
[BUG] app has stopped syncing with remote sftp file

Open timboxyz opened this issue 1 year ago • 4 comments

IMG_20230930_120324350

Checks

  • [X] I have read the FAQ section, searched the open issues, and still think this is a new bug.

Describe the bug you encountered:

I have used the app on my Samsung Tab 2 for several years. However, recently I have noticed it has stopped syncing with the remote master copy via sftp but instead pops up a java error, see attached screenshot.

Describe what you expected to happen:

I expect it to sync as it has done in the past

What version of Keepass2Android are you using?

1.09e-r7

Which version of Android are you on?

7.0

timboxyz avatar Sep 30 '23 11:09 timboxyz

Also happens here, when trying to connect to my Box account via https WebDAV. Has worked for years until a couple of weeks ago. I am on Android 10.

splisp avatar Oct 07 '23 18:10 splisp

The SFTP issue is a duplicate of #2366

@splisp Are you getting the exact same error when using WebDAV (NoSuchAlgorithmException: EC AlgorithmParameters not available) ?

hyproman avatar Oct 09 '23 22:10 hyproman

@hyproman actually no, I get a more generic "An error occurred: Connection closed by peer". I didn't notice the different message reported for this bug, sorry.

I have enabled the log message in the app and I notice that there is my password for box in it. It's sent unencrypted as part of the URL:

https://:@dav.box.com/dav///.kbdx

Isn't it a security flaw??? I have moved my db to Google Drive because of the connection issue, but I think I won't switch back to webdav!

splisp avatar Oct 10 '23 09:10 splisp

@splisp No problem. For clarity it might make sense to open a new ticket specifically for your WebDAV issue (I don't have any ideas on how to fix that issue presently; more logging/info would be needed to proceed).

Regarding the security concern, while the logs do contain the username and password in plaintext, they are sent over the wire to the WebDAV server via HTTPS (either BASIC or DIGEST authentication is supported), which is encrypted as long as you're using https when setting up the database connection in KP2A.

I personally agree that it's probably not the best to even log the credentials, especially considering how easy it is to send that log via email through the app. That logging logic has been around since before my time using this app. It would be possible to scrub this data from the logging, but would take a fair bit of work (to do properly so that things don't accidentally leak out in the future, anyway). All that said...I am far from the author/owner; these are just my opinions on it.

hyproman avatar Oct 10 '23 23:10 hyproman
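The scrubbing hyproman describes (removing the `user:password@` part of a URL before it is written to a log that can later be e-mailed) is a small, testable transformation. The block below is an added illustration of that technique in Python; it is not Keepass2Android code (the app itself is written in C#), and the hostnames, paths and log lines in it are constructed for the example. It handles the two cases the thread mentions, WebDAV over HTTPS and SFTP, plus a percent-encoded password, and leaves URLs without credentials untouched.

```python
"""Redact user:password@ credentials from URLs before they reach a log line.

Added example (not Keepass2Android's own code). Hostnames and log lines are
constructed for illustration.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Per RFC 3986 the userinfo part of a URL cannot contain an unencoded
# '/', '?', '#', '@' or whitespace, so this is enough to find the span
# "scheme://userinfo@" inside free-form log text.
_URL_WITH_USERINFO = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)(?P<userinfo>[^/\s@?#]+)@"
)

REDACTED = "REDACTED"


def redact_url(url: str) -> str:
    """Return a single URL with its userinfo replaced by a fixed marker.

    Uses the URL parser rather than a regex so that query strings and
    fragments are preserved exactly. URLs without credentials are returned
    unchanged.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    # Userinfo cannot contain a raw '@', so everything after the last '@'
    # is host[:port]. Keeping it lets an operator still see which server
    # the app talked to.
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit(
        (parts.scheme, f"{REDACTED}@{host}", parts.path, parts.query, parts.fragment)
    )


def redact_log_line(line: str) -> str:
    """Scrub every credential-bearing URL embedded in an arbitrary log line."""
    return _URL_WITH_USERINFO.sub(rf"\g<scheme>{REDACTED}@", line)


def scrub_log(lines):
    """Apply redact_log_line to an iterable of log lines (e.g. before export)."""
    return [redact_log_line(line) for line in lines]


if __name__ == "__main__":
    # Constructed sample log, shaped like what a sync client might write.
    sample_log = [
        "2023-10-10 09:10 opening https://alice:s3cret%21@dav.example.com/dav/db.kdbx",
        "2023-10-10 09:10 opening sftp://bob:hunter2@sftp.example.net:2222/keepass/db.kdbx",
        "2023-10-10 09:11 connection closed by peer",
    ]
    for scrubbed in scrub_log(sample_log):
        print(scrubbed)
```

Scrubbing at the point where the line is written (rather than when the log is exported) is the safer design: a log that never contained the secret cannot leak it through a code path the scrubber was not wired into.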