PhilippC / keepass2android

Password manager app for Android
https://play.google.com/store/apps/details?id=keepass2android.keepass2android
GNU General Public License v3.0

[QUESTION] Potential Security Risk with AutoOpen URLs Containing Cleartext Credentials? #2608

Open DennisK90 opened 6 months ago

DennisK90 commented 6 months ago

Version: 1.10-pre

I am using Keepass2Android and generally find it very useful. However, I have a concern regarding the AutoOpen feature. When I create a child database and link it via WebDAV, the AutoOpen entry in the parent database contains the URL to the child database with the username and password in cleartext.

Does the presence of cleartext credentials in the URL pose a security risk when Keepass2Android establishes the connection to the child database? Specifically, I am worried about potential vulnerabilities during the transmission or storage of these credentials.

Thanks for any Help!

mad-ady commented 2 months ago

I'm trying to use AutoOpen databases over WebDAV as well, with Keepass2Android, but I currently use a URL like http://192.168.1.10/keepass/family.kdbx (set from Windows KeePass) and when opening the master database I get a little toast: "An error occured: username and password cannot be null". I suspected it's the missing WebDAV credentials, but I couldn't find where to set them until your post gave me the idea to use http://user:password@192.168.1.10/keepass/family.kdbx as URL. Thanks, now they work!

Regarding security - if you use WebDAV over HTTP, over the internet then yes, your WebDAV credentials are sent in clear, but only if you can make a TCP connection to the server (authentication is sent after the TCP session is established). But someone could impersonate your server and get your credentials without you knowing.

The solution is either to use WebDAV over HTTPS which sends the credentials over an encrypted channel, or use some form of VPN between your phone and your webdav server (which encrypts all traffic).

mad-ady commented 2 months ago

In the meantime I've done some reading. I don't have to use a URL in the form http://user:password@192.168.1.10/keepass/family.kdbx, which is displayed in clear inside KeePass, I can supply the WebDAV credentials inside Advanced -> IocUserName and IocPassword.
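The two points raised above (credentials embedded as `user:password@` in an AutoOpen URL are visible in cleartext in the entry, and plain `http://` sends them unencrypted) can be checked mechanically. The following is an added example, not code from keepass2android or KeePass; it uses only the Python standard library, the `audit_autoopen_url` / `audit_entries` names are assumptions, and the sample entries are constructed to mirror the URLs discussed in this thread.

```python
from urllib.parse import urlsplit, urlunsplit, unquote


def audit_autoopen_url(url):
    """Inspect one AutoOpen URL.

    Returns (sanitized_url, username, password, findings):
    - sanitized_url: the URL with any user:password@ part removed, i.e. the
      form to keep in the entry when the credentials are moved to the
      separate username/password (IocUserName/IocPassword) fields
    - username / password: credentials found in the URL, or None
    - findings: list of risk descriptions (empty if nothing was flagged)
    """
    parts = urlsplit(url)
    findings = []

    username = unquote(parts.username) if parts.username else None
    password = unquote(parts.password) if parts.password else None
    if username or password:
        findings.append("credentials embedded in URL (stored in cleartext in the entry)")

    if parts.scheme.lower() == "http":
        findings.append("plain HTTP: WebDAV credentials would be sent unencrypted")

    # Rebuild the host part without the userinfo section.
    host = parts.hostname or ""
    if ":" in host:            # bare IPv6 literal must be re-bracketed
        host = f"[{host}]"
    if parts.port:
        host = f"{host}:{parts.port}"
    sanitized = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return sanitized, username, password, findings


def audit_entries(entries):
    """Map entry title -> findings for every AutoOpen entry (title -> URL)."""
    return {title: audit_autoopen_url(url)[3] for title, url in entries.items()}


# Constructed sample AutoOpen entries (not real databases or credentials).
SAMPLE_ENTRIES = {
    "family (http, creds in URL)": "http://user:password@192.168.1.10/keepass/family.kdbx",
    "family (https, creds separate)": "https://192.168.1.10/keepass/family.kdbx",
}

if __name__ == "__main__":
    for title, findings in audit_entries(SAMPLE_ENTRIES).items():
        print(title, "->", findings or ["ok"])
```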

DennisK90 commented 2 months ago

Thanks for sharing! But where can I find Advanced -> IocUserName and IocPassword in Keepass2Android?

mad-ady commented 2 months ago

I don't know - I haven't seen the fields in the Android app. But you can set them in the database using the Desktop Keepass2 client. You need to edit the specific entry for the child database.

PhilippC commented 2 months ago

If you select "Open database" - "HTTPS (WebDav)" you can see a form with the fields "URL", "Username" and "Password". Did you use that? If yes, where can you see cleartext credentials? (Ideally, please share a screenshot with the credentials blurred)

mad-ady commented 2 months ago

@PhilippC yes, when adding a new database I do get that dialog, and it works fine: https://imgur.com/a/3ER5obg

However, when using the AutoOpen feature, I don't get prompted for HTTP credentials, and it tries to use null instead for child databases.

Regarding seeing the password in the clear - you can see it in keepass if you use a child db url in the form of http://user:pass@server/db.kdbx.

Thanks