Kin69 / EasyNotes

EasyNotes: Jetpack Compose MVVM for seamless note-taking. Effortless creation, editing, and organization.
GNU General Public License v3.0

[feature request] encrypted notes vault #15

Closed 4rtemis-4rrow closed 2 months ago

4rtemis-4rrow commented 4 months ago

Title says it all. If I knew Kotlin I'd have implemented this myself: just an encrypted, password-protected notes vault.

Kin69 commented 2 months ago

Hey @4rtemis-4rrow, when opening the vault, would you prefer to enter a password each time or have it securely stored (encrypted) in the app? Additionally, should we include biometric authentication for opening?

serrq commented 2 months ago

Stored in keychain plus 6 digits numpad unlock (optional).

4rtemis-4rrow commented 2 months ago

For me personally, I'd prefer to enter the password every time, but that's just me. After all, I do value privacy and security more than user-friendliness.

serrq commented 2 months ago

The vault remains encrypted at rest. The numpad just unlocks the app, not the vault.

Okay, this is a vulnerability, but my main need is defending the vault (at rest) when it is stored on a USB key.

In addition, the numpad can be trained to detect multiple attempts and to respond with defensive actions if under attack. For example, after three wrong attempts it may require the master password.

Kin69 commented 2 months ago

I've implemented a secure password mechanism using a vault button that prompts for a password. For enhanced security, I've utilized EncryptedSharedPreferences provided by Android. When you first enter a password, it's securely stored. Subsequently, the application uses this password to decrypt notes stored in a vault. Each time you access the vault, you must enter the password again.

Even if someone were to gain unauthorized access to the device and database, they would only see encrypted names and descriptions of the notes within the vault. The stored password in preferences is also encrypted, ensuring it remains inaccessible.

Additionally, due to vulnerabilities associated with brute force attacks, I have decided against implementing a numpad for entry.
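The kind of vault encryption described in the comment above, as an added example that is not part of the thread or of EasyNotes' code: it assumes AES-GCM with a key derived from the entered password by PBKDF2, and `VaultCrypto`, the blob layout and the iteration count are hypothetical. A wrong password is detected by the GCM tag check failing, and the PBKDF2 work factor makes each guess expensive.

```kotlin
import java.security.SecureRandom
import javax.crypto.AEADBadTagException
import javax.crypto.Cipher
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.SecretKeySpec

// Hypothetical helper, not EasyNotes code. Blob layout: salt(16) | iv(12) | ciphertext+tag(16).
object VaultCrypto {
    private const val SALT_LEN = 16
    private const val IV_LEN = 12
    private const val ITERATIONS = 310_000 // assumed work factor; tune for the target device
    private val rng = SecureRandom()

    // PBKDF2WithHmacSHA256 needs Java 8+ / Android API 26+.
    private fun deriveKey(password: CharArray, salt: ByteArray): SecretKeySpec {
        val spec = PBEKeySpec(password, salt, ITERATIONS, 256)
        val raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).encoded
        spec.clearPassword() // wipe the spec's internal copy of the password
        return SecretKeySpec(raw, "AES")
    }

    fun encrypt(password: CharArray, plaintext: String): ByteArray {
        val salt = ByteArray(SALT_LEN).also(rng::nextBytes)
        val iv = ByteArray(IV_LEN).also(rng::nextBytes) // fresh IV for every encryption
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), GCMParameterSpec(128, iv))
        return salt + iv + cipher.doFinal(plaintext.toByteArray(Charsets.UTF_8))
    }

    // Returns null when the password is wrong or the blob was modified.
    fun decrypt(password: CharArray, blob: ByteArray): String? {
        if (blob.size < SALT_LEN + IV_LEN + 16) return null // too short to hold a tag
        val salt = blob.copyOfRange(0, SALT_LEN)
        val iv = blob.copyOfRange(SALT_LEN, SALT_LEN + IV_LEN)
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), GCMParameterSpec(128, iv))
        return try {
            String(cipher.doFinal(blob, SALT_LEN + IV_LEN, blob.size - SALT_LEN - IV_LEN), Charsets.UTF_8)
        } catch (e: AEADBadTagException) {
            null
        }
    }
}
fun main() {
    val blob = VaultCrypto.encrypt("correct horse".toCharArray(), "Bank PIN reminder") // constructed sample
    println(VaultCrypto.decrypt("correct horse".toCharArray(), blob))
    println(VaultCrypto.decrypt("wrong guess".toCharArray(), blob))
}
```

In an app, the key would normally be derived once per vault unlock and reused for all notes, since running PBKDF2 for every field is slow by design.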

serrq commented 2 months ago

Security-first approach. It is okay for me.

serrq commented 2 months ago

When will the newest APK be installable on my device? It crashes when I try to install a new version.

Kin69 commented 2 months ago

You'll need to wait until I release version 1.3 on F-Droid. If it doesn't update, I'll look into it.