Hi @ericchaffey,

Thanks for writing to us with your concern, and thanks to all the security researchers who spent their time finding the flaws.

Out of all the vulnerabilities mentioned by the researchers, only the following two slightly affect security while using Enpass, and we will fix them in the next update.

  • HTTP URL by default.
    In any item's URL field, if the user hasn't mentioned the protocol, then clicking on the URL from the details page will open the link using the 'http' protocol. Please add the https:// prefix to your URLs explicitly until a fix is available.
  • Subdomain password leakage.
    To be on the safer side, we autofill in a website only after you select an item manually, and we check that the domain name of the URL matches the item URL. But this still affects Enpass on Android while autofilling on websites where a subdomain can be obtained publicly, i.e. wordpress.com. To avoid this situation on Android, we will add a setting, Match URL hostname, like in our desktop versions. Till then, we advise you to be extra cautious while autofilling on such sites.

None of the other bugs affects Enpass. But I would like to exclusively mention that Enpass is also not affected by some of the nasty bugs found by them.

  • Insecure credential storage in app's private folder.
    Your data is 100% encrypted with Enpass, and neither your master password nor the derived password is stored anywhere in plaintext or encrypted using a hardcoded key. In case you enable fingerprint to unlock your database, your master password is stored securely by the Android OS itself. Read more about how we store it in Android.
  • Read Private Data From App folder.
    We do not allow file:/// URLs to be opened in our built-in browser, so there is no question of an attacker getting hold of any file from the private data folder.

Once again, I thank you for writing to us with your doubts and I hope this helps.
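
The two behaviours discussed in the post above, shown as an added example that is not part of the original post and is not Enpass code: giving a protocol-less item URL an explicit https:// prefix, and domain-only matching next to exact hostname matching for autofill. The function names, the sample URLs and the naive base-domain rule are assumptions, and "Match URL hostname" is assumed here to mean an exact hostname comparison.

```python
import re
from urllib.parse import urlsplit

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def normalize_item_url(raw: str) -> str:
    """Give a stored URL with no protocol an explicit https:// prefix."""
    raw = raw.strip()
    return raw if _SCHEME.match(raw) else "https://" + raw


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, without port, path or trailing dot."""
    return (urlsplit(normalize_item_url(url)).hostname or "").lower().rstrip(".")


def base_domain(host: str) -> str:
    # Assumption: naive "last two labels" rule to stay offline; a real
    # implementation would consult the Public Suffix List instead.
    return ".".join(host.split(".")[-2:])


def autofill_allowed(item_url: str, page_url: str, match_hostname: bool) -> bool:
    """Decide whether an item may be filled into the page being viewed."""
    item_host, page_host = host_of(item_url), host_of(page_url)
    if not item_host or not page_host:
        return False  # refuse when either side has no hostname
    if match_hostname:
        return item_host == page_host  # exact hostname comparison
    return base_domain(item_host) == base_domain(page_host)  # domain only


# Constructed sample data, not taken from the thread.
ITEM_URL = "alice.wordpress.com/wp-login.php"  # saved without a protocol
PAGES = ["https://alice.wordpress.com/wp-login.php",
         "https://other-blog.wordpress.com/login"]


def demo():
    """(page, domain-only result, hostname result) for each sample page."""
    return [(p, autofill_allowed(ITEM_URL, p, False),
             autofill_allowed(ITEM_URL, p, True)) for p in PAGES]


if __name__ == "__main__":
    print(normalize_item_url(ITEM_URL))
    for row in demo():
        print(row)
```

With domain-only matching both sample pages are accepted for the same item; with hostname matching only the page on the item's own subdomain is.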


You guys are awesome and thank you very much for your honesty and willingness to fix issues so quickly. Many developers hide, lie, and make excuses for why flaws should be considered no big deal. I look forward to all updates and thank you again for an amazing product!

