[grouchypumpkin]

I worry a lot about password managers on mobile. Such as:

* if an app has a single developer (keepassium? strongbox?), how much money would it take them to add a back door? 1M USD? 10M USD? Let’s say they are exceptionally honest, and won’t take money. How about threats to their lives or families?

* if an app has a small number of engineers with commit access (bitwarden? 1paasword?) could any one of them be compromised by money or threats?

* Would password managers from Google/apple/microsoft fare better because they already face these risks and have controls? Or maybe not?

[wvh]

Does that not apply to anything in life? How difficult is it to get code into any open-source software package or distribution really? I work in high-security environments, and I'm always wondering how you can really guarantee that any Debian, Ubuntu or Arch developer is honest and not compromised themselves, any software package installed is 100% clean, and any software library module and container image is fully checked. And that's not getting into tin foil hat assumptions about a shady government agency having access to the major app stores, Github, common distributions or email hosters.

There simply is no way anymore to check the several million lines of code even a minimal setup requires somewhere in the stack. Even an in-depth code review of a medium sized web application – with deps – has already become a gargantuan task most companies simply can't afford.

[prmoustache]

> Or maybe not?

This.

It is just slightly more difficult and longer to target it in a large company because you usually have to actually be hired by that company and do not necessarily have the choice of the team/products you will be working on.

But adding backdoors and vuln, yes totally possible on random products that person would be affected to. There is review fatigue the same way there is fatigue in a lot of processes.

[PinguTS]

> It is just slightly more difficult and longer to target it in a large company because you usually have to actually be hired by that company and do not necessarily have the choice of the team/products you will be working on.

There are lots of examples at almost all the fortune 500. Because they do not sneak in as just some random employee.

Cisco is very well known for backdoors in their equipment.

[azurezyq]

Adding a backdoor is not the difficult part, leaving no trace is. People don't know who you are on github, but it's easy for top name companies to track who created the backdoor in great detail. Actually the power of tracing real person is one of the the best defenses.

[hggigg]

I would tend to trust Apple more as they define attack vectors and mitigations in their platform security guide. Also they have a holistic approach to this from hardware through to software, not just an app tacked crudely onto whatever APIs were lying around.

I would NOT trust Microsoft though. I've had enough problems with Authenticator and so have other users in our org that I refuse to put data near it. Not concerned so much about other people getting access to it but me losing my data.

[KeePassium]

> Let’s say they are exceptionally honest, and won’t take money. How about threats to their lives or families?

The more I think about it, the better I understand TrueCrypt's sudden demise.

[blop]

yes, it's my biggest worry too.

At least with keepassDX on android there is no internet access permission needed by default, but if a compromised update suddenly required it I don't know if Android would prompt about it since all apps have internet access granted without prompting :(

I also wish it was possible to block automatic updates of specific apps on the play store... So at least we could be in control over updating critical apps such as these without having to micromanage updates for all apps.

[blahlabs]

On GrapheneOS there is a prompt when installing an app that asks if you would like to grant network access. I am not sure if that pop up displays if network access is added later in an app update though.

[nazarewk]

I'm pretty sure I got prompted once or twice before updating to app with new permissions added.

[LeoPanthera]

> add a back door?

What's your threat model here? Some kind of mass hacking attempt? It would be easier to attack the service providers, rather than steal legitimate logins.

A targeted attack on a specific person? It would be easier to, as the famous XKCD suggests, drug and/or hit them with a wrench until they voluntarily hand over whatever information you want.

It's difficult to conceive of a situation where hacking password managers is the path of least resistance.

[Etheryte]

The idea is to sell the dump, this is the case for nearly every dataset you see reported on Have I Been Pwned. I'm not really sure how there is even any question about oh why would anyone do this?

[grouchypumpkin]

Isn’t it the same threat model as Lastpass breach? Login credentials seem to be worth money, and crypto keys even more.

[pantulis]

The comment was referring to Keepassium and Strongbox, which do not store credentials on their servers so it's not exactly the same. While conceivably a compromised Keepass wrapper could decrypt and send the dump of each and every file it opens, I doubt it would pass unnoticed.

[jasonm23]

I'm really confused. How do you think that would work with an opensource password manager like pass / password-store.org

- The data is stored in Git at a location of your choosing and security level

- The data encryption is provided by GnuPG using your personal key

This is why I use it, there's no potential for anyone to add a back door, except me.

BitWarden, LastPass, etc etc... you have a point, and I would not trust these companies one iota.

Apple, Google etc...uhm... not in a million years.

[WD-42]

pass clients can totally be backdoored. They decrypt the secret to plain text and add it to your clipboard or whatever... could easily shuttle it off somewhere else at that point.

[jasonm23]

You build it from source if you have concerns, so no, it can't "totally be backdoored".