codingchili
commented
5 years ago Looked at the security of some password managers (aaf-easypassword, Puff-Android) on Android and found
- KDF without sufficient hardening - weak hashing and/or too low iteration count.
- KDF that could be bypassed - output only used to verify master password, master password then used directly as key.
- weak encryption algorithms: blowfish
- brute-force attacks on weak master passwords such as pattern unlock.
Would like to look at some networked apps too, to check for TLS and API vulnerabilities.
Mostly been working on web, i suspect there might be some low hanging fruit in mobile security.