keepass2android
Protection against advanced clipboard managers
On my Android device, the stock clipboard manager holds the last 7 items in a buffer, which can be accessed through the keyboard. When KP2A automatically clears the clipboard after copying a password, it does so by copying *** to the clipboard. Unfortunately, it does so only once, so *** is added to the bottom of the clipboard stack, and the recent password clipping just rolls up the stack. This is insecure.
It's nice that KP2A warns that clipboard clearing doesn't always work, but here's a better idea:
KP2A should copy *** to the clipboard not just once when it wants to clear the clipboard, but 10 (or 100) times. That way, the recent password will roll beyond the buffer of most clipboard managers and be lost. If there is no advanced clipboard manager on the device, then no harm will be done from copying *** multiple times, and I assume copying 100 times could happen very quickly. There can even be an advanced setting in KP2A for how many times to copy over the clipboard.
+1 for this request
Any word from the developer on this? It seems like a big problem that can be fixed very easily.
Still nothing about this, really?
While I agree with the request, the entitlement complex you're presenting is pretty absurd. You're free to make a program that does this if you can't wait.
(I've blocked @remanifest. Hopefully someone else will make a meaningful contribution to this discussion.)
I do not recommend copying any really sensitive information to the clipboard. While it might not be accessible through the clipboard manager, any app on your phone can store (or transmit) any clipboard contents before we try to remove it from the clipboard. That said, I see this as a valid feature request, but there are hundreds of other requests as well; that's why I haven't scheduled it for any concrete milestone yet.
Why do you use the clipboard when there is a great built-in keyboard in keepass2android?
One of the main advantages of keepass2android (apart from many others, like using the main KeePass core for file editing, etc.) is that it has a keyboard, so you can use it for passwords and... without using the clipboard.
And in newer Android versions you can even use the system's autofill API.
Or you can install the accessibility plugin.
All these options are far more secure than using the clipboard.
Even if keepass2android rewrites the clipboard 1000 times before clearing it, if malware saved it, it won't be cleared. Also, there are many advanced clipboard managers like clipper and clipstack in the Play Store that, if you choose to install them (they are really useful), can save your clipboard data indefinitely.
So malware will certainly have this feature, and this only adds a false sense of security in my opinion.
Regards.
> Why do you use the clipboard when there is a great built-in keyboard in keepass2android? One of the main advantages of keepass2android (apart from many others, like using the main KeePass core for file editing, etc.) is that it has a keyboard, so you can use it for passwords and... without using the clipboard. Or you can install the accessibility plugin.
Chromebook, for one, still doesn't allow 3rd party keyboards.
Accessibility plugins are no longer allowed by the Play Store, so installing the KP2A plugin requires sideloading the apk file.
Again, on Chromebook, Accessibility plugins are not an option.
> All these options are far more secure than using the clipboard.
Agreed, but even some insecure options should be up to date with how clipboard managers operate.
> Even if keepass2android rewrites the clipboard 1000 times before clearing it, if malware saved it, it won't be cleared. Also, there are many advanced clipboard managers like clipper and clipstack in the Play Store that, if you choose to install them (they are really useful), can save your clipboard data indefinitely. So malware will certainly have this feature, and this only adds a false sense of security in my opinion.

Malware is but one threat vector. It is very common for families to hand a phone, tablet or Chromebook to someone else to quickly look at something. If there is a clipboard manager with history, an accidental or quick keypress combo reveals passwords.
Seems like iterating through a few extra clipboard clear operations is an easy fix for a simple problem.
Upvote. The entries in the Chromebook clipboard survive even a reboot... I think it is security-relevant. And it could not be that time-consuming to write one more line of code.
```
for (int i = 1; i < 6; i++) {
    // ... my current code that pastes 3 asterisks but only 1 time ...
}
```
P.S. Until then, one can clear the clipboard manually: just press search-v and then delete each entry.
There is still no way of protecting against misuse of the clipboard in Android. Don't use it for sensitive information, that's the only advice I can repeat and repeat.
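
The trade-off argued in this thread, as an added example that is not part of any comment above and is not KP2A code: a toy Python model of a clipboard manager with history, showing when repeated `***` overwrites push a password out of the buffer and when they do not. The 7-slot size comes from the first post; the class and function names are hypothetical, and the de-duplicating manager and the listening app are modelling assumptions, not observed behaviour of any specific product.

```python
from collections import deque

class HistoryClipboard:
    """Toy model of a clipboard manager that keeps the last `size` clips."""
    def __init__(self, size=7, dedupe=False):
        self.history = deque(maxlen=size)   # oldest entry falls off when full
        self.dedupe = dedupe                # assumption: manager collapses repeated clips
        self.observers = []                 # logs kept by apps watching the clipboard

    def copy(self, text):
        for log in self.observers:          # a listener sees every clip immediately
            log.append(text)
        if self.dedupe and text in self.history:
            self.history.remove(text)       # existing entry just moves to the top
        self.history.append(text)

def clear_by_overwrite(clip, times, filler="***"):
    """The clearing strategy proposed in the thread: copy the filler `times` times."""
    for _ in range(times):
        clip.copy(filler)

def password_recoverable(size, overwrites, dedupe=False, secret="constructed-sample-pw"):
    """Return (secret still in manager history?, secret captured by a listener?)."""
    clip = HistoryClipboard(size, dedupe)
    captured = []                           # stands in for any app that stores clips
    clip.observers.append(captured)
    clip.copy(secret)
    clear_by_overwrite(clip, overwrites)
    return secret in clip.history, secret in captured

if __name__ == "__main__":
    cases = [
        ("1 overwrite, 7-slot history", (7, 1)),
        ("7 overwrites, 7-slot history", (7, 7)),
        ("100 overwrites, de-duplicating history", (7, 100, True)),
    ]
    for label, args in cases:
        in_history, captured = password_recoverable(*args)
        print(f"{label}: in history={in_history}, captured by listener={captured}")
```

In this model the overwrite count must be at least the history size, identical fillers do nothing against a manager that collapses duplicates, and no count affects a copy already taken by a listener.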