originallgb / keepassdroid

Automatically exported from code.google.com/p/keepassdroid

Password is saved when app loses focus #221

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Open Keepassdroid, select database
2. Type password in, do not hit OK
3. Remove app from focus but do not explicitly close (home key, sleep phone, 
etc.)

What is the expected output? What do you see instead?
When the app returns to focus, whatever portion of the password was typed is 
saved in the password box. 

This is not an ideal situation, as losing focus should be the same as losing 
the user's attention, after which you cannot be sure they will return to use 
the app. If they do not hit the OK button, the password will be saved at least 
until the app is removed from memory, which poses a security risk if the phone 
is lost (a situation a password safe is meant to mitigate).

What version of the product are you using? On what operating system?
Version: 1.9.5 OS: Android 2.3.5 (Cyanogenmod 7, Droid Incredible)

Please provide any additional information below.

This is not necessarily just a bug report. The password field should be 
explicitly cleared anytime the app loses focus or changes focus, basically 
anytime the password or keyfiles are not being explicitly manipulated. 
Additionally, it might be good to explicitly clear it on SUCCESS as well, as I 
think, but cannot replicate the occurrence, that I have backed out of the 
database (using the back button) to the login screen and had my password still 
sitting there. I would just like to avoid the possibility of the password 
sitting for any length of time if it is not being immediately used.

Original issue reported on code.google.com by teamd...@pbarletta.com on 6 Aug 2011 at 8:13

GoogleCodeExporter commented 8 years ago
I was going to file a separate bug report, but I think this may actually be the 
same issue:

When the timeout is reached and Keepassdroid locks the database, if I switch 
back to the app (by long-pressing home and using the app switcher), the master 
password will still be entered in the password box, and I only have to press 
"ok" to unlock the database again. This of course completely defeats the 
purpose of the timeout and massively compromises the security of the database.

This is consistently reproducible; it happens every time.

Original comment by mrtorr...@gmail.com on 20 Nov 2011 at 11:40

GoogleCodeExporter commented 8 years ago
That sounds like the issue I was having but could not consistently reproduce. 
Both of these issues are still present, currently I ensure that when I am done 
with the database I clear the password field, but that is a poor solution.

Original comment by teamd...@pbarletta.com on 21 Nov 2011 at 4:16

GoogleCodeExporter commented 8 years ago
I've got the same problem and I've investigated it a little bit more: the 
password is not cleared when Keepassdroid is killed while in the background. So, to 
reproduce:
1. log in to database
2. switch to main screen or any other application
3. kill keepassdroid (for example using 'Advanced task killer')
4. run keepassdroid, password will be filled; check 'show password' and voila - 
you can read your password

The point is that Android can kill background applications when it is running 
out of memory, so the issue was hard to reproduce - I think you left the app in 
the background and very rarely it was killed by the system...

My phone: HTC Wildfire with Cyanogenmod 7. 

Original comment by M.Kosew...@gmail.com on 4 Dec 2011 at 11:27
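The three clearing points asked for in this thread (clear the field whenever the screen loses focus, clear it once the database has been unlocked, and make sure the field is not persisted and restored when the process is killed and recreated) map onto ordinary Activity lifecycle hooks. The class below is an added illustration written for this page, not KeePassDroid's own code; it assumes a hypothetical layout with an EditText `R.id.password` and a button `R.id.ok_button`, and leaves the actual unlock routine to a subclass via the abstract `unlockDatabase` hook.

```java
import android.app.Activity;
import android.os.Bundle;
import android.text.Editable;
import android.view.View;
import android.widget.EditText;

// Added example, not code from the KeePassDroid project. R.id.password,
// R.id.ok_button and R.layout.password are hypothetical resource names;
// unlockDatabase() is a hook the concrete activity must supply.
public abstract class ClearingPasswordActivity extends Activity {

    private EditText passwordField;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.password);
        passwordField = (EditText) findViewById(R.id.password);

        // Opt this view out of instance-state saving. By default the framework
        // stores an EditText's contents in the saved state bundle, so a process
        // killed in the background (task killer, low memory) can come back with
        // the typed master password already restored into the field.
        passwordField.setSaveEnabled(false);

        findViewById(R.id.ok_button).setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                String password = passwordField.getText().toString();
                boolean unlocked = unlockDatabase(password);
                if (unlocked) {
                    // Clear on success so that backing out of the opened
                    // database (back button, lock timeout) never returns
                    // to a login screen with the password pre-filled.
                    clearPassword();
                }
            }
        });
    }

    @Override
    protected void onPause() {
        // onPause runs for the home key, screen off, an app switch and any
        // other activity coming to the front (including the lock screen
        // shown after the timeout). Treat every one of them as the user
        // possibly never coming back and drop the typed password now.
        clearPassword();
        super.onPause();
    }

    @Override
    protected void onSaveInstanceState(Bundle outState) {
        // Belt and braces: even if a future layout change re-enables saving
        // on the field, empty it before the view hierarchy is serialised.
        clearPassword();
        super.onSaveInstanceState(outState);
    }

    // Empties the Editable in place rather than replacing it, so the old
    // characters are not left behind in the field's buffer.
    private void clearPassword() {
        if (passwordField == null) {
            return;
        }
        Editable text = passwordField.getText();
        if (text != null) {
            text.clear();
        }
    }

    // Supplied by the concrete activity: attempt to open the database with
    // the given master password and report whether it succeeded.
    protected abstract boolean unlockDatabase(String password);
}
```

The equivalent of `setSaveEnabled(false)` can also be declared in the layout with `android:saveEnabled="false"` on the EditText. Note that a `String` copy of the password (as produced by `toString()` above for the unlock call) cannot be wiped from the Java heap; the example limits the window during which the field itself holds the password, which is what the reports in this thread are about, but does not claim to scrub every copy.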

GoogleCodeExporter commented 8 years ago
I am experiencing similar problems. This should be higher than medium as it 
renders the app useless in terms of protecting account information. 

Versions
1.9.5
cm 7.1.0 selfkang sensation 

Original comment by she...@gmail.com on 12 Dec 2011 at 3:29

GoogleCodeExporter commented 8 years ago
I have the same problem. The password field does not clear once the db is 
unlocked. Even days later when I rerun the app the password field contains the 
password. 

Version 1.9.9
HTC Desire CM 7.1 and now CM 7.2 RC1

Original comment by bweiber...@googlemail.com on 21 Mar 2012 at 8:19

GoogleCodeExporter commented 8 years ago
Also seeing both manifestations of this problem.  Hoping for a fix as this 
seems a glaring security hole to me - ironic for a security app.

Original comment by maynar...@gmail.com on 9 Sep 2012 at 1:07

GoogleCodeExporter commented 8 years ago
Issue 403 has been merged into this issue.

Original comment by bpel...@gmail.com on 12 Sep 2012 at 3:38

GoogleCodeExporter commented 8 years ago
Issue 382 has been merged into this issue.

Original comment by bpel...@gmail.com on 12 Sep 2012 at 4:56

GoogleCodeExporter commented 8 years ago
This should be fixed in 1.9.17.

Original comment by bpel...@gmail.com on 12 Sep 2012 at 5:04

GoogleCodeExporter commented 8 years ago
Issue 321 has been merged into this issue.

Original comment by bpel...@gmail.com on 12 Sep 2012 at 5:07

GoogleCodeExporter commented 8 years ago
Issue 354 has been merged into this issue.

Original comment by bpel...@gmail.com on 12 Sep 2012 at 5:07

GoogleCodeExporter commented 8 years ago

Thanks!

Original comment by bruce.a....@gmail.com on 13 Sep 2012 at 6:58

GoogleCodeExporter commented 8 years ago
Unfortunately, the issue with the pre-filled master password after task-killing 
KeePassDroid is still reproducible :(
Samsung Galaxy Ace [Android 2.3.6]
KeePassDroid 1.9.18.1.

Original comment by pratt...@gmail.com on 14 Sep 2012 at 11:22

GoogleCodeExporter commented 8 years ago
Issue 437 has been merged into this issue.

Original comment by bpel...@gmail.com on 2 Feb 2013 at 6:16