Save login data

Open fungs opened this issue 6 years ago • 21 comments

Please consider adding a basic wallet to save credentials for logins. Can be protected by a master password or fingerprint.

Great app so far!

fungs avatar Apr 09 '18 22:04 fungs

I would like to understand this request better. Why do you want to save credentials? Once you're logged in, you generally stay logged in, so you usually only need to enter credentials once.

tobykurien avatar Apr 10 '18 05:04 tobykurien

I mean for online services like an email interface that you want in a sandboxed environment. Modern browsers have wallets for such. Putting an icon on the launcher and requiring to scan your finger is convenient and secure, I would say. Some online services might be able to logon via cookie, others don't.

fungs avatar Apr 10 '18 06:04 fungs

@tobykurien there are services with short-lived sessions, where you need to log in every time you want to use them. For example, bank accounts.

sm4rk0 avatar Apr 10 '18 07:04 sm4rk0

I've thought about doing a fork of this app with an integrated password manager - like a combination of this and KeePassDroid. It would look like this app with an option to load a KeePass database, which would populate the list of web apps. Then you'd be able to use the credentials from KeePass to login to the web apps. It could also be a way of loading/unloading different sets of WebApps by loading/unloading different databases. There'd be some details to work out though.

I'd probably recommend very specific features like this NOT be implemented into this app to keep it simple though. (Unless the author wants to, but I like the current approach of focusing on certain sandboxing/security features without trying to do everything)

troopermax avatar Apr 14 '18 21:04 troopermax

Thanks for the comments. I personally don't use KeePass, I use a password hasher like this:

https://milliways.cryptomilk.org/passhash.html

I believe this to be best practise because your passwords are never stored or sync'd anywhere, making everything simpler and yet more secure at the same time. I would be happy to add this to WebApps, however users would need to change their passwords if they aren't already using this method. I don't want to be storing passwords in the app - I am not a cryptographic expert and can't guarantee safety of stored passwords.

tobykurien avatar Apr 15 '18 05:04 tobykurien

I'd support any method that supports saving credentials easily. Hashing also needs a master password as salt, so it's basically the same if you save that or the original password. Doesn't Android come with some kind of encrypted data storage which could be unlocked using password/fingerprint?

fungs avatar Apr 15 '18 11:04 fungs

Yeah, I've actually been using something similar for generating passwords on the fly without ever storing anything, but have been rethinking it lately - if a website asks you to change your password, you have to do something like change your master password (and then it's a chore to keep all your passwords in sync with each other) or add/increment a number on it before hashing - essentially a salt - and then you have to remember all these salts for different sites. Storing those might still be better than storing credentials though.

Anyway, as there's so many different ways to manage credentials, it's probably better left for other apps to handle - newer versions of Android have an Autofill API. I'm a little wary of that though because you have to be sure apps can't trick it into autofilling to grab your credentials or any other personal information it can fill in - and that it doesn't fill in/share more information than you intended. I'm sure Google had this kinda stuff in mind though, but I haven't read into how it works yet.

The idea of extending this app with KeePass integration just struck me as neat because it could be a way of storing both the credentials and the list of sites, but I wouldn't recommend it for the mainline.

Up to the author if a button or something to fill in a generated password should be added, just wanted to say I do like the things the app is focused on and probably wouldn't want to see it bloated with any specific credential storage scheme.

troopermax avatar Apr 15 '18 19:04 troopermax

Let me speak from my heart )) As many sites kick you out quite frequently, I think that at least the userid should be made easily reachable. I see two options:

  1. trace login pages, remember userids. Just like most browsers do
  2. have a list of userids in app and insert em through the menu.

I'd surely prefer seeing https://github.com/tobykurien/WebApps/issues/102 implemented but both features can (and probably should) coexist. Just my IMHO.

ildar avatar May 04 '18 04:05 ildar

An API or companion app with corresponding functionality would certainly be best so that as few things as possible have to be implemented within the webapps app. See Android keystore, autofill and fingerprint APIs. Ideally, if someone could find a library which would wrap these to implement a simple private credential store...

fungs avatar May 04 '18 09:05 fungs

Though really an app's data should be protected by the Android sandboxing/security model, except for /sdcard for data that can be shared with other apps. It only really becomes a problem if an attack manages an exploit that breaks the security model and allows it to read the data of other apps - or of course if the user roots their phone and breaks the security model themselves.

troopermax avatar May 04 '18 20:05 troopermax

Android 8 autofill solves this problem by allowing apps like KeePass to autofill forms and passwords on longpress. I tested this with the TinyKeePass app and it seems to work as an autofill service.

On May 4, 2018 10:39:07 PM GMT+02:00, troopermax wrote:

> Though really an app's data should be protected by the Android sandboxing/security model, except for /sdcard for data that can be shared with other apps. It only really becomes a problem if an attack manages an exploit that breaks the security model and allows it to read the data of other apps - or of course if the user roots their phone and breaks the security model themselves.

-- @tobykurien | https://tobykurien.com

tobykurien avatar May 06 '18 16:05 tobykurien

> Yeah, I've actually been using something similar for generating passwords on the fly without ever storing anything, but have been rethinking it lately - if a website asks you to change your password, you have to do something like change your master password (and then it's a chore to keep all your passwords in sync with each other) or add/increment a number on it before hashing - essentially a salt - and then you have to remember all these salts for different sites. Storing those might still be better than storing credentials though.

Just in case you are interested, there is an open source app that does exactly that for you: you can add the salts and settings for each account you want to generate passwords for. And it lets you increase the version number for a password change if needed while showing you the old and new password once to change it on your account.

https://f-droid.org/packages/org.secuso.privacyfriendlypasswordgenerator/

langfingaz avatar Dec 01 '18 20:12 langfingaz
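
The scheme discussed in the comments above (a password derived per site from one master secret, with a version number that is bumped when a site forces a change), as an added Python sketch. It is not part of the thread and does not reproduce the algorithm of the linked passhash page or of the F-Droid app; the PBKDF2 parameters, alphabet, profile layout and function names are assumptions.

```python
import hashlib
import hmac
import string

# Assumed parameters for this sketch; not taken from any real tool.
ITERATIONS = 200_000
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
LIMIT = 256 - (256 % len(ALPHABET))  # bytes >= LIMIT are rejected (no modulo bias)

# Constructed sample: the only data persisted is non-secret per-site metadata.
PROFILES = {
    "forum.example": {"counter": 1, "length": 16},
    "mail.example": {"counter": 3, "length": 20},
}

def derive_password(master: str, site: str, counter: int = 1, length: int = 16) -> str:
    """Derive a site password from the master secret; no password is ever stored."""
    if not master:
        raise ValueError("master password must not be empty")
    if counter < 1 or not 8 <= length <= 32:
        raise ValueError("counter must be >= 1 and length within 8..32")
    # Per-site salt: normalised site name plus the rotation counter.
    salt = f"{site.strip().lower()}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)
    out, block = [], 0
    while len(out) < length:
        # Expand the stretched key into as many bytes as needed.
        stream = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(ALPHABET[b % len(ALPHABET)] for b in stream if b < LIMIT)
        block += 1
    return "".join(out[:length])

def rotate(master: str, profiles: dict, site: str) -> tuple:
    """Bump the stored counter after a forced change; return (old, new) passwords."""
    profile = profiles[site]
    old = derive_password(master, site, profile["counter"], profile["length"])
    profile["counter"] += 1
    new = derive_password(master, site, profile["counter"], profile["length"])
    return old, new

if __name__ == "__main__":
    old_pw, new_pw = rotate("constructed master phrase", PROFILES, "forum.example")
    print("old:", old_pw, "new:", new_pw, "counter now:", PROFILES["forum.example"]["counter"])
```

Only the per-site counter and length are persisted, so the stored profile list shows which sites are in use but contains no password material.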

This is needed so when you have all of these forum webapps you do not need to log into your accounts all the time.

trymeouteh avatar Mar 09 '19 06:03 trymeouteh

Please do allow the ability to have multiple webapps of the same website to allow us to manage multiple accounts on that website (such as multiple email accounts from one email provider).

trymeouteh avatar Apr 09 '19 05:04 trymeouteh

Multiple instances are already supported: simply type the url in again, check the box to force a new sandbox, then save that as a new instance.

tobykurien avatar Apr 14 '19 04:04 tobykurien

This is a feature I was missing too and a no-brainer. Have it be an optional setting one can turn on. Ask if they want to save their credentials and store it in the Android keystore. Super simple and good if sites ever kick you out. The app is supposed to support back to Kitkat it looks like (or Jellybean, whatever). I'm not using 8 either so autofill isn't an option and this would add to the app while being simple enough. Keepass integration would be cool, but out of scope I would agree even though I use keepass.

hockeymikey avatar May 01 '19 21:05 hockeymikey

I suppose this is the thread to comment in. Having an issue with GitHub now. As of late it doesn't keep the login which is not a problem. I'll use KeePass to login but after entering my 2FA code I get a blank page telling me cookies are required. But even before that I would seemingly log in okay but wind up at the main page, not logged in. Not sure what's going on but it happens across all of my ROMs.

Currently on WebApps 3.20.

marcdw1289 avatar May 06 '20 06:05 marcdw1289

Well, for me, AutoFill does not work within WebApps… nothing shows up to unlock my password database. How'd you get it to work? Any specific settings required?

> Android 8 autofill solves this problem by allowing apps like KeePass to autofill forms and passwords on longpress. I tested this with the TinyKeePass app and it seems to work as an autofill service.
>
> On May 4, 2018 10:39:07 PM GMT+02:00, troopermax wrote:
>
> > Though really an app's data should be protected by the Android sandboxing/security model, except for /sdcard for data that can be shared with other apps. It only really becomes a problem if an attack manages an exploit that breaks the security model and allows it to read the data of other apps - or of course if the user roots their phone and breaks the security model themselves.
>
> -- @tobykurien | https://tobykurien.com

JesusMcCloud avatar Feb 17 '21 08:02 JesusMcCloud

For me right now on XenonHD Oreo, autofill with Keepass2Android and WebApps is working. In most cases a simple tap in a field brought up the kp2a dialogs/popups automatically. In a couple of cases I had to longpress first to invoke autofill.

No specific settings other than battery optimization off. Same on Pie.

marcdw1289 avatar Feb 17 '21 10:02 marcdw1289

I would like to create a web app for my coingecko account but every time I launch the web app or even go to the tab that has coingecko logged in in my browser, it will log me out and ask me to log in. In my browser I saved the email and password so I can easily login again. Please consider doing the same for webapps and have a way to manage passwords for each web app.

trymeouteh avatar Mar 12 '21 16:03 trymeouteh

Yes, autofill deprecates this FR on Android 8+ @marcdw1289, I don't even need to turn off battery optimization with Firefox Lockwise.

sm4rk0 avatar Apr 01 '21 19:04 sm4rk0