Oscar A. Mata T., posted December 31, 2018:

Hello, TBH Bitwarden works flawlessly. I have had a premium Enpass license for several years, so when I read the news about version 6 I wanted to give it a try again. I installed the app on my phone and my desktop (a Mac) and tried to import my Bitwarden vault. Bad experience: it only parsed 61 items, and I have more than 500 items of several kinds stored in my Bitwarden vault. I'm reporting the issue.
Brenku, posted December 31, 2018:

20 hours ago, hwsamuel said:
"Folks, if you want a fully audited and open source tool with multi-platform support (desktop, phone, browser), why not go with Bitwarden? Downsides: mainly one dev, and it uses its own cloud hosting with Microsoft Azure. Everything has pros and cons. PS - I am not affiliated with Bitwarden, by the way, just a new user there."

Because it took them so long to get the audit (we asked in this thread two years ago), the audit seemed rushed and possibly not in-depth enough, but also because of issues with support, issues during beta, and issues now with their new pricing model, I moved from Enpass to Bitwarden.

If you have issues with migration, I suggest you move to Enpass 6, export your vault as JSON, and import it from the Bitwarden web interface. If you have ATTACHMENTS in your Enpass vault, please be aware those don't get moved. You'll need to do that manually. It's easy, as Enpass has a "with attachments" search filter. I had only two. I removed them from my vault and re-imported them to Bitwarden after the vault was moved over.

Sorry, Enpass. I couldn't deal with you ignoring my support requests, nor all the changes I mentioned above. Not affiliated with anyone. Just used Enpass a long time. Tired of not getting anything I need from them.
Brenku, posted December 31, 2018:

7 hours ago, Oscar A. Mata T. said:
"Hello, TBH Bitwarden works flawlessly. I have had a premium Enpass license for several years, so when I read the news about version 6 I wanted to give it a try again. I installed the app on my phone and my desktop (a Mac) and tried to import my Bitwarden vault. Bad experience: it only parsed 61 items, and I have more than 500 items of several kinds stored in my Bitwarden vault. I'm reporting the issue."

If you have issues with migration, I suggest you move to Enpass 6, export your vault as JSON, and import it from the Bitwarden web interface. If you have ATTACHMENTS in your Enpass vault, please be aware those don't get moved. You'll need to do that manually. It's easy, as Enpass has a "with attachments" search filter. I had only two. I removed them from my vault and re-imported them to Bitwarden after the vault was moved over.
tgcrypt, posted January 3:

I am a big fan of Enpass; I have the license for Android, Windows and iOS, but seeing this audit left me very worried about the security of my data. I would like a more serious audit! The software is great; please do not apologize to those who use it and believe in your work!!!
GoodbyeEnpass, posted January 4:

I am leaving Enpass due to this poor security audit and the new pricing model. I honestly do not believe that my data is secure with Enpass due to this pathetic audit. They are obviously hiding something.
Vinod Kumar, posted January 4:

Hi @GoodbyeEnpass and @tgcrypt,

Please help me understand what is wrong with the security audit. Why do you think it is not complete? We gave full source code access to the audit company. Enpass is an offline password manager, so risks are lower by nature and attack vectors are always local. One can't execute remote attacks on it.

Thanks.
My1, posted January 4:

1 hour ago, GoodbyeEnpass said:
"I am leaving Enpass due to this poor security audit and the new pricing model."

What new pricing model? Did they start using subscriptions or what?

1 hour ago, Vinod Kumar said:
"Please help me understand what is wrong with the security audit."

I would guess that especially this part stands out a lot:

On 12/28/2018 at 10:19 PM, djohannes said:
"It is important to note that because of the time constraints naturally involved during a Penetration Test exercise this project should not be considered a full security audit."
tgcrypt, posted January 7:

On 1/4/2019 at 4:34 PM, Vinod Kumar said:
"Hi @GoodbyeEnpass and @tgcrypt, please help me understand what is wrong with the security audit. Why do you think it is not complete? We gave full source code access to the audit company. Enpass is an offline password manager, so risks are lower by nature and attack vectors are always local. One can't execute remote attacks on it. Thanks."

Hi @Vinod Kumar,

I think what @My1 quoted (on 1/4/2019 at 6:16 PM: "It is important to note that because of the time constraints naturally involved during a Penetration Test exercise this project should not be considered a full security audit") would be the most pertinent part. Although many people may only keep passwords they use on a daily basis, many who pay for the license store passwords and sensitive data, server passwords and bank details; that is very, very serious.
mushroom_daddy, posted January 7:

A thorough and robust security audit really should be a prerequisite for any company selling password repository software. On the face of it Enpass is great software, but if it has security holes then people will worry and start to look elsewhere. The recent report (highlighting recovery of master passwords) is not exactly reassuring, and also seems rather limited in scope to specific platforms.

Quote:
"The overall technical risk for Enpass based on the Security Assessment and the impact of discovered vulnerabilities is Medium ..."

"During the testing of the Enpass apps, VerSprite found that it was possible to recover the primary Vault's master password from memory for both Windows and Android apps."

I will continue to watch this discussion with interest ...
kreddad, posted January 10:

Still no audit news? I feel this project is not safe.
Vinod Kumar, posted January 10:

Hi @mushroom_daddy,

The vulnerability you quoted has been resolved (remediated). Please see page 5 of the audit report.

Thanks.
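The finding quoted earlier in the thread (the master password recoverable from process memory on Windows and Android) and the reply that it was remediated are the only details the thread gives; the report excerpt does not say how the password ended up resident or how the fix works. The example below is added here for readers who want to see the pattern such a fix usually follows. It is not Enpass code and makes no claim about what Enpass does internally: the master password is handed in a writable buffer, a key is derived from it, and the password bytes are overwritten before the call returns, using a wipe the compiler cannot optimise away. The key-derivation routine is a stand-in (iterated FNV-1a mixing), labelled as such in the code, chosen only so the example runs offline in a fraction of a second; a real implementation would use PBKDF2 or Argon2 there. The password, salt and function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* What stays resident while the vault is open: the derived key,
 * never the master password it came from. */
typedef struct {
    uint8_t key[KEY_LEN];
    int unlocked;
} vault_session;

/* Wipe the optimiser cannot drop. A memset() on a buffer that is about
 * to go out of scope is a dead store the compiler may legally elide,
 * which is one common way a password outlives its use; writing through
 * a volatile pointer forces every store to be emitted. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) {
        *vp++ = 0;
    }
}

static int is_zeroed(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Stand-in for a password KDF (iterated FNV-1a mixing). Assumption: a real
 * vault would use PBKDF2/Argon2 here; this is only deterministic and cheap
 * so that the lifetime pattern can be exercised. Not for real use. */
static void derive_key(const uint8_t *pw, size_t pwlen,
                       const uint8_t *salt, size_t saltlen,
                       uint8_t key[KEY_LEN])
{
    uint64_t h = 1469598103934665603ULL;
    memset(key, 0, KEY_LEN);
    for (unsigned round = 0; round < 4096; round++) {
        for (size_t i = 0; i < pwlen; i++) {
            h ^= pw[i];
            h *= 1099511628211ULL;
        }
        for (size_t i = 0; i < saltlen; i++) {
            h ^= salt[i];
            h *= 1099511628211ULL;
        }
        h ^= round;
        h *= 1099511628211ULL;
        key[round % KEY_LEN] ^= (uint8_t)(h >> (8 * (round % 8)));
    }
}

/* The password buffer is handed in writable and wiped the moment the key
 * exists, so the plaintext master password never outlives this call. */
int vault_unlock(vault_session *s, uint8_t *pw, size_t pwlen,
                 const uint8_t *salt, size_t saltlen)
{
    if (s == NULL || pw == NULL || pwlen == 0) {
        return 0;
    }
    derive_key(pw, pwlen, salt, saltlen, s->key);
    secure_zero(pw, pwlen);
    s->unlocked = 1;
    return 1;
}

/* Locking wipes the key the same way. */
void vault_lock(vault_session *s)
{
    secure_zero(s->key, KEY_LEN);
    s->unlocked = 0;
}

/* Whole lifetime on constructed input: after unlock the password buffer
 * holds only zeros and a key exists; after lock the key is gone too. */
int demo_master_password_lifetime(void)
{
    uint8_t pw[] = "correct horse battery staple";   /* constructed sample */
    const uint8_t salt[16] = { 0xd3, 0x7a, 0x01, 0x9c, 0x55, 0xe2, 0x10, 0x4f,
                               0xab, 0x06, 0x73, 0xc8, 0x2e, 0x91, 0x3d, 0x68 };
    size_t pwlen = sizeof pw - 1;                     /* drop the NUL */
    vault_session s = { {0}, 0 };

    if (!vault_unlock(&s, pw, pwlen, salt, sizeof salt)) {
        return 0;
    }
    int pw_gone = is_zeroed(pw, pwlen);
    int key_set = s.unlocked && !is_zeroed(s.key, KEY_LEN);
    vault_lock(&s);
    int key_gone = !s.unlocked && is_zeroed(s.key, KEY_LEN);
    return pw_gone && key_set && key_gone;
}

/* Same password and salt must yield the same key, or wiping the password
 * right after derivation would make the vault impossible to reopen. */
int derive_key_is_deterministic(void)
{
    const uint8_t pw[] = "hunter2";                   /* constructed sample */
    const uint8_t salt[4] = { 1, 2, 3, 4 };
    uint8_t a[KEY_LEN], b[KEY_LEN];
    derive_key(pw, sizeof pw - 1, salt, sizeof salt, a);
    derive_key(pw, sizeof pw - 1, salt, sizeof salt, b);
    return memcmp(a, b, KEY_LEN) == 0;
}

int main(void)
{
    printf("password wiped after unlock, key wiped after lock: %s\n",
           demo_master_password_lifetime() ? "yes" : "no");
    return 0;
}
```

Two caveats worth keeping in mind when reading a finding like the one quoted. First, this pattern only shortens how long the plaintext password sits in the process; copies made before the call (the GUI text field, an intermediate std::string or Java String, a clipboard) need the same treatment, and on managed runtimes such as Android's immutable String objects cannot be wiped at all, which is why secure inputs there are usually kept as char or byte arrays. Second, the derived key must stay in memory while the vault is open, so a debugger, a memory dump or a swapped page still exposes it on an unlocked vault; on POSIX systems mlock() on the key buffer addresses the swap case but nothing else. The point of the fix is to make sure the password is gone once the vault is locked, not to make an unlocked vault unreadable to someone with control of the machine.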
mushroom_daddy, posted January 10:

32 minutes ago, Vinod Kumar said:
"Hi @mushroom_daddy, the vulnerability you quoted has been resolved (remediated). Please see page 5 of the audit report. Thanks."

That's good to know. Thank you for the clarification.

Could I ask whether there are plans to extend the security audit to the Mac and iOS versions of Enpass? It would be reassuring to have independent audits for all versions of your software.

Similarly, in view of the continual advances in hacker tools and capabilities, it would be prudent to periodically repeat third-party security audits. In my opinion, regular and robust security audits should be a well-defined part of your business strategy.
Hemant Kumar, posted January 11:

Hi @mushroom_daddy,

23 hours ago, mushroom_daddy said:
"Could I ask whether there are plans to extend the security audit to the Mac and iOS versions of Enpass? It would be reassuring to have independent audits for all versions of your software."

Sure, we do have plans to get the macOS and iOS apps audited as soon as we add the important feature requests like favicons, WiFi sync, etc. It's just a matter of time. Please bear with us.

23 hours ago, mushroom_daddy said:
"Similarly, in view of the continual advances in hacker tools and capabilities, it would be prudent to periodically repeat third-party security audits. In my opinion, regular and robust security audits should be a well-defined part of your business strategy."

Agreed! But we can't do it very frequently, as it is a time-consuming and costly process. Thanks for your understanding!
zyghom, posted January 11:

Most of the features you are working on now are cosmetic changes (I believe), not new functionality related to security, so the audit could be done on major releases. Yes, it is costly, but yes, it buys the customers.
toor, posted February 5:

I've been following Enpass for a while but have never seen a need to comment on the forum, since I was waiting for a security audit before purchasing. I work in this area and I want to clarify a few things here.

First of all, the disclaimer "It is important to note that because of the time constraints naturally involved during a Penetration Test exercise this project should not be considered a full security audit" is standard. You're unlikely to find someone who is going to declare something secure and take ownership of any vulnerabilities that are found. By their nature any audits are going to be limited in time and have disclaimers. A two-week audit by two people is quite expensive but is still best effort. Windows was audited for years by a multitude of people before being released, yet they still had a bunch of vulnerabilities.

That being said, from my experience a two-person, two-week audit is probably enough for a smaller project like this if you exclude the open source software that it uses; and given that the concerns people have are due to the software being closed source, that's probably fair. There's no point in spending two weeks auditing SQLCipher when people are worried about Enpass itself.

Now, I do have some concerns with respect to the audit. There seems to be very little information about what they tested, if anything, other than trying to extract the master password in a variety of ways. Did they look for potential memory corruption vulnerabilities? Did they test the "password sharing" feature, which is new and is an obvious point of attack? Did they test the browser plugins, which are another possible attack vector? They mention looking at restoring databases; that's definitely an area of attack: say you store a less important database in the cloud, could it be used to compromise the application when it opens this database (possibly this vector only affects SQLCipher, so it may have been out of scope)? Did they consider these attack vectors, or were they only looking for master password issues? From their summary and methodology it seems that they would have, but there is too little information on this.

Another concern that I have with the audit is the following:

Quote:
"Shortly after our black box assessment of Enpass V 5.6.9, we were provided source code for the Enpass 6 apps."

How much time was wasted reverse engineering Enpass v5.6.9 before the source code was provided for 6? This is less of a concern for Android, since Java applications are easily reversible, but they were still looking at older code at the time. How quickly did they get access to the Windows source code? There's a big difference between a one-week source code assessment and a two-week source code assessment.

Someone mentioned PCI on this forum; that is only done for payment processing (you can tell by the name: Payment Card Industry Data Security Standard). As far as I can tell Enpass does not take payments; they only allow purchases via app stores, and thus have no need for PCI. In general PCI is a checklist of minimum standards: do you have a firewall, do you encrypt payment card data at rest and in transit, etc. That checklist is then verified by an auditor, but it's meant to satisfy the payment processors and says nothing about the security of the software that Sinew produces.

That being said, I want to applaud Enpass for making the full report accessible. Very few companies would provide the report to their customers in full; they would simply say "we've been audited by X".
My1, posted Monday at 01:32 PM:

On 2/5/2019 at 10:15 PM, toor said:
"First of all, the disclaimer 'It is important to note that because of the time constraints naturally involved during a Penetration Test exercise this project should not be considered a full security audit' is standard."

That is interesting, and thanks for that. Also, toor, thanks for all the other info in this long post. Awesome.