Keepass2android: Protection against advanced clipboard managers

Created on 2 Oct 2018 · 7 Comments · Source: PhilippC/keepass2android

On my Android device, the stock clipboard manager holds the last 7 items in a buffer, which can be accessed through the keyboard. When KP2A automatically clears the clipboard after copying a password, it does so by copying * to the clipboard. Unfortunately, it does so only once, so * is added to the bottom of the clipboard stack, and the recent password clipping just rolls up the stack. This is insecure.

It's nice that KP2A warns that clipboard clearing doesn't always work, but here's a better idea:

KP2A should copy * to the clipboard not just once when it wants to clear the clipboard, but 10 (or 100) times. That way, the recent password will roll beyond the buffer of most clipboard managers and be lost. If there is no advanced clipboard manager on the device, then no harm will be done from copying * multiple times, and I assume copying 100 times could happen very quickly. There can even be an advanced setting in KP2A for how many times to copy over the clipboard.

All 7 comments

+1 for this request

Any word from the developer on this? It seems like a big problem that can be fixed very easily.

Still nothing about this, really?

While I agree with the request, the entitlement complex you're presenting is pretty absurd. You're free to make a program that does this if you can't wait.

(I've blocked @remanifest. Hopefully someone else will make a meaningful contribution to this discussion.)

I do not recommend copying any really sensitive information to the clipboard. While it might not be accessible through the clipboard manager, any app on your phone can store (or transmit) any clipboard contents before we try to remove it from the clipboard.
That said, I see this as a valid feature request - but there are hundreds of other requests as well, that's why I haven't scheduled it for any concrete milestone yet.

On my Android device, the stock clipboard manager holds the last 7 items in a buffer, which can be accessed through the keyboard. When KP2A automatically clears the clipboard after copying a password, it does so by copying * to the clipboard. Unfortunately, it does so only once, so * is added to the bottom of the clipboard stack, and the recent password clipping just rolls up the stack. This is insecure.

It's nice that KP2A warns that clipboard clearing doesn't always work, but here's a better idea:

KP2A should copy * to the clipboard not just once when it wants to clear the clipboard, but 10 (or 100) times. That way, the recent password will roll beyond the buffer of most clipboard managers and be lost. If there is no advanced clipboard manager on the device, then no harm will be done from copying * multiple times, and I assume copying 100 times could happen very quickly. There can even be an advanced setting in KP2A for how many times to copy over the clipboard.

Why do you use the clipboard when there is a great built-in keyboard in keepass2android?

One of the main advantages of keepass2android (besides many others, like using the main KeePass core for file editing, etc.) is that it has a keyboard, so you can use it for passwords and... without using the clipboard.

And in newer Android versions you can even use the system's autofill API.

Or you can install the accessibility plugin.

All these options are far more secure than using the clipboard.

Even if keepass2android rewrites the clipboard 1000 times before clearing it, if malware saved it, it won't be cleared. Also, there are many advanced clipboard managers like clipper and clipstack in the Play Store that, if you choose to install them (they are really useful), can save your clipboard data indefinitely.

So malware certainly will have this feature, and this only adds a false sense of security in my opinion.

Regards.
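The proposal in the original post and the objections raised in the replies can be compared in a small model. This is an added example, not code from KP2A or from any participant in the thread; the 7-item history comes from the original post, while the de-duplicating manager, the clipboard listener and all names in the code are assumptions made for illustration.

```python
from collections import deque

class HistoryClipboard:
    """Model of a clipboard manager that keeps the last `capacity` clips."""

    def __init__(self, capacity=7, dedupe=False):
        self.history = deque(maxlen=capacity)  # oldest clip is dropped when full
        self.dedupe = dedupe                   # assumption: some managers collapse identical clips
        self.listeners = []                    # models any app observing clipboard changes

    def copy(self, text):
        if self.dedupe and text in self.history:
            self.history.remove(text)          # existing clip moves to the top, no growth
        self.history.append(text)
        for notify in self.listeners:
            notify(text)

def clear_by_overwrite(clipboard, times, distinct=False):
    """Overwrite the clipboard `times` times; distinct=True varies the filler text."""
    for i in range(times):
        clipboard.copy(f"*{i}" if distinct else "*")

def password_exposure(capacity, times, dedupe=False, distinct=False):
    """Copy a constructed password, run the clearing routine, report where it survives."""
    secret = "constructed-password"            # constructed sample value
    clipboard = HistoryClipboard(capacity, dedupe)
    captured = []
    clipboard.listeners.append(captured.append)
    clipboard.copy(secret)
    clear_by_overwrite(clipboard, times, distinct)
    return {"in_history": secret in clipboard.history,
            "captured_by_listener": secret in captured}

if __name__ == "__main__":
    cases = [("single overwrite", dict(times=1)),
             ("7 overwrites", dict(times=7)),
             ("100 overwrites, de-duplicating manager", dict(times=100, dedupe=True)),
             ("7 distinct overwrites, de-duplicating manager",
              dict(times=7, dedupe=True, distinct=True))]
    for label, kwargs in cases:
        print(label, password_exposure(capacity=7, **kwargs))
```

In this model, repeated overwriting only evicts the password when the number of retained filler clips reaches the history size, and a listener that saw the original copy keeps the password in every case.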
