Kunzisoft / KeePassDX

Lightweight vault and password manager for Android. KeePassDX allows editing encrypted data in a single file in KeePass format and filling in forms in a secure way.
https://www.keepassdx.com/
GNU General Public License v3.0

"Lock database at screen off" needs a note making users aware that the database is locked with a delay #1106

Closed kraoli closed 3 years ago

kraoli commented 3 years ago

As a new KeePassDX user (I directly bought Pro to support this great project), I usually test security-related applications in great detail.

Describe the bug: This is probably not a technical problem, rather something that creates the impression of a bug, so I'm not sure whether it's best to report it as a bug.

My first impression was that screen off does not lock the database reliably. But I found out that locking the database has a certain delay after screen off, which is very unexpected.

At first I thought this was a serious security bug, but I found this bug report (https://github.com/Kunzisoft/KeePassDX/issues/498), which says that the time is about 1.5 seconds after screen off before it locks. That fits roughly (personally I think it's rather 2 seconds, but it's still in this ballpark).

Can you confirm that this delay is expected, but that locking the database after screen off should work 100% reliably apart from the delay?

In case this delay is really expected, which is OK as long as it works 100% reliably, please make users aware of it with a short note in the setting description.

I seriously thought about uninstalling it again and was questioning the quality (which is crucial for security-related apps), before I found out that it seems to be expected. I want to prevent this from losing some DX users who are not aware of this expected delay. :-)

To Reproduce: Steps to reproduce the behavior:

  1. enable the "lock database at screen off" option (sorry, since I can't set the English version I'm not sure how to translate it better)
  2. lock your device by turning the screen off (usually the power button)
  3. quickly unlock again
  4. when you are really quick, < 2 sec, your database is still open

Expected behavior: Instant lock after screen off with this option enabled.

When technically not possible: I strongly suggest adding a note to the description of this setting to make users aware of this behavior. Otherwise one may think (I did) that they are experiencing a serious security issue, namely that locking at screen off does not work reliably.

Thanks

J-Jamet commented 3 years ago

This is expected behavior, it allows users who manually copy their password to be able to return to the screen they were looking at if they were quick enough to reactivate the screen on their device.

The setting description can be changed to be more precise, what do you propose?
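The maintainer describes the mechanism above as a short grace window after screen off rather than an immediate lock. The following is an added illustration of that pattern for Android, written for this page; it is not KeePassDX's own code, and the class name, the `lockDelayMs` value and the `lockDatabase` callback are assumptions chosen for the example. It uses the public Android APIs `Intent.ACTION_SCREEN_OFF`, `Intent.ACTION_SCREEN_ON`, `BroadcastReceiver` and `Handler.postDelayed`/`removeCallbacks`.

```kotlin
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.os.Handler
import android.os.Looper

// Hypothetical delayed screen-off lock (example code, not the project's implementation).
// When the screen turns off, a lock is scheduled after a grace period; if the screen
// comes back on before the timer fires, the lock is cancelled and the database stays
// open. This is the "quick unlock, database still open" behavior observed in the report.
class ScreenOffLockReceiver(
    private val lockDelayMs: Long,        // assumed grace period, e.g. 1500 ms
    private val lockDatabase: () -> Unit  // callback that closes the open database
) : BroadcastReceiver() {

    private val handler = Handler(Looper.getMainLooper())
    private val lockRunnable = Runnable { lockDatabase() }

    override fun onReceive(context: Context, intent: Intent) {
        when (intent.action) {
            Intent.ACTION_SCREEN_OFF -> {
                // Re-arm rather than stack timers if several SCREEN_OFF events arrive.
                handler.removeCallbacks(lockRunnable)
                handler.postDelayed(lockRunnable, lockDelayMs)
            }
            Intent.ACTION_SCREEN_ON -> {
                // Screen returned within the grace window: keep the database open.
                handler.removeCallbacks(lockRunnable)
            }
        }
    }

    // Lock immediately regardless of the timer (e.g. for a "lock now" action).
    fun lockNow() {
        handler.removeCallbacks(lockRunnable)
        lockDatabase()
    }

    companion object {
        // ACTION_SCREEN_OFF/ON are only delivered to receivers registered at runtime,
        // not to receivers declared in the manifest, so a running component must register.
        fun register(context: Context, receiver: ScreenOffLockReceiver) {
            val filter = IntentFilter().apply {
                addAction(Intent.ACTION_SCREEN_OFF)
                addAction(Intent.ACTION_SCREEN_ON)
            }
            context.registerReceiver(receiver, filter)
        }
    }
}
```

Two practical caveats follow from this pattern. First, the grace window is a deliberate trade-off: during those seconds the database is still unlocked in memory and on screen, so a device taken within that window shows live entries; a setting that shortens the delay to zero trades the copy-and-return convenience for a strictly smaller exposure window. Second, `ACTION_SCREEN_ON` fires when the display lights up, before the user has passed the lock screen, so cancelling on it (as the report's observation implies) is what makes a fast power-button double press leave the database open; cancelling on `ACTION_USER_PRESENT` instead would only keep it open once the device itself has been unlocked.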

J-Jamet commented 3 years ago

The description has been changed from "Lock the database when the screen is off" to "Lock the database after a few seconds once the screen is off".

kraoli commented 3 years ago

Thanks for the reply and good explanation. I understand the idea why it's like this now as well.

If I could choose, I would lock it at once, but at the same time I don't see it as a real problem when it's reliable, which it is: it's confirmed behavior and I never experienced that it doesn't lock after some seconds.

The updated description is perfect.