Enpass Discussion Forum

Security audit


Gili


Hi @Magnus_Carlsen,

Thank you for reaching out to us. 

The correct, or rather the more accurate, question would be: does Enpass intend to create such a backdoor to steal customer passwords in the future? The answer would be a straightforward no. As a business, Enpass has larger goals that would benefit from securing customer data (since we are a security company), and not from stealing it. We have complete control over the queries originating from Enpass to servers and what they entail.
Furthermore, we have abundant users who happen to be experts in the security domain and who are more than capable of identifying any such misadventure just by looking at the URL connections created by Enpass and what they contain.
Lastly, we get regular 3rd-party audits, whose reports are available on our website. Please check out the link here.

Thanks!


Thank you very much for your quick reply Anshu, 

Although I want to believe what you are saying, I cannot help but ask these questions.

  1. Why aren't you making Enpass open source like Bitwarden? I would like to see the code of this software to feel more confident about this.
  2. The security audit is convincing, but it was done on 18/11/18, which is 9 months ago. I'm assuming you will be doing another security audit in 3 months.

Anshu, Please don't get me wrong - I want Enpass to be one of the biggest password managers while killing those ridiculously expensive subscription-based password managers. I believe Enpass can be that company but first and foremost, you have to ensure there are no question marks in people's minds regarding security. 

Edited by Magnus_Carlsen

Hi @Magnus_Carlsen

Thanks a lot for liking Enpass and sharing your thoughts with us. I do understand your concern about the security of your data. You can be assured that here at Enpass, we are always on our toes making sure that Enpass stays secure and trustworthy for our users. 
It was only for everyone's peace of mind that we switched to using SQLCipher (an open-source engine for cryptography) a while back. I also understand that by only using an open-source technology in software, one can't vouch for the overall security of the software. It's more about the implementation and interaction with and around SQLCipher. To check how prudent Enpass is in dealing with your data saved in SQLCipher, we got the first audit done for version 6. I do agree with you that it's been 9 months since then and Enpass has been updated a couple of times after that, and as a user you would like to see audits happen more frequently.

Even though we at Enpass, share the same desire of frequent audits to gain credence with our user base, its recurring cost is just not viable at current stage. However, we assure you that our future plans aim to cover these drawbacks and deliver audits at a more frequent pace.  

On 7/22/2019 at 8:30 AM, Magnus_Carlsen said:

Why aren't you making Enpass open source like Bitwarden. I would like to see the coding of this software to feel more confident about this.

I take your point that if Enpass had been open source, you could have checked the code yourself for your satisfaction from a security perspective, and we would not need to pay for audits as well. But in reality, the possibility of your data being at risk would stay the same if you install the binaries downloaded from our website and app store accounts. Furthermore, the majority of Enpass users would not have the time to compile the source for all platforms, sign it and then use it. At the end of the day, it all comes down to the intentions of the software provider and whether they are actually using the same source code in the software as published. I am not saying that companies following the open-source practice are not trustworthy, but I just want to communicate that we are working with benign intentions and would favor getting the audits done more frequently over going for open source.

I hope that helps in answering your queries.


Good response @Hemant Kumar, but I think another thing is the selling point of Enpass.

While some other password managers have their source code opened, they offer subscriptions, online storage and/or sync of the vaults.

Enpass's motto is "No subscription" and "...nothing is stored on our servers".

What Enpass has is a good piece of software, especially considering the cross-platform UX with clients for a broad range of operating systems.

While it still lacks autotype, it's still unbeatable at being everywhere; from Linux desktop all the way to my wrist.

Opening up the code completely would lead to numerous forks on GitHub in no time, and the golden egg wouldn't... well, there would be more eggs...

And, sure, the third fork could have a one-liner backdoor implemented, but that applies to all software on GitHub.

IMHO it's fully understandable if Enpass, having 25 employees with paychecks working hard on numerous platforms, wants to keep an ace up their sleeve; it just happens to be one of the _worst_ software categories to keep behind closed bars nowadays :-)

While I was one of those asking for an audit, which you did (kudos again), perhaps you could still consider opening parts up in the distant future.

For instance, in version 6, core and UI are written separately; perhaps you could open up the core code, leaving the GUI proprietary?

Or, open up core+UI but leverage some extra parts only through licensed stores, which you're already doing (Pro).

E.g. Enpass could be available as FOSS on GitHub, but the cloud sync would only be available on your site (still free for desktops).


  • 1 month later...

3 years have passed, I reread all the posts on this topic.
Tell me, is it safe to use Enpass? Are there any spyware programs installed in the applications? How good is encryption in Enpass? Are all the issues found in Lastpass fixed every year?

Fixed this problem?

(Remediated) Cleartext Storage of Sensitive Information in Memory (Windows) (CWE-316) – Medium

(Partially Remediated) Cleartext Storage of Sensitive Information in Memory (Android) (CWE-316) – Medium

Edited by modelator

  • 2 weeks later...
  • 1 month later...

I've been using Enpass for a while now and I really like it. I bought premium for both Windows and Android. However, I'm kind of concerned about the security. I know there was a third-party audit, but in the meantime there could have been new vulnerabilities that we don't know about. Open-sourcing Enpass would make it much more secure. Besides, contributions from the community could improve the app even further.

And there's no need to worry about income, there will still be plenty of people who will pay for the premium version because it's much easier than compiling the app from source for every update. And the people who would rather compile from source than pay for it probably weren't going to be paying for the premium version either way (and just pirate it instead or something).

I know that this is not an easy decision to make, but I would really appreciate it if you guys would seriously consider open-sourcing Enpass. I think it would be better for everyone. Thank you. 


Hey @Fabian1,

We understand your concern regarding the security audit and appreciate your keenness towards Enpass.
Over the last few months, we have been involved in charting out plans for the transition into a new business model. The security audit was postponed because the new subscription model required distinct app functionality, and a security audit done earlier would be useless for the new app.
Once the new app version is released, we'll zero in on the pending security audit.

Thanks.


Why not simply open-source (under a suitably restrictive license regarding commercial reuse) the actual cryptography algorithms, libraries and related code used in the application? That allows competent people to review the cryptography and subject it to whatever testing is necessary, while preserving the intellectual and commercial property inherent in a for-profit company. Granted security issues could well be elsewhere in the application code, but I think it's going a bit far to think that just open-sourcing the whole application is going to attract the kind of thorough external audit that actually needs to be done at regular intervals.

In fact, regular external audits of the whole application really *are* necessary, in addition to disclosures about the cryptography used. It would be great if Enpass is willing to invest that kind of money and publish the results!

UPDATE: I overlooked the other thread in this forum section about planned external security audits. Let's hope Enpass makes those a regular milepost in their plans!

Edited by Insert Real Name

I also support the idea of open-sourcing the code (security, confidence, reliability, ...).

Enpass is providing valuable support, new features and bug fixes that require regular updates.

As mentioned above by @Sam van der Kris, I'm pretty sure the business model will continue, even in open-source mode. People are ready to pay for a service (package, support, ...), even if the source code is available. Of course, not at any price! But as long as this price is reasonable, the open-source model will allow that.

Thanks again for this excellent product !


  • 3 months later...

I have the impression that the Enpass team is sleeping. Almost nothing happens here. No bug fixes, no promised changes take place, no updates and no real improvements for a long time. The developers only talk, and the fee gets collected every month...

Some examples:

Where are the common templates?

Why can't I still create templates from entries?

Why hasn't the bug with the ghost sections that cannot be deleted been fixed for more than 6 months?

Why is Enpass working with a PIN after restarting my smartphone? 1Password requires the master password for security reasons. The Enpass team promised to change that months ago.

Where is the option to use fingerprint and PIN at the same time?

When will there finally be a new independent audit? This has been promised for more than a year!

If you are also dissatisfied, please answer this complaint with "+1".


@Fabian1,

We understand that there are requests that have been pending for a long time. However, we're working to improve the app with each version. With version 6.4, we've catered to the long-awaited user request for OneDrive for Business sync.
We've forwarded the list of feature requests to our dev team for further thoughts and consideration.

Thanks.


  • semi_mod locked this topic
  • 2 months later...
  • 1 month later...

I've been following this thread for a good while. I'm responsible for recommending security tools for a large professional community in the UK.

I'm not currently able to recommend this product however passionate the developers might be.

In this thread there seems to be some conflation around security practices of:


1. the business itself with respect to penetration testing, security and integrity of the code (to prevent malicious code being added to source), process security (to defend against social engineering of the developers etc) and so on. 

2. the code base and architecture

It is not at all clear that good security practices are followed, that the staff are all well versed in any recognised international security standard, that they have a common code base, follow security by design principles, etc.

The fact that adding features, changing ui, etc can undermine the work of an audit is also worrying. Of course code changes can introduce new attack vectors and additional security bugs but there is no clear sense of the layers and modularity to the code base that would limit the risks.

I'm also not able to confirm that the programme itself supports, and the developers recommend, the use of strong two-factor authentication, particularly with physical token devices like YubiKey, to access the data the programme is intended to protect.

I had hoped to be able to recommend this to our thousands of members and offer some small discount purchase incentive. We'd have recommended a subscription model to ensure ongoing security updates, maintenance and enhancements.

Unfortunately, I do not feel able to progress this further.

I wish the business and the development team all the best and hope you are able to mature the product and meet the modern security challenges in due course.


  • 2 weeks later...

Hi @Grunt Futuk,

Thanks for your feedback.

We agree with you that a security-audit plays an important role for a password manager application, and we have planned one very soon down the line with the release of some exciting features.

To protect the integrity and sanctity of the source code, access to it is restricted and controlled by GitLab. Not everyone can push code to the production branch directly. Every merge request comprising changes is closely reviewed to keep a check on bad practices and malicious activities. The critical security module is additionally reviewed by the senior team and the CTO himself for security.

From the architecture standpoint, let me assure you that the codebase is fully modularized. GUI-specific code doesn't perform any cryptographic operations and acts as a client of our core module, which performs all the security-related operations and consists of various parts, i.e. database, cryptography module, network, etc. Our cryptography module is based on the open-source SQLCipher and has not changed a bit since the last audit, even after the addition of the subscription model. The core module is written in C++ and is shared by all platforms.


The request to add a second factor in authentication is something that is not required for Enpass because of its offline nature. Since the data is not saved on our servers, there is no requirement of a second factor for its release. However, the users who store their data in their cloud accounts (iCloud, Google Drive, OneDrive, Dropbox, Box and WebDAV) usually enable 2FA on those cloud accounts, protecting them from unauthorized downloading of Enpass data onto other, unauthorized devices. Also, users who want to add an additional layer with the master password can use a KeyFile, which is required for unlocking Enpass.


We understand your concerns and always take them very seriously. Feedback of our beloved users is what keeps us motivated to make Enpass better every day.

Thanks!

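The "master password plus key file" unlock the post above describes is a second factor for an offline vault: both secrets must be present on the device, and a stolen vault file cannot be opened with the password alone. The following is an added example, not Enpass's own code. This page does not say how Enpass combines the key file with the master password, so the construction here (PBKDF2-HMAC-SHA256 over the password and a digest of the key file, checked against a stored HMAC verifier), the iteration count, the salt length and the `create_vault`/`unlock` helper names are all assumptions chosen to illustrate the principle.

```python
"""Illustrative "master password + key file" unlock for an offline vault.

Added example, not Enpass's own code: the page does not describe Enpass's
key derivation, so the scheme below (PBKDF2-HMAC-SHA256 over password and
key-file digest, checked against a stored HMAC verifier) is an assumption
chosen to show the principle of a key file as a second factor.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # illustrative work factor (assumption)
KEY_LEN = 32                 # 256-bit vault key


def derive_vault_key(master_password: str, salt: bytes,
                     keyfile: Optional[bytes] = None) -> bytes:
    """Derive the vault key from the master password and an optional key file.

    The key file is reduced to a fixed-length SHA-256 digest before mixing,
    and a NUL separator sits between password and digest, so two different
    (password, keyfile) pairs cannot collide by shifting bytes between parts.
    Without the key file the same password yields a different, wrong key.
    """
    keyfile_digest = hashlib.sha256(keyfile).digest() if keyfile is not None else b""
    material = master_password.encode("utf-8") + b"\x00" + keyfile_digest
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)


def make_verifier(vault_key: bytes) -> bytes:
    """Tag kept in the vault header to recognise the right key (assumption).

    Only this HMAC tag is written to disk, never the key or the password.
    """
    return hmac.new(vault_key, b"vault-unlock-verifier", "sha256").digest()


def create_vault(master_password: str, keyfile: Optional[bytes] = None) -> dict:
    """Create vault metadata: a random salt plus the verifier of the derived key."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, keyfile)
    return {"salt": salt, "verifier": make_verifier(key)}


def unlock(vault: dict, master_password: str,
           keyfile: Optional[bytes] = None) -> Optional[bytes]:
    """Return the vault key only if BOTH factors are right, otherwise None.

    hmac.compare_digest keeps the check constant-time, so a wrong guess does
    not leak how many verifier bytes matched.
    """
    candidate = derive_vault_key(master_password, vault["salt"], keyfile)
    if hmac.compare_digest(make_verifier(candidate), vault["verifier"]):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    KEYFILE = os.urandom(64)  # stands in for a random file kept on a USB stick
    vault = create_vault("correct horse battery staple", KEYFILE)
    print("password + keyfile:", unlock(vault, "correct horse battery staple", KEYFILE) is not None)
    print("password only     :", unlock(vault, "correct horse battery staple") is not None)
    print("wrong keyfile     :", unlock(vault, "correct horse battery staple", b"other") is not None)
```

The point to take from the example is that the key file only helps if it is kept apart from the vault file: a key file that syncs to the same cloud folder as the vault adds nothing against an attacker who has compromised that cloud account, which is exactly the case the post relies on cloud-account 2FA to cover.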
