Warn user that exported data are (partially) unencrypted

[randomisresistance]

Hi again,

I'm just doing some small review of the Mooltipass applications. One other thing that came to my mind was that application allows the user to export the credential to a file or a cloud storage.

I did this and figured out that the exported .bin file contains some unencrypted information like the name of the entry (the site).

This is done in preload.js the data afterwards look like that they are just encoded. I'm not sure but it looks a bit like the credentials are just encoded and not encrypted. And the site information are in plain text.

I'm not sure what is the case here as I haven't had the time to decode the text strings right now. Maybe someone can enlighten me about the format.

But maybe it is a good idea to inform the user about the fact that this exported file does contain unencrypted data.

Regards

[limpkin]

Hey there! Thanks for looking into the code. As you can imagine, passwords are indeed encrypted. It's actually in our plans to offer to the user to add a password which will be used to encrypt the complete export file. Any help is welcome!

[randomisresistance]

Hey there!

Sorry for the delayed answer, this time I was in vacation. I would really nice to join your work on the MooltiPass applications.

I just have to setup the IDE for that, is there anything special needed? Since the MooltiApp is written in JS it is maybe a good idea to do the encryption with an external program like 7z. The downside of this is that adds some dependencies. I will think about this and see what I can do to fix this.

[limpkin]

Hey there!

No IDE is required. We're really not big fans of dependencies indeed.

Thanks!

[randomisresistance]

Hey,

I guessed I'm also not a big fan of dependencies. But let me think about this maybe I can figure out a way. I try to find some time to think about this issue next week, maybe I can also do some code audit too next week, we will see.

Regards!

[limpkin]

thanks for your time! :)