Issue #22: Clear password after login button got pressed #23
I believe that if an attacker is able to read a user's program's memory, it's a security misconfiguration issue and not directly related to the security of Passy. Passy does not provide any interface for inter-process communication, therefore making it insusceptible to this kind of attack. If an attacker has admin access to a machine, it should be clear that all passwords currently loaded in Passy will be exposed to the attacker once the user opens the program, just like it is with any other program or password manager. Currently Passy is using a custom CSV format which is then encrypted to store data, with all data being loaded at all times after the user logs in. Separate password entries are stored on separate lines, even after encryption. As a possible improvement, passwords could have only their nickname, username and tags (and possibly email) loaded at all times, with the rest of the data loaded on demand, so that only one password is exposed at a time. The concrete implementation I have in mind is storing password metadata in a file (namely Same idea can be applied to the rest of the data (notes, cards, IDs, identities). |
As for the screen caching, I don't think there is any; however, I can't confirm, since I don't know the inner workings of the Flutter engine. I would consider it safe to assume that there isn't any, since:
|
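The on-demand loading idea from the comment above, as an added example that is not Passy's code or file format (written in Python rather than the project's Dart). The `Vault` class, the `nonce:ciphertext` line layout, the offset index and the stand-in cipher are all assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from contextlib import contextmanager

def _stand_in_cipher(key: bytes, nonce: bytes, data: bytes) -> bytearray:
    # STAND-IN (SHA-256 keystream XOR) so the example runs on the standard library.
    # Not Passy's encryption and not for real use; substitute an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return out

class Vault:
    """Hypothetical layout: one 'nonce:ciphertext' hex line per secret on disk."""
    def __init__(self, path: str, key: bytes):
        self.path, self.key = path, key
        self.index = {}  # nickname -> (username, tags, byte offset); always loaded

    def add(self, nickname, username, tags, secret: bytes) -> None:
        nonce = os.urandom(12)
        ct = _stand_in_cipher(self.key, nonce, secret)
        with open(self.path, "ab") as f:
            f.seek(0, os.SEEK_END)
            offset = f.tell()  # where this entry's line starts
            f.write(f"{nonce.hex()}:{ct.hex()}\n".encode())
        self.index[nickname] = (username, tags, offset)

    @contextmanager
    def secret(self, nickname):
        """Decrypt exactly one entry, then zero the buffer when the caller is done."""
        offset = self.index[nickname][2]
        with open(self.path, "rb") as f:
            f.seek(offset)  # random access: no other line is read or decrypted
            nonce_hex, ct_hex = f.readline().strip().decode().split(":")
        buf = _stand_in_cipher(self.key, bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex))
        try:
            yield buf
        finally:
            buf[:] = bytes(len(buf))  # overwrite the plaintext in place

def demo():
    with tempfile.TemporaryDirectory() as d:
        v = Vault(os.path.join(d, "secrets.enc"), os.urandom(32))
        v.add("mail", "alice", ["work"], b"constructed-pass-1")  # constructed samples
        v.add("bank", "alice", ["finance"], b"constructed-pass-2")
        with v.secret("bank") as buf:
            seen, held = bytes(buf), buf  # copy made only so the result can be checked
        return seen, bytes(held), sorted(v.index)
```

Zeroing the `bytearray` only clears that one buffer; a managed runtime may still hold other copies, so this narrows the exposure window rather than eliminating it.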
Hi @GleammerRay, regarding caching: I just remembered the plain old Android activity, which can be kept in memory until it is used again. Not sure how Flutter is translated into the Android world though. Thanks |
No problem. I'm pretty sure Flutter only uses one activity for an app. In my case it's two because I also have an autofill activity. I think that Flutter uses its own screen management instead of relying on Android's implementation. |
Continuing the conversation regarding random data access at #25 |
No description provided.