PhilippC / keepass2android

Password manager app for Android
https://play.google.com/store/apps/details?id=keepass2android.keepass2android
GNU General Public License v3.0

Keepass2Android considered risky according to Google's Security Checkup #850

Open brainplot opened 5 years ago

brainplot commented 5 years ago

I granted Keepass2Android the permission to access my Google Drive. Today I was checking my Security settings for my Google account and the Security Checkup showed Keepass2Android as a potentially risky application. According to the warning, "the developer's information hasn't been verified by Google" so I figured it's something that should be fixed on the developer's end but I wasn't able to find issues mentioning this here on GitHub.

Hustensirup commented 5 years ago

Every 3rd party access is risky.

brainplot commented 5 years ago

I have a few other apps which can access my data but they are not flagged as risky.

Hustensirup commented 5 years ago

https://support.google.com/cloud/answer/7454865?hl=en

I think the problem is the part with "Verification for apps". This is a lot of work; I don't think that with an app which is not intended to earn money (like most of the apps you granted access to, except Chromium, which I don't know how different it is from the original Chrome) you as a one-man show would do all this work for a bunch of users.

JohnLGalt commented 5 years ago

I've used K2A for a while now and my checkup never lists it as risky. Perhaps you should verify 1) the app is directly from here, and 2) the permissions you've allowed it to have.

On my Taimen running Android Q βeta 4, I only show 2 permissions that I've had to grant explicitly, Contacts and Storage.

Additionally, I'm using Google's Advanced Protection for my Google accounts - so I cannot understand why you're seeing that listed there.

brainplot commented 5 years ago

I have 2FA enabled for my Google account (with all sorts of backup codes and recovery phone numbers) and I checked the permissions I granted the app: Contacts and Storage are the only ones listed. I downloaded the app from the Play Store, here.

JohnLGalt commented 5 years ago

Advanced Protection is the one that uses physical security keys - it's a couple of steps above 2FA.

I just checked my account, and there is absolutely nothing showing like what you have in your screenshot. However, with Advanced Protection enabled, 3rd party apps automatically lose (direct) access to Google Drive - it warns you about this multiple times when enabling Advanced Protection.

So, that's the difference between yours and mine. Plus, I'm on v 1.06f and have frozen it (IOW, I have Google Play Store set to never auto update it, and if I run updates manually, it asks me if I want to update or skip it, and I always skip it).

I still use Google Drive to sync my database, I just have the Drive app set that one file to be available offline on my phone, and then I have pointed KeePass2Android to the actual location where the file is stored on the phone, so it doesn't have (or need) access to Google Drive.

HTH

brainplot commented 5 years ago

That's a good solution I had not thought about. By making a file available offline in Google Drive, is it saved in a normal folder (i.e. Download) or is it saved in an internal folder only the Google Drive app has access to?

JohnLGalt commented 5 years ago

Normal folder.

You use the system file chooser, then navigate to the Drive folder in the files app that opens (if you have a different app set as default to navigate files on Android, it may open that instead), then find the file.

On Fri, Jul 12, 2019, 13:05 Gianluca Recchia notifications@github.com wrote:

> That's a good solution I had not thought about. By making a file available offline in Google Drive, is it saved in a normal folder (i.e. Download) or is it saved in an internal folder only the Google Drive app has access to?


JohnLGalt commented 5 years ago

> That's a good solution I had not thought about. By making a file available offline in Google Drive, is it saved in a normal folder (i.e. Download) or is it saved in an internal folder only the Google Drive app has access to?

Thanks :D

I had to use this solution because of the blocked access to Google Drive when enabling Advanced Protection using my Titan keys. After it did, I initially removed advanced protection from the one account I use with Drive to host my database. Then, after looking around at various solutions, including rclone, a self-configured version of rsync, and others, I determined that Resilio Sync would best serve my needs.

So, I started using that. But I recently moved, and my desktop was out of commission for a while, and my Linux boxes had a local copy of the database from before. So, I started using it, and manually synced it to the phone.

Once I got my desktop back up, I remembered that I always made the file available offline anyway, so I tried it and thankfully it worked perfectly fine, with KeePass2Android not having any direct access to Drive contents. In a sense, I got lucky, but since it worked for me, I figured why not pass it on. TBH, I only got this working myself just a couple weeks ago. Such a simple solution, and yet I never actually made use of it until now.

Glad it could help you out as well, and get rid of that pesky message that you're seeing. For me, it means that I have one less service running on my computer, and phone, and I am back to having the database available anywhere I need it via Google Drive (as in, on devices that don't have the Backup & Sync app, like my Linux boxes, I can simply log into Drive from the web and DL the database at any time that I want).

PhilippC commented 5 years ago

For the record, I have started verification with Google.

aparedero commented 4 years ago

@PhilippC thank you for your dedication to the project, but my hair stands on end when trying to sync with Google Drive: the application asks for entire access to Google Drive to create, read, edit and delete information on any path.

Dude, that's serious.

jacopotediosi commented 4 years ago

> @PhilippC thank you for your dedication to the project, but my hair stands on end when trying to sync with Google Drive: the application asks for entire access to Google Drive to create, read, edit and delete information on any path.
>
> Dude, that's serious.

@aparedero, please see #622.

TL;DR: as stated here and in the other issue, reducing the Google Drive scope permission is difficult at the moment because of how the app works internally. If that isn't OK for you, you can just install the Drive app from the Play Store and then use the System File Picker and select your file from there using SAF. In this way, you don't allow Keepass2android to access your Google Drive at all and the file will be locally synced by the Drive app.

JohnLGalt commented 4 years ago

In addition, I suspect it is also partially the fault of the Google Drive API itself - if you want to create / edit / delete files even in a single location, the API requests permissions to do all of the above across your entire Google Drive repository.

FWIW, I Sync on my PCs via Google Drive but use KeePass2Android to access my KeePass databases directly from Google Drive - and have had 0 issues with KP2A attempting to access anything other than the KP databases I point them to.

But Jacopo's method is the same as I use on my PCs - so it works just as well.

jacopotediosi commented 4 years ago

> In addition, I suspect it is also partially the fault of the Google Drive API itself - if you want to create / edit / delete files even in a single location, the API requests permissions to do all of the above across your entire Google Drive repository.

I suspect it too. (How are you supposed to edit files if you can't list content of the drive?) It seems apps need to already know the exact location of the file they want to edit (?) I think it's just an Android decision to force you to use SAF and to abandon Drive APIs.

aparedero commented 4 years ago

@jacopotediosi I mean, I usually interact with third-party applications which use Google Drive for storing some files, but the permissions are "Files created by this app", not asking for the whole drive.

Here is an example of the permissions request: https://4.bp.blogspot.com/-A9vfQ8SpLWo/WMULUvlBccI/AAAAAAAAEjU/SQV3qPohaawkkYfADRnJn-h03NxJ5EDAQCLcB/s1600/pdf%2Bmergy%2B-%2Bapp%2Bconfiguration%2B3.png

jacopotediosi commented 4 years ago

@aparedero Keepass2android does need to read already existing files, not only to create new ones. I didn't find a way to easily access existing files with a reduced permission scope, because we cannot list files anymore with those permissions. "File opened with this app" seems to refer to the Google File Picker, which is only for web apps.

JohnLGalt commented 4 years ago

Correct. With the system file picker, you can look only for the single file - but if you are using the Drive interface API from within KeePass, it needs the ability to look for a file anywhere you might have stored in your Drive repository. As well as be able to save it anywhere in same said repository. Think backups, for an example, particularly if you're like me and save backups in a folder separate from where the active database resides.

Again, FWIW, just giving the app the permission to read from and write to any location within the Drive repository does not mean it will mess with files that it cannot open on its own - I, for one, give the developer that much credit. But, if you're worried about the app for whatever reason, Jacopo's method works perfectly fine and you should make use of it.

GM-Alex commented 3 years ago

@JohnLGalt Your Google Drive workaround is a life saver. Thanks a lot.

maltem-za commented 6 months ago

If you've come here looking for a way to restrict KP2A's access to your Google Drive with an existing database, and you don't want to use one of the other options already mentioned, see this issue comment.