Enpass Discussion Forum

rerx

Posts posted by rerx

  1. I just cross-checked with the Enpass extension on Firefox 51.0.1. In this case the issue does not appear.

    Then I tried to remove the extension from Chrome and to reinstall it there -- this does not help. The issue still appears on Chrome.

    It doesn't help either to use a blank new Chrome profile with nothing but the Enpass extension installed.

  2. Hi,

    thanks for looking into this.

    To produce the bug I select any message in the Fastmail web interface, click 'move to', and select some folder from the dropdown menu. After I hit 'enter', an Enpass popup appears asking me whether I would like to update my login credentials to the bogus password 'PIN'.

    This is with Enpass 5.4.1, Ubuntu 14.04, and Chrome 56.0.2924.87.

  3. Hi,

    I am a new user of Enpass -- just trying the Linux and Android versions for the first time.

    I came to the forums because I noticed two issues on Android that gaetawoo already highlighted above.

    Quote
    1. SECURITY BUG: Rebooting the phone does not cause Enpass to require the Master Password to unlock the app. I can use a fingerprint. Even after the fingerprint is locked out for 5 bad tries and the Master Password is then required, if I reboot the phone, I do NOT need to enter the Master Password; I can use my fingerprint. That's a security risk. UPDATE: An EVEN WORSE SECURITY RISK is that if you get the fingerprint wrong 5 times, and it requires the Master Password, you can simply go to Android settings --> Apps --> Enpass and FORCE CLOSE the app, start it again and it will accept your fingerprint again. THAT'S HUGELY WRONG! This is EXACTLY why the first load of the app MUST ALWAYS require the Master Password, which it DOES NOT do right now.

    This definitely must be fixed ASAP! The fingerprint is a convenience feature, but it is much less secure than a secret like the master password. Fingerprints are quite easy to forge. If an attacker gets hold of my phone and if they are careful, they can already find a template for a fake fingerprint on the glassy surfaces of the phone. That's why Enpass should really reset to requiring the master password to be entered instead of a fingerprint after some time (like 30 minutes) has passed or after a reboot. As it stands now, one can only discourage all users from using Enpass with the fingerprint feature.

    Quote
    2. SECURITY BUG: When entering the Master Password on Android for the first time after installing the app (in order to sync the database), the typed characters show up on the keyboard prediction bar, which means that the text entry field is NOT coded as a password field (which would not show the characters in the keyboard prediction box). It's just an obfuscated normal text field. Some keyboards automatically save typed words or entries. Or someone may be peeking and see the entire password typed out in the keyboard box even if it's obscured in the field.

    I was really surprised by this behavior. The Swype keyboard just shows character after character in clear text in its suggestion bar, while entering the master password! This usually does not happen with password entry fields. It wasn't this bad with the stock Sony Xperia keyboard on my phone.


    Please fix these security problems! Apart from these issues Enpass really looks to be the nicest cross platform solution I have seen so far.

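The unlock behaviour argued for in the post above, written out as an added example (this is not Enpass's code, and it is not taken from the thread): a platform-neutral Python model of the policy in which the master password is required on the first unlock after a reboot, after a time window has expired, and after five failed biometric attempts, with all of that state persisted so that force-stopping the app cannot reset it. The per-boot identifier and the monotonic clock are assumptions standing in for OS facilities (on Android, Settings.Global.BOOT_COUNT and SystemClock.elapsedRealtime() would be natural sources); the 30-minute window is the figure suggested in the post. The scenario at the end replays the exact sequences the two quoted reports describe.

```python
"""Unlock policy for a password manager that offers biometric unlock as a
convenience on top of a master password.

Added, platform-neutral model (not Enpass's code). It encodes the rules
argued for in the thread:

  * the first unlock after a reboot requires the master password,
  * biometric unlock expires some time after the last master-password entry,
  * after MAX_BIOMETRIC_FAILURES bad attempts the master password is required,
  * all of that state is persisted, so force-closing the app cannot reset it.
"""
from dataclasses import dataclass
from typing import Optional

MAX_BIOMETRIC_FAILURES = 5
BIOMETRIC_VALIDITY_SECONDS = 30 * 60   # assumption: the 30 minutes suggested in the post

MASTER_REQUIRED = "MASTER_REQUIRED"    # fall back to the master-password prompt
RETRY = "RETRY"                        # biometric mismatch, attempts remain
UNLOCKED = "UNLOCKED"


@dataclass
class Device:
    """Facts the app reads from the OS. On Android the boot identifier could be
    Settings.Global.BOOT_COUNT and the clock SystemClock.elapsedRealtime()
    (assumptions; any per-boot value and any monotonic clock will do).
    Wall-clock time is deliberately not used, because the user can set it back."""
    boot_id: str
    uptime: float


@dataclass
class PersistentState:
    """Everything the policy depends on. Must live in storage that survives a
    process kill (e.g. SharedPreferences), never only in Activity fields: if the
    failure counter were an in-memory field, Settings -> Apps -> Force stop
    would reset it and the lockout would be gone, which is the bug reported above."""
    boot_id_at_master_auth: Optional[str] = None
    uptime_at_master_auth: float = 0.0
    biometric_failures: int = 0


class UnlockPolicy:
    def __init__(self, store: PersistentState) -> None:
        self.store = store

    def biometric_allowed(self, dev: Device) -> bool:
        s = self.store
        if s.boot_id_at_master_auth != dev.boot_id:
            return False      # no master-password unlock yet during this boot
        if s.biometric_failures >= MAX_BIOMETRIC_FAILURES:
            return False      # locked out until the master password is entered
        if dev.uptime - s.uptime_at_master_auth > BIOMETRIC_VALIDITY_SECONDS:
            return False      # convenience window has expired
        return True

    def unlock_with_master_password(self, dev: Device, password_ok: bool) -> str:
        if not password_ok:
            return MASTER_REQUIRED
        s = self.store
        s.boot_id_at_master_auth = dev.boot_id
        s.uptime_at_master_auth = dev.uptime
        s.biometric_failures = 0      # only a correct master password clears the lockout
        return UNLOCKED

    def unlock_with_biometric(self, dev: Device, sensor_match: bool) -> str:
        if not self.biometric_allowed(dev):
            return MASTER_REQUIRED
        if sensor_match:
            return UNLOCKED
        self.store.biometric_failures += 1
        if self.store.biometric_failures >= MAX_BIOMETRIC_FAILURES:
            return MASTER_REQUIRED
        return RETRY


def run_scenario() -> dict:
    """Replay the sequences described in the thread and collect the outcomes."""
    store = PersistentState()                 # empty store: fresh install
    policy = UnlockPolicy(store)
    dev = Device(boot_id="boot-1", uptime=60.0)   # constructed sample device state
    out = {}

    out["fresh_boot_biometric"] = policy.unlock_with_biometric(dev, sensor_match=True)
    out["master_ok"] = policy.unlock_with_master_password(dev, password_ok=True)
    out["biometric_after_master"] = policy.unlock_with_biometric(dev, sensor_match=True)

    # Five wrong fingerprints in a row.
    results = [policy.unlock_with_biometric(dev, sensor_match=False)
               for _ in range(MAX_BIOMETRIC_FAILURES)]
    out["after_five_failures"] = results[-1]

    # Force stop and relaunch: a new process, but the same persisted store.
    policy = UnlockPolicy(store)
    out["biometric_after_force_close"] = policy.unlock_with_biometric(dev, sensor_match=True)

    out["master_clears_lockout"] = policy.unlock_with_master_password(dev, password_ok=True)

    # Thirty-one minutes later on the same boot.
    later = Device(boot_id="boot-1", uptime=dev.uptime + BIOMETRIC_VALIDITY_SECONDS + 60)
    out["biometric_after_timeout"] = policy.unlock_with_biometric(later, sensor_match=True)

    # Reboot: new boot identifier, monotonic clock restarted.
    rebooted = Device(boot_id="boot-2", uptime=30.0)
    policy = UnlockPolicy(store)
    out["biometric_after_reboot"] = policy.unlock_with_biometric(rebooted, sensor_match=True)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:32s} {result}")
```

The two properties that matter are that the lockout counter and the "master password entered this boot" marker are compared against per-boot and monotonic values rather than wall-clock time, and that they are stored outside the process, so a force stop changes nothing about what the next launch will accept.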