Enpass Discussion Forum

Security audit


Gili

Hi all!

Sorry for being quiet for a long time. I really appreciate your patience and love for Enpass.

Finally, the audited Enpass 6 is here as promised. https://www.enpass.io/introducing-enpass-6-crafted-with-the-spirit-of-himalayas/

Here you can find the security audit report. Soon we will cover more platforms.

Cheers!

6 hours ago, Hemant Kumar said:

Hi all!

Sorry for being quiet for a long time. I really appreciate your patience and love for Enpass.

Finally, the audited Enpass 6 is here as promised. https://www.enpass.io/introducing-enpass-6-crafted-with-the-spirit-of-himalayas/

Here you can find the security audit report. Soon we will cover more platforms.

Cheers!

Did you read your audit? "It is important to note that because of the time constraints naturally involved during a Penetration Test exercise this project should not be considered a full security audit of the Enpass apps and their API in scope, nor should it be thought of as a compromise it"

"The audience of this report should be aware that a malicious actor, capable of committing extended time and with enough resources may find new attack vectors or vulnerabilities that could allow it to eventually compromise the security of the Enpass apps and their API in scope"

Edited by djohannes

3 hours ago, djohannes said:

Did you read your audit? "It is important to note that because of the time constraints naturally involved during a Penetration Test exercise this project should not be considered a full security audit of the Enpass apps and their API in scope, nor should it be thought of as a compromise it"

"The audience of this report should be aware that a malicious actor, capable of committing extended time and with enough resources may find new attack vectors or vulnerabilities that could allow it to eventually compromise the security of the Enpass apps and their API in scope"

True enough, but do mind that when you "only" have about a month and a hacker may go on for YEARS, obviously they can potentially find more vulnerabilities and whatnot. And new attack vectors can come all the time, but that may not even be the fault of Enpass but of the underlying OS or whatever as well.


Hello,

TBH Bitwarden works flawlessly. I have had a premium Enpass license for several years, so I just read the news about version 6 and wanted to give it a try again, so I installed the app on my phone and my desktop (a Mac computer) and tried to import my Bitwarden vault. Bad experience: it only parsed 61 items, and I have more than 500 items of several kinds stored in my Bitwarden vault.

I'm reporting the issue.

Edited by Oscar A. Mata T.

20 hours ago, hwsamuel said:

Folks, if you want a fully audited and open source tool with multi-platform support (desktop, phone, browser), why not go with Bitwarden? Downsides: mainly one dev, and uses its own cloud hosting with Microsoft Azure. Everything has pros and cons.

PS - Am not affiliated with Bitwarden by the way, just a new user there.

Because it took them so long to get the audit (we asked in this thread two years ago), the audit seemed rushed and possibly not in-depth enough, but also because of issues with support, issues during beta, and issues now with their new pricing model, I moved from Enpass to BitWarden.

If you have issues with migration, I suggest you move to Enpass 6, export your vault as JSON, and import it from the Bitwarden web interface. If you have ATTACHMENTS in your Enpass vault, please be aware those don't get moved. You'll need to do that manually. It's easy, as Enpass has a 'with attachments' search filter. I had only two. Removed them from my vault and re-imported to BitWarden after the vault was moved over.

Sorry Enpass. I couldn't deal with you ignoring my support requests, nor all the changes I mentioned above.

Not affiliated with anyone. Just used enpass a long time. Tired of not getting anything I need from them. 


7 hours ago, Oscar A. Mata T. said:

Hello,

TBH Bitwarden works flawlessly. I have had a premium Enpass license for several years, so I just read the news about version 6 and wanted to give it a try again, so I installed the app on my phone and my desktop (a Mac computer) and tried to import my Bitwarden vault. Bad experience: it only parsed 61 items, and I have more than 500 items of several kinds stored in my Bitwarden vault.

I'm reporting the issue.

If you have issues with migration, I suggest you move to Enpass 6, export your vault as JSON, and import it from the Bitwarden web interface. If you have ATTACHMENTS in your Enpass vault, please be aware those don't get moved. You'll need to do that manually. It's easy, as Enpass has a 'with attachments' search filter. I had only two. Removed them from my vault and re-imported to BitWarden after the vault was moved over.


I am a big fan of Enpass; I have the license for Android, Windows, and iOS, but seeing this audit left me very worried about the security of my data. I would like a more serious audit! The software is great, please do not apologize to those who use it and believe in your work!!!


Hi @GoodbyeEnpass and @tgcrypt,

Please help me understand what is wrong with the security audit. Why do you think it is not complete? We gave full source code access to the audit company. Enpass is an offline password manager, so risks are always lower by nature and attack vectors are always local. One can't execute remote attacks on it.

Thanks.


1 hour ago, GoodbyeEnpass said:

I am leaving Enpass due to this poor security audit and new pricing model.

What new pricing model? Did they start using subscriptions or what? 

1 hour ago, Vinod Kumar said:

Please help me understand what is wrong with security audit.

I would guess that especially this part stands out a lot:

On 12/28/2018 at 10:19 PM, djohannes said:

It is important to note that because of the time constraints naturally involved during a Penetration Test exercise this project should not be considered a full security audit


On 1/4/2019 at 4:34 PM, Vinod Kumar said:

Hi @GoodbyeEnpass and @tgcrypt,

Please help me understand what is wrong with the security audit. Why do you think it is not complete? We gave full source code access to the audit company. Enpass is an offline password manager, so risks are always lower by nature and attack vectors are always local. One can't execute remote attacks on it.

Thanks.

Hi @Vinod Kumar

I think what @My1 quoted:

On 1/4/2019 at 6:16 PM, My1 said:

It is important to note that because of the time constraints naturally involved during a Penetration Test exercise this project should not be considered a full security audit

would be the most pertinent part. Although many people should only have passwords used on a daily basis, many who pay for the license have passwords and sensitive data, server passwords and bank details; that is very, very serious.


A thorough & robust security audit really should be a prerequisite for any company selling password repository software.

On the face of it Enpass is great software, but if it has security holes then people will worry and start to look elsewhere. The recent report (highlighting recovery of master passwords) is not exactly reassuring, and also seems rather limited in scope to specific platforms.

The overall technical risk for Enpass based on the Security Assessment and the impact of discovered vulnerabilities is Medium ...

--- During the testing of the Enpass apps, VerSprite found that it was possible to recover the primary Vault's master password from memory for both Windows and Android apps

I will continue to watch this discussion with interest  ...

Edited by mushroom_daddy
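The finding quoted above (master password recoverable from process memory) is the kind of issue an app-level fix addresses by wiping working buffers. As an added example, not Enpass's code and not taken from the VerSprite report, this C snippet contrasts an unlock flow that leaves the password in its buffer with one that zeroises it through a volatile pointer; the KDF is a labelled placeholder and the sample password is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Zeroise via a volatile pointer: a plain memset() right before return is a dead store the optimiser may drop. */
static void secure_memzero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Hypothetical placeholder for the KDF (a real vault runs PBKDF2/Argon2 or similar here). */
static uint64_t placeholder_kdf(const unsigned char *pw, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= pw[i]; h *= 1099511628211ULL; }
    return h;
}

/* Unlock flow: copy the typed master password into 'scratch', derive the vault
   key, then wipe the copy (wipe=1, remediated) or leave it (wipe=0, naive). */
static uint64_t unlock_vault(const char *typed, unsigned char *scratch, size_t len, int wipe) {
    size_t n = strlen(typed);
    if (n == 0 || n >= len) return 0;
    memcpy(scratch, typed, n);
    uint64_t key = placeholder_kdf(scratch, n);
    if (wipe) secure_memzero(scratch, n);  /* else the plaintext stays behind */
    return key;
}

/* Return 1 if the master password is still recoverable from the buffer. */
static int password_in_memory(const unsigned char *buf, size_t len, const char *pw) {
    size_t n = strlen(pw);
    for (size_t i = 0; n > 0 && i + n <= len; i++)
        if (memcmp(buf + i, pw, n) == 0) return 1;
    return 0;
}

/* Run the flow on a constructed sample and report whether the password survived (1 = recoverable, 0 = wiped). */
static int demo_recoverable(int wipe) {
    unsigned char scratch[256] = {0};
    const char *pw = "correct horse battery staple";  /* constructed sample */
    unlock_vault(pw, scratch, sizeof scratch, wipe);
    return password_in_memory(scratch, sizeof scratch, pw);
}

int main(void) {
    printf("naive unlock:  recoverable=%d\n", demo_recoverable(0));  /* 1 */
    printf("wiping unlock: recoverable=%d\n", demo_recoverable(1));  /* 0 */
    return 0;
}
```

Clearing the app's own buffers is necessary but not sufficient: copies held by UI toolkits, the clipboard or swap are outside this function's reach, which is why such findings are assessed per platform.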

32 minutes ago, Vinod Kumar said:

Hi @mushroom_daddy,

The vulnerability you quoted has been resolved (remediated). Please see page 5 of the audit report.

Thanks.

That's good to know. Thank you for the clarification. 

Could I ask whether there are plans to extend the security audit to the Mac & iOS versions of Enpass? It would be reassuring to have independent audits for all versions of your software.

Similarly, in view of continual advances of hacker tools & capabilities, it would be prudent to periodically repeat third party security audits. In my opinion, regular & robust security audits should be a well-defined part of your business strategy.

Edited by mushroom_daddy

Hi @mushroom_daddy

23 hours ago, mushroom_daddy said:

Could I ask whether there are plans to extend the security audit to the Mac & iOS versions of Enpass? It would be reassuring to have independent audits for all versions of your software.

Sure, we do have plans to get the macOS and iOS apps audited as soon as we add the important feature requests like Favicons, WiFi sync, etc. It's just a matter of time. Please bear with us.

23 hours ago, mushroom_daddy said:

Similarly, in view of continual advances of hacker tools & capabilities, it would be prudent to periodically repeat third party security audits. In my opinion, regular & robust security audits should be a well-defined part of your business strategy.

Agreed! But we can't do it very frequently, as it is a time-consuming and costly process.

Thanks for your understanding!


  • 4 weeks later...

I've been following Enpass for a while but have never seen a need to comment on the forum since I was waiting for a security audit before purchasing. I work in this area and I want to clarify a few things on here:

First of all, the disclaimer "It is important to note that because of the time constraints naturally involved during a Penetration Test exercise this project should not be considered a full security audit" is standard. You're unlikely to find someone who is going to declare something secure and take ownership of any vulnerabilities that are found. By their nature any audits are going to be limited in time and have disclaimers. A two-week audit by two people is quite expensive but is still best effort. Windows was audited for years by a multitude of people before being released, yet they still had a bunch of vulnerabilities. That being said, from my experience a two-person, two-week audit is probably enough for a smaller project like this if you exclude the open source software that it uses - and given the concerns people have being due to the software being closed source, that's probably fair. There's no point in spending two weeks auditing SQLCipher when people are worried about Enpass itself.

Now I do have some concerns with respect to the audit. There seems to be very little information about what they tested - if anything - other than trying to extract the master password in a variety of ways. Did they look for potential memory corruption vulnerabilities? Did they test the "password sharing" feature, which is new and is an obvious point of attack? Did they test the browser plugins, which are another possible attack vector? They mention looking at restoring databases; that's definitely an area of attack: say you store a less important database in the cloud, could it be used to compromise the application when it opens this database (possibly this vector only affects SQLCipher so it may have been out of scope)? Did they consider these attack vectors or were they only looking for master password issues? From their summary and methodology it seems that they would have, but there is too little information on this.

Another concern that I have with the audit is the following:

Quote

Shortly after our black box assessment of Enpass V 5.6.9, we were provided source code for the Enpass 6 apps

How much time was wasted reverse engineering Enpass v 5.6.9 before the source code was provided for 6? This is less of a concern for Android since Java applications are easily reversible, but they were still looking at older code at the time. How quickly did they get access to the Windows source code? There's a big difference between a one-week source code assessment and a two-week source code assessment. 

Someone mentioned PCI on this forum, that is only done for payment processing (you can tell by the name Payment Card Industry Data Security Standard). As far as I can tell Enpass does not take payments, they only allow purchases via app stores, thus have no need for PCI. In general PCI is a checklist for minimum standards: do you have a firewall, do you encrypt payment card data at rest and in transmission, etc. That checklist is then verified by an auditor, but it's meant to satisfy the payment processors and says nothing about the security of the software that Sinew produces. 

That being said, I want to applaud Enpass for making the full report accessible, very few companies would provide the report to their customers in full and would simply say "we've been audited by X". 


On 2/5/2019 at 10:15 PM, toor said:

First of all, the disclaimer "It is important to note that because of the time constraints naturally involved during a Penetration Test exercise this project should not be considered a full security audit" is standard

That is interesting, and thanks for that.

Also, toor, thanks for all the other info in this long post. Awesome.


  • 1 month later...
  • 2 months later...
On 4/11/2019 at 3:12 AM, Anonym Potato said:

Why don't you open source your code? Open source doesn't mean free, and I don't think that a lot of people would build the software from the source code. Nobody is wasting so much time to save 12€. Enpass is cheap as hell, and no one would pirate it.

This. Visible source doesn't mean you give away copyrights.

I'm saying it as a paid user when I had no reason to pay (free version was enough for my personal use).

 

Right now we are considering bitwarden for our company uses instead of Enpass.

Edited by crimson

  • 1 month later...

My question is simple and straightforward. I was not able to find a clear answer to this question.

I know that I am storing my passwords on my own local storage, which makes it way safer than cloud-based managers. My question is, can Enpass get my passwords? We are using the Enpass platform at the end of the day. Can they build a back door into the application that allows them to get our passwords?

Don't get me wrong, I love Enpass, but I want to make sure that I'm safe.

Cheers,
