twofas / 2fas-android

Source code for 2FAS Android app
GNU General Public License v3.0

Bad type of password field in export backup function #92

Open mucharafal opened 10 months ago

mucharafal commented 10 months ago

Hi,

Just when I was typing the password, surprisingly it appeared and was displayed in the dictionary. It doesn't happen when I type passwords in other applications, so it seems that something is misconfigured.

Config: 2FAS Auth: 5.1.0 Android 13 (Xperia 10 III - 62.2.A.0.533) Gboard 13.5.04.566637127

Anyway, thank you for the great app!

Best, Rafal

updogliu commented 8 months ago

Have the same problem. The app should bring up a keyboard for typing passwords.

elliotwutingfeng commented 7 months ago

Keyboards like Microsoft SwiftKey and Google Keyboard have an incognito mode. It is common for apps (even outside of authenticators) to automatically switch to the incognito mode for password entry, to prevent saving of passwords to dictionaries used for autocorrect.

I would strongly recommend that 2FAS implements this on both iOS and Android.

Andrew15-5 commented 6 months ago

Was about to say the same thing. I use Gboard and was surprised that autocorrect was still on (therefore saving my password) in two situations: when making a password for the exported backup file and when entering the password to import the exported file.

Andrew15-5 commented 6 months ago

I'm no expert at all the Android stuff (especially because things change very quickly), but my guess is that there is this line:

https://github.com/twofas/2fas-android/blob/59e48799bbfedeaebad05b0fdadeb79338ad1c8a/core/designsystem/src/main/java/com/twofasapp/designsystem/common/TwOutlinedTextField.kt#L61

And this function is (indirectly) used when creating those password textedit boxes, and it looks like the default options are used throughout the entire function call stack. If my hunch is correct, then changing a "single" line of code should fix it. Specifically, the function needs to know that it is used for the password and not a plain text. But the strange thing is that it is hidden by the dots, so something isn't clear here. Maybe those are non-native dots, idk.

Here is (one of) the starting point(s), btw:

https://github.com/twofas/2fas-android/blob/59e48799bbfedeaebad05b0fdadeb79338ad1c8a/feature/backup/src/main/java/com/twofasapp/feature/backup/ui/export/BackupExportScreen.kt#L201
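As an added example (not code from the 2fas-android repository), here is the Jetpack Compose pattern the comment above describes, assuming a Material 3 `OutlinedTextField`: `PasswordVisualTransformation` only masks what is drawn on screen, while `KeyboardOptions` carries the input type the IME inspects, so a field can show dots and still be treated as plain text by the keyboard.

```kotlin
import androidx.compose.foundation.text.KeyboardOptions
import androidx.compose.material3.OutlinedTextField
import androidx.compose.material3.Text
import androidx.compose.runtime.Composable
import androidx.compose.ui.text.input.KeyboardType
import androidx.compose.ui.text.input.PasswordVisualTransformation

// Hypothetical field names; both composables are illustrative, not the project's code.

@Composable
fun BackupPasswordFieldLeaky(value: String, onValueChange: (String) -> Unit) {
    // The dots hide the characters, but KeyboardOptions.Default leaves the
    // input type as ordinary text, so the IME keeps suggestions, autocorrect
    // and dictionary learning switched on and may store what was typed.
    OutlinedTextField(
        value = value,
        onValueChange = onValueChange,
        label = { Text("Backup password") },
        visualTransformation = PasswordVisualTransformation(),
    )
}

@Composable
fun BackupPasswordFieldHardened(value: String, onValueChange: (String) -> Unit) {
    // KeyboardType.Password maps to InputType TYPE_TEXT_VARIATION_PASSWORD,
    // the signal keyboards such as Gboard use to disable learning and
    // suggestions for the field, in addition to masking on screen.
    OutlinedTextField(
        value = value,
        onValueChange = onValueChange,
        label = { Text("Backup password") },
        visualTransformation = PasswordVisualTransformation(),
        keyboardOptions = KeyboardOptions(keyboardType = KeyboardType.Password),
    )
}
```

A quick check while reviewing a shared text-field wrapper is whether `keyboardOptions` is exposed by every layer of the call stack rather than defaulting to `KeyboardOptions.Default` somewhere in between.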

komidawi commented 1 month ago

For me, it's a security issue, and the fact that this is still not fixed after half a year is at least worrying..