbers using 14 but not less characters.

feature option to choose this app in the "autocomplete" function

I would like the application to have an option to activate it as the main autocomplete provider. This is a very useful feature: when the keyboard identifies the email and password fields to fill in, it suggests the data already saved, and it also asks whether the user wants to save or update any credentials.

Fastlane improvements

Thanks for adding Fastlane structures! Could you please slightly adjust full_description.txt? A simple newline (empty line) before the bullet-point list would make it render perfectly as Markdown. You could also add an introductional paragraph:

NewPass is a secure password management application designed to generate and store strong passwords locally on your device. With NewPass, you can create highly secure passwords for your accounts and services without the need to remember them.

(remember to separate that from the "Key features" by an empty line as well). If you wish, you can also use simply HTML formatting, e.g. enclosing "Key features" like this: <b>Key Features:</b>. Optionally, you can make it fully HTML:

<p><i>NewPass</i> is a secure password management application designed to generate and store strong passwords locally on your device. With NewPass, you can create highly secure passwords for your accounts and services without the need to remember them.</p><p><br><b>Key Features:</b></p><ul><li><b>Password Generation:</b> NewPass provides a robust password generator that allows you to create complex and secure passwords tailored to your specific requirements. You can customize the length and the character set (Uppercase, Numbers and Special).</li><li><b>Local Storage:</b> Your passwords are stored locally on your device, ensuring complete privacy and control over your data. NewPass does not store any passwords on external servers, minimizing the risk of unauthorized access (If you uninstall the app, your password are lost!).</li><li><b>AES Encryption:</b> NewPass encrypts all stored passwords using Advanced Encryption Standard (AES) with Cipher Block Chaining (CBC) mode before saving them in the local database.</li><li><b>User-Friendly Interface:</b> NewPass features an intuitive and user-friendly interface, making it easy to generate, view, and manage your passwords. The app offers convenient options for copying passwords to the clipboard and securely sharing them with other applications.</li></ul>

(I've put that into a single line to prevent fdroid from replacing each line break by <br>, which it loves to do otherwise)

Releasing a build

Hey,

I've just tested your app and it looks great on my Android. Do you plan to release a prebuilt version? If you are interested I can list it on my open source repo at https://openapk.net/ so other people can try it!

Back Navigation is not proper

Defect: Try using the native back navigation and the top back button to navigate to the previous screen. For example, navigate to the main screen after login, add an entry, come back to the main screen, then go to generate a password, come back to the main screen, and then press the back button.

Expected: The user should exit from the app.

Actual: The user stays on the main screen until and unless you press the back button several times till you exit the app, depending on the back stack.

This defect can be recreated in various flows. PFA the screen recording

Encryption integrity

It appears NewPass uses AES in CBC mode; this means NewPass has zero encryption integrity, which could be considered a massive security flaw. I'd recommend using AES GCM, manually adding integrity checks to CBC using a cipher-based message authentication code, or using something like libsodium for encryption.

Ideally just use libsodium as it does all the hard work for you.
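The export/import issue above and this integrity issue share one fix: wrap the whole export (every column, passwords included) in an authenticated cipher keyed from the user's password, so that a modified or truncated file is rejected instead of silently decrypting to garbage, as unauthenticated CBC would. The class below is an added example for this page, not NewPass's own EncryptionHelper; it assumes a PBKDF2-derived 256-bit key (PBKDF2WithHmacSHA256 is in the standard JDK and, on Android's provider, from API 26; check the provider table for lower targets), AES-GCM with a fresh random nonce per file, and the salt and nonce bound as associated data. The main method round-trips a constructed sample row and then corrupts one byte to show the tag check failing.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example: password-keyed, authenticated export container (salt || nonce || ciphertext+tag).
public final class ExportCrypto {
    private static final int SALT_LEN = 16;
    private static final int NONCE_LEN = 12;     // 96-bit nonce, the GCM default size
    private static final int TAG_BITS = 128;
    private static final int PBKDF2_ITERS = 310_000;
    private static final SecureRandom RNG = new SecureRandom();

    static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        KeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    // Encrypt the whole export blob. Salt and nonce go in the header and are also
    // authenticated as AAD, so replacing the header is detected on open().
    static byte[] seal(char[] password, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN];
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(salt);
        c.updateAAD(nonce);
        byte[] ct = c.doFinal(plaintext);           // ciphertext followed by the 16-byte tag
        byte[] out = new byte[SALT_LEN + NONCE_LEN + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_LEN);
        System.arraycopy(nonce, 0, out, SALT_LEN, NONCE_LEN);
        System.arraycopy(ct, 0, out, SALT_LEN + NONCE_LEN, ct.length);
        return out;
    }

    // Decrypt and verify; any change to header, ciphertext or tag raises AEADBadTagException.
    static byte[] open(char[] password, byte[] blob) throws GeneralSecurityException {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] nonce = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + NONCE_LEN);
        byte[] ct = Arrays.copyOfRange(blob, SALT_LEN + NONCE_LEN, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(salt);
        c.updateAAD(nonce);
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray();             // constructed sample password
        byte[] export = "site=example.org,user=alice,password=hunter2"        // constructed sample row
                .getBytes(StandardCharsets.UTF_8);
        byte[] blob = seal(pw, export);
        System.out.println("round trip ok: " + Arrays.equals(export, open(pw, blob)));

        blob[blob.length - 1] ^= 0x01;   // corrupt one byte of the authentication tag
        try {
            open(pw, blob);
            System.out.println("tampering NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected, export rejected");
        }
        Arrays.fill(pw, '\0');           // scrub the password from memory when done
    }
}
```

With this layout the import path no longer needs to decrypt the password column before export or re-encrypt it afterwards: the file is opaque until open() succeeds under the right password, and the per-row encryption used inside the live database can stay untouched. A wrong password produces the same AEADBadTagException as tampering, which is the correct outcome, since the caller cannot tell the two apart without the key anyway.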

How to build newpass apks?

Since I’m new to creating APKs, I apologize if I’m annoying you, but could you please give me more comprehensive guidance on how to construct APKs, as I’m just starting out?

SOME EXTEND

Is your feature request related to a problem? Please describe.
1/2

1- allowing more than 30 characters / no limit or 900 for the password, what's the problem? Decryption techniques have evolved, and this application may need the password of a compressed file, for example

2- Allow choosing the languages in which I can write the password; for example, I want the password to contain Chinese, English, Hindi and Arabic characters, numbers as well, and some strange characters that make it impossible

3- Add a special keyboard to the application. I, and some geeks, may not trust the default keyboard for our devices.

4- Add a password to encrypt passwords when I export them (I don't know if this feature actually exists)

5- I hope that the application files will be encrypted inside the root with an encryption password as well, so that the application files will not be read if something goes wrong (idk how or if anybody can do)

6- The creation of the new password depends on the original password, in one way or another. I do not know if this is possible, but I fear that the password will be repeated by chance among some people.

• I'm not dreaming, but this app is amazing with the features mentioned above, I would like to thank the developers for these great efforts

Permission question

May I ask what android.permission.READ_EXTERNAL_STORAGE (and WRITE) are needed for? With Android 7 being the minimal supported Android version, wouldn't SAF (Storage Access Framework) be more fitting to access the database file(s)?

KeePass DB compatible?

As the title suggests, do you have any plan to add a function to import a KeePass database, or even use it as a backend?

Missing security contact

Hi!

As a password manager, I think it is essential to have a private contact method for security issues so fixes can be prepared before people's data is put at risk.

The repository says it is not yet to be trusted. Those who read the readme would know, but if someone gets this software recommended and went straight to the releases page, or downloaded it directly from f-droid or some other method, they couldn't know that it's not yet considered ready for use. (And with how much engagement this repository already has, I doubt there isn't anybody already actually using it despite the warnings.)

Some common options for vulnerability reporting are

  • publishing a PGP or other type of public key on the website to be used for email,
  • a form on your site, or
  • nowadays GitHub also supports enabling private issue reporting though this requires people to make a GitHub account (this was impossible for a while because the captcha system was broken, besides that the signup page is nearly unusable on cpu graphics as our employer requires, and probably in the future it will necessitate a Microsoft account since they bought GitHub) so I'm not sure I'd recommend that hurdle as the only method when there also exists universally accessible things like encrypted email, but this repository setting has the advantage that it's 5 seconds to turn on

To publish the information on how to report vulnerabilities,

  • I personally (as security consultant, but I'm old so take my ideas of what's current with a grain of salt) first look in the readme and also on the website for a phrase like "report a [security issue|vulnerability]", or a "security" entry in the website menu or footer, so I'd put (links to) the info in both of those places, but
  • the most standardized method is now technically <domain>/security.txt, though afaik this is not yet widespread (chicken-and-egg problem -- you could be an early adopter here and help the standard!). The .nl registry actually gives you a discount (info in Dutch unfortunately) on your domain name if the domain has a security.txt to stimulate adoption of the standard. Not that you use .nl but I thought that's an interesting fun fact :)
  • It could also be included in the repository under /security.md
  • Or all of the above :D

Edit: So... GitHub reports I have done a thing which I'm rather certain I haven't done

screenshot of message "chrissawyerfan4 added the bug label just now"

I can't even access that field to change it, so I doubt I could have set it if I had tried... this wasn't me assigning an incorrect label, don't listen to its lies xD

Add an optional place holder in the add/update menu

Include an optional placeholder for additional inputs such as a PIN, a passphrase, or a security answer. Ideally, this placeholder should remain hidden until it's needed. Use an ImageButton to reveal these fields when required.
