aashishksahu / SafeSpace

A safe place for your valuable information
GNU General Public License v3.0

Brute force protection #41

Closed SavoryVegetable closed 2 months ago

SavoryVegetable commented 4 months ago

As the only way the data stored inside this app can be accessed is through the app, I think some form of protection against brute force, like password attempt throttling, can enhance the security of this app if implemented.

atomuspilius commented 4 months ago

https://github.com/aashishksahu/SafeSpace#who-is-this-app-for

SavoryVegetable commented 4 months ago

One does not need to be a government agent to brute force the password using adb shell input

aashishksahu commented 4 months ago

Hi @SavoryVegetable, thanks for your inputs :) I am happy, as this is my app's first security enhancement. As mentioned by @atomuspilius, my app is not targeted towards people who have active adversaries, and if the device is compromised, my app is also compromised, just like any other app. The goal of my app is compartmentalization (between VeraCrypt and Qubes OS, my app is leaning more towards the idea of Qubes OS). Nevertheless, having a password attempt time-out is a good suggestion and I can add this in the next update. Requesting you to please give me a few more details. It would be great if you can do the adb shell input scenario and share your findings here in this issue. Thanks again @atomuspilius, @SavoryVegetable :)

SavoryVegetable commented 4 months ago

It's possible to brute force the password (how long it will take depends on the password length) by writing a script which uses adb shell input text to rapidly type passwords and adb shell input keyevent 66 to rapidly press enter.

SavoryVegetable commented 4 months ago

Here's a script which can brute-force a 4-digit password, provided there is no throttling:

#!/bin/bash

for i in {0000..9999}; do
  adb shell input text "$i"
  adb shell input keyevent 66
  sleep 0.1 # Adjust the sleep duration if needed
done

aashishksahu commented 4 months ago

Hmm.. Quite interesting... Looks like password attempt throttling and alphanumeric pin are next in the release. Thanks for your help :)