gustavomondron / twik

Twik is an Android application that makes it easier to generate secure and different passwords for each website.
GNU General Public License v3.0

Autofill username and password in websites and applications #24

Open gustavomondron opened 7 years ago

gustavomondron commented 7 years ago

Using the clipboard to fill a password generated using Twik in a website or application is not considered secure as other applications can access the clipboard.

Other approaches are providing a custom keyboard, such as Keepass2Android, or an accessibility service that detects and fills password fields in websites and applications. The latter is considered more user-friendly as it avoids the hassle of manually switching keyboards for typing the password.

daMihe commented 7 years ago

On the one side, I think this is a good idea. On the other side, please don't put too much effort into hiding the input (like in the Chrome plugin). Some websites (especially more app-like ones) are trying to read the password before actually sending. This could lead to trying to send the master password, which is obviously what you don't want.

Copy-pasting is maybe not as secure, but it's rock solid.

gustavomondron commented 7 years ago

You're right, there are some bugs related to autofill in the Chrome extension that need to be addressed :-)

To be honest, I still haven't found out the best way to provide the autofill functionality in Android. However, unlike the Chrome extension, I agree with you that on the mobile device we should avoid typing the master password in the third-party app or browser at any cost.

Copy-pasting should always be a supported option, but I think it's really worth supporting an additional mechanism.

hapm commented 6 years ago

There is a new API since API level 26 that is exactly for that purpose. Not sure how you could type the master password before filling the fields, but it looks promising: https://developer.android.com/guide/topics/text/autofill
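An added example, not part of the thread and not Twik code: with the API level 26 autofill framework, a service can offer a locked dataset whose authentication intent opens the password manager's own activity, so the master password is never typed into the third-party app or browser. `LockedAutofillService` and `UnlockActivity` are hypothetical names, and the field detection assumes the target view declares the standard password autofill hint.

```java
import android.app.PendingIntent;
import android.app.assist.AssistStructure;
import android.content.Intent;
import android.os.Build;
import android.os.CancellationSignal;
import android.service.autofill.*;
import android.view.View;
import android.view.autofill.AutofillId;
import android.widget.RemoteViews;
import java.util.*;

// Added sketch, not Twik code. UnlockActivity is a hypothetical activity in the
// password generator's own package that asks for the master password.
public class LockedAutofillService extends AutofillService {
    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        AutofillId target = null;
        for (int i = 0; i < structure.getWindowNodeCount() && target == null; i++)
            target = findPasswordField(structure.getWindowNodeAt(i).getRootViewNode());
        if (target == null) { callback.onSuccess(null); return; }  // no password field: offer nothing

        int flags = PendingIntent.FLAG_CANCEL_CURRENT;
        if (Build.VERSION.SDK_INT >= 31) flags |= PendingIntent.FLAG_MUTABLE;  // result extras are filled in
        PendingIntent unlock = PendingIntent.getActivity(
                this, 0, new Intent(this, UnlockActivity.class), flags);
        RemoteViews label = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        label.setTextViewText(android.R.id.text1, "Unlock to fill password");
        // Locked dataset: the value stays null until UnlockActivity returns the real Dataset
        // in AutofillManager.EXTRA_AUTHENTICATION_RESULT, so the master password is typed only
        // in this app's own UI and the target view receives just the generated site password.
        Dataset locked = new Dataset.Builder().setValue(target, null, label)
                .setAuthentication(unlock.getIntentSender()).build();
        callback.onSuccess(new FillResponse.Builder().addDataset(locked).build());
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) { callback.onSuccess(); }

    // Depth-first search for the first view that declares the password autofill hint.
    private static AutofillId findPasswordField(AssistStructure.ViewNode node) {
        String[] hints = node.getAutofillHints();
        if (hints != null && Arrays.asList(hints).contains(View.AUTOFILL_HINT_PASSWORD))
            return node.getAutofillId();
        AutofillId found = null;
        for (int i = 0; i < node.getChildCount() && found == null; i++)
            found = findPasswordField(node.getChildAt(i));
        return found;
    }
}
```

Web pages rendered in a browser usually expose HTML attributes rather than autofill hints, so a real service would also have to inspect `ViewNode.getHtmlInfo()` and the input type before deciding a field is a password field.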