It seems that an open source implementation of iOS Keepass Mini has been compromised:
https://old.reddit.com/r/techsupport/comments/13nqarb/suspicious_ios_keepass_client/
I just wonder, and am open for discussion, whether there are any countermeasures which can be implemented for Keepass2Android in regards to this topic to harden Keepass2Android. Having in mind:
Credentials for the Play Store stolen and the APK modified.
Blocking keepass2android completely from the internet.
What happens if the author sells the rights to the program or dies (knock on wood).
Verification (signatures?) of APKs.
The whole topic just made me aware that I have to trust the authors of KeepassXC (desktop) and Keepass2Android (phone) to always be security focused and to have the best interest of their users in mind. I was not aware of this weakness of my password management system (trust in several entities for extracting/saving my passwords).
@PhilippC It would be great if you looked into SLSA for the generated app (fully generated in GitHub CI and doesn't require any code to be built on a local user's machine):
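Two of the countermeasures raised in this thread, verifying APK signatures before sideloading and SLSA provenance for a CI-built app, are easiest to judge with a concrete check. The script below is an added example, not code from the Keepass2Android project or from anyone posting here. It pins the expected signing-certificate SHA-256 fingerprint, reads the observed fingerprint back from `apksigner verify --print-certs` (Android SDK build-tools), and, where a release ships a SLSA provenance file, verifies it with `slsa-verifier`. The pinned fingerprint value, the provenance file name and the `--source-uri` repository path are assumptions or placeholders, not values published by the project.

```shell
#!/bin/sh
# Added example, not Keepass2Android project code.
# Verify a downloaded APK against a pinned signer fingerprint and, if
# available, SLSA provenance, before sideloading it.

# Placeholder: replace with the fingerprint you recorded from a build you
# trust (e.g. the one already installed on your device). Assumption, not
# the project's real value.
EXPECTED_SIGNER_SHA256="${EXPECTED_SIGNER_SHA256:-REPLACE_WITH_PINNED_FINGERPRINT}"

# Assumed repository path for slsa-verifier's --source-uri.
SOURCE_URI="github.com/PhilippC/keepass2android"

# extract_signer_sha256: reads `apksigner verify --print-certs` output on
# stdin and prints the SHA-256 fingerprint of signer #1 (first match only).
extract_signer_sha256() {
  sed -n 's/^Signer #1 certificate SHA-256 digest: //p' | head -n 1
}

# check_signer OBSERVED EXPECTED: 0 if they match and are non-empty, else 1.
# An empty observed value (apksigner printed nothing) must never pass.
check_signer() {
  observed="$1"
  expected="$2"
  [ -n "$observed" ] && [ "$observed" = "$expected" ]
}

# verify_apk APK: runs apksigner on a real file and compares the signer.
verify_apk() {
  apk="$1"
  out=$(apksigner verify --print-certs "$apk") || return 1
  observed=$(printf '%s\n' "$out" | extract_signer_sha256)
  check_signer "$observed" "$EXPECTED_SIGNER_SHA256"
}

# verify_provenance APK PROVENANCE: checks SLSA provenance with slsa-verifier.
# Only meaningful once the project publishes provenance from its CI build;
# the provenance file name passed in is an assumption.
verify_provenance() {
  apk="$1"
  provenance="$2"
  slsa-verifier verify-artifact "$apk" \
    --provenance-path "$provenance" \
    --source-uri "$SOURCE_URI"
}

# verify_release APK [PROVENANCE]: signer check, then provenance if given.
verify_release() {
  verify_apk "$1" || { echo "signer mismatch or apksigner failed" >&2; return 1; }
  if [ -n "$2" ]; then
    verify_provenance "$1" "$2" || { echo "provenance check failed" >&2; return 1; }
  fi
  echo "ok: $1"
}

# Usage: EXPECTED_SIGNER_SHA256=<hex> ./verify.sh app.apk [app.intoto.jsonl]
# Only runs when invoked directly with an argument.
if [ "$#" -ge 1 ]; then
  verify_release "$@"
fi
```

The signer pin is the check that catches the first scenario in the post: a modified APK re-signed by an attacker has a different certificate even if the package name and version look right. Android itself refuses to update an installed app whose signer changed, but that protection does not help with a fresh install, which is why the fingerprint has to come from a build you already trust.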