Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue #22: Clear password after login button got pressed #23

Merged
merged 2 commits into from
Jan 14, 2023
Merged

Issue #22: Clear password after login button got pressed #23

merged 2 commits into from
Jan 14, 2023

Conversation

philipp-reinhardt
Copy link
Contributor

No description provided.

@GleammerRay GleammerRay mentioned this pull request Dec 3, 2022
Closed
@GleammerRay
Copy link
Collaborator

GleammerRay commented Dec 3, 2022
edited
Loading

entered passwords stay in memory and could be read out by an attacker

I believe that if an attacker is able to read user's program's memory, it's a security misconfiguration issue and not directly related to the security of Passy. Passy does not provide any interface for inter-process communication, therefore making it insusceptible to this kind of attacks. If an attacker has admin access to a machine it should be clear that all passwords currently loaded in Passy will be exposed to the attacker once the user opens the program, just like it is with any other program or password manager.

Currently Passy is using a custom CSV format which is then encrypted to store data, with all data being loaded at all times after user logs in. Separate password entries are stored at separate lines, even after encryption.

As a possible improvement, passwords could have only their nickname, username and tags (and possibly email) loaded at all times, with the rest of the data loaded on demand, so that only one password is exposed at a time.

The concrete implementation I have in mind is storing passwords metadata in a file (namely passwords_meta.enc). Because there is one password per line in passwords.enc, it is possible to store their line index in that metadata file, so that they can be loaded on demand from that file.

Same idea can be applied to the rest of the data (notes, cards, IDs, identities).

@GleammerRay
Copy link
Collaborator

GleammerRay commented Dec 3, 2022
edited
Loading

As for the screen caching, I don't think there is any, however can't confirm since I don't know the inner workings of the Flutter engine. I would consider it safe to assume that there isn't any, since:

  1. Flutter engineers have been trying to make Flutter as universal as possible, for all kinds of applications, secure or not.
  2. Making variable value caches does not make sense in the context of Flutter's state engine, the whole point of it was to separate UI from logic, making such variable caches useless for performance.

@philipp-reinhardt
Copy link
Contributor Author

Hi @GleammerRay ,
thanks for your detailed response.
I was just thinking to reduce the attack vector by having as little as possible data unencrypted in the memory at a time. I like the idea to have such data in memory only on demand 👍

Regarding caching: I just remembered plain old android activity which can be kept in memory until it is used again. Not sure how flutter is translated into the android world though.

Thanks

@GleammerRay
Copy link
Collaborator

No problem.

I'm pretty sure Flutter only uses one activity for an app. In my case its two because I also have an autofill activity. I think that flutter uses its own screen management instead of relying on Android's implementation.

@GleammerRay GleammerRay changed the base branch from main to dev January 14, 2023 15:23
@GleammerRay GleammerRay merged commit 4e1d278 into GlitterWare:dev Jan 14, 2023
@GleammerRay
Copy link
Collaborator

entered passwords stay in memory and could be read out by an attacker

I believe that if an attacker is able to read user's program's memory, it's a security misconfiguration issue and not directly related to the security of Passy. Passy does not provide any interface for inter-process communication, therefore making it insusceptible to this kind of attacks. If an attacker has admin access to a machine it should be clear that all passwords currently loaded in Passy will be exposed to the attacker once the user opens the program, just like it is with any other program or password manager.

Currently Passy is using a custom CSV format which is then encrypted to store data, with all data being loaded at all times after user logs in. Separate password entries are stored at separate lines, even after encryption.

As a possible improvement, passwords could have only their nickname, username and tags (and possibly email) loaded at all times, with the rest of the data loaded on demand, so that only one password is exposed at a time.

The concrete implementation I have in mind is storing passwords metadata in a file (namely passwords_meta.enc). Because there is one password per line in passwords.enc, it is possible to store their line index in that metadata file, so that they can be loaded on demand from that file.

Same idea can be applied to the rest of the data (notes, cards, IDs, identities).

Continuing the conversation regarding random data access at #25

@GlitterWare GlitterWare locked as resolved and limited conversation to collaborators Jan 14, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@philipp-reinhardt @GleammerRay