
I'd stay away from any KeePass clients with network access. I don't have a recommendation for iOS, but for Android KeePassDX [0] seems like a good option as it has no network permission to begin with.

[0] https://www.keepassdx.com/



Strongbox is a fantastic KeePass client on iOS and macOS. They offer a fully offline version called Strongbox Zero.

https://strongboxsafe.com


How do you attest this without simply trusting the dev or monitoring package data transferred by the app?[1] iOS, differently from Android, doesn't have an explicit network permission that the user can verify.

All apps have network access by default and there’s nothing you can do about it without jailbreaking.

[1] As many pointed out: open source on iOS is a moot point as there's no way to verify the binaries.


You are incorrect; you can verify network access on iOS. https://support.apple.com/en-us/HT212958


You're misunderstanding me. On Android you can see if the app has the network permission. On the iOS privacy report you can see if the app accessed the network.

There's an important distinction. In the first instance the app can't access the outside world. In the second you will just know that it did.

[Edit]

See the author of keepassium commenting on the same issue about a month ago:

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...


> All apps have network access by default and there’s nothing you can do about it without jailbreaking.

There is another option - buy an iPhone in China:

iOS: Disable WiFi (not just cellular) for specific apps without jailbreaking https://tinyapps.org/blog/202209100700_ios-disable-wifi-per-...


I don't understand how this isn't available everywhere. I would love to block certain apps from ever accessing the internet!


+1 for strongbox.

Have been using it for 3-4 years now. Its integration with the Apple ecosystem is second to none. I do use an online version that syncs with iCloud so I can access it anywhere (but with a Yubikey).



How do you suggest keeping your database in sync between your desktop and mobile device? I use Keepass2Android and I'm 100% happy with it, because it has incredibly good Dropbox sync support. I don't think throwing out every single networked feature just because of one malicious app is a reasonable or proportionate response.

Besides, I'm sure some clever attackers could think long and hard and come up with plenty of covert exfiltration channels without even needing direct network access. For example, adding a "safety redirect" every time you open your web browser, like t.co does.


Can't you store the database locally and then have Dropbox or Google Drive upload it to your drive?

It's still not 100% secure, but you would need both a compromised Keepass app and a compromised Dropbox app.


I would never use a KeePass client on a mobile device. I have zero trust in what developers have published there. If I need to type a password on a mobile device, I will do it manually.


Would Android require you to accept new permissions if network access were implemented "sometime"?


For iOS I use KeePassium. A paid app.


To be precise, KeePassium is a freemium app (free tier + some premium features)


Correct me if I'm wrong, but you don't need to request network permissions to be able to make outside connections.

Almost all apps make outside connections and it would make no sense to prompt the user for that.


If you don't declare network access in the app manifest, your app cannot make a network connection. If you declare network access, the app can make a network call and user confirmation is not required. It is thus very easy to check for apps that are truly offline.
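As an added example (not code from any commenter or from the apps named in the thread), the following Python script performs the check described above: it reads a decoded AndroidManifest.xml, as produced by `apktool d app.apk`, and reports whether the app declares `android.permission.INTERNET`, the permission without which an Android app cannot open a socket. The two sample manifests are constructed for illustration; the permission names are the real Android ones.

```python
"""Check whether an Android app's manifest declares network access.

Added example, not from the thread. Reads a *decoded* AndroidManifest.xml
(plain XML, e.g. from `apktool d app.apk`); the manifest inside an APK is
binary XML that ElementTree cannot parse directly.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# INTERNET is what actually allows sockets. The others only expose
# connectivity state, but are worth listing when auditing an "offline" app.
NETWORK_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_NETWORK_STATE",
    "android.permission.CHANGE_WIFI_STATE",
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """All permissions the manifest requests, install-time or SDK-23 style."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if name:
                perms.add(name)
    return perms


def network_permissions(manifest_xml: str) -> set[str]:
    """Subset of declared permissions that relate to the network."""
    return declared_permissions(manifest_xml) & NETWORK_PERMISSIONS


def is_offline(manifest_xml: str) -> bool:
    """True only when INTERNET is absent: the app then cannot reach the network."""
    return "android.permission.INTERNET" not in declared_permissions(manifest_xml)


# Constructed sample manifests (not from any real app).
OFFLINE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.offline.vault">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
    <application android:label="Offline Vault"/>
</manifest>
"""

ONLINE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.online.vault">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission-sdk-23 android:name="android.permission.USE_BIOMETRIC"/>
    <application android:label="Syncing Vault"/>
</manifest>
"""


if __name__ == "__main__":
    for label, manifest in (("offline", OFFLINE_MANIFEST), ("online", ONLINE_MANIFEST)):
        print(label, "offline" if is_offline(manifest) else "NETWORK:",
              sorted(network_permissions(manifest)))
```

For a quick look at the undecoded APK itself, `aapt dump permissions app.apk` prints the same `uses-permission` list; the script above is for the decoded form. Note that INTERNET is a normal-protection permission on Android, so its presence never triggers a runtime prompt, which is exactly why reading the manifest, rather than waiting for a dialog, is the check.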



