mssun / passforios

Pass for iOS - an iOS client compatible with Pass command line application.
https://mssun.github.io/passforios
MIT License
Integration with spotlight [feature suggestion] #156

Open frihamn opened 6 years ago

frihamn commented 6 years ago

Would be nice to be able to search the password store from spotlight through spotlight api.

mssun commented 6 years ago

Hi, thanks for the suggestion. I checked other password managers like LastPass. They don't have this feature. I guess the password names of LastPass are protected; unlike them, "password store" (pass) does not encrypt file names and directory names (which could be the name of a password). Therefore, I think it's possible for us to implement this feature. But I suggest disabling this function by default (if we have this feature).

frihamn commented 6 years ago

I suspected that it was handled in the same way as password store, i.e. unencrypted directories. Thanks for the confirmation. The unencrypted directory structure does indeed make it particularly suitable for spotlight integration. Users are also presumably familiar with it which I think makes it less likely that some sensitive information would inadvertently end up in spotlight search (since that would also mean that it is stored in plain text on the desktop). Disable by default is probably sensible nonetheless.

1password has it as an option but it's fairly basic and makes it confusing if there's more than one password for a site (I suppose they have to be more careful with what they include given that it's not how the database is made to be accessed).

One aspect that I suspect is easily implemented in passforios given the unencrypted directory structure and which would make it a lot more powerful would be to include the full path as info in the spotlight results as this would allow for identifying multiple instances for same website based on user's file organisation.

I'm not familiar with iOS development but was looking into trying to make some simple script for the desktop and came across the SDK for spotlight.

mssun commented 6 years ago

Sure. Other than potential privacy concerns, I think it doesn't require much new logic for this feature. I may work on it if I have time, but I am also looking forward to PRs. :)

frihamn commented 6 years ago

Indeed, privacy may be an issue depending on how the phone is set up. With a passcode for activating the phone it's presumably not less secure than accessing through the app, except that it opens for temporary users (e.g. if someone loans the phone) to search your passwords. It should still be necessary to click through from spotlight to the passforios app to access the actual password though, so not necessarily a security issue.

As I see it, it comes down to how you set up the phone and whether you hand it over unlocked to untrusted people for longer periods. Again though, disable by default is probably sensible to allow users to evaluate security risks.
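To make the exposure discussed in this thread concrete, the following added example (not code from passforios or from any commenter) models what a search index would receive from a pass store: only entry names and folder paths taken from the unencrypted directory layout, with indexing off unless explicitly enabled. The function names and the sample store are constructed for illustration, and the actual iOS indexing call is not modelled.

```python
import os
import tempfile
from pathlib import Path


def spotlight_entries(store_root, enabled=False):
    """Return the metadata a search index would be given for a pass store.

    Only file and directory names are used; the encrypted .gpg contents are
    never opened. Indexing is opt-in, matching the thread's suggested default.
    """
    if not enabled:
        return []
    root = Path(store_root)
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into hidden directories such as .git.
        dirnames[:] = sorted(d for d in dirnames if not d.startswith("."))
        for name in sorted(filenames):
            if not name.endswith(".gpg"):
                continue  # skips .gpg-id and other non-entry files
            rel = (Path(dirpath) / name).relative_to(root)
            entries.append({
                "title": rel.stem,                          # shown as the result title
                "path": rel.as_posix()[: -len(".gpg")],     # full path disambiguates duplicates
            })
    return entries


def build_sample_store(root):
    """Create a constructed pass-style store; file contents are placeholders."""
    for rel in ("work/example.com.gpg", "personal/example.com.gpg", "bank.gpg"):
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed placeholder, not real ciphertext")
    (Path(root) / ".gpg-id").write_text("constructed-key-id\n")
    (Path(root) / ".git").mkdir()
    (Path(root) / ".git" / "index.gpg").write_bytes(b"ignored")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_store(tmp)
        print("default:", spotlight_entries(tmp))
        for entry in spotlight_entries(tmp, enabled=True):
            print(entry["title"], "->", entry["path"])
```

Two entries share the title `example.com`; only the `path` field tells them apart, and that same field is what anyone searching an unlocked phone would see.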