Re: Comment on CryptoIntents in openintents

[openi...@googlecode.com]

Comment by edaeschlimann:

I don't see a need for having to store 1 password or master key. I am very
impressed with the work that has done into this app. A job very well done!
Thank you. It is exactly what I have been looking for and it has allot of
potential for other apps. ega

For more information:
http://code.google.com/p/openintents/wiki/CryptoIntents

[openi...@googlecode.com]

Comment by unwe...@gmail.com:

I wouldn't worry about MD5 vs. SHA1 when there's plaintext passwords being
serialized into Intents and sent around the system for anyone to read.

[openi...@googlecode.com]

Comment by peli0101:

The master password is never sent over any intent, and no other application
except OI Safe ever gets to see it.
(Individual passwords for web sites are copied to the copy&paste buffer if
the user wishes so.)

[openi...@googlecode.com]

Comment by unwe...@gmail.com:

I wasn't talking about the master password, but about the passwords
encrypted with the master password.

My point is, if you're looking at the overall security of things, it'll be
easier intercepting ACTION_SET_PASSWORD than trying to exploit a weakness
in MD5 in order to get at them.

I'm assuming here that an attacker's intent (excuse the pun) is to get at
the passwords stored in OI Safe; obtaining the master password would then
only be a means to an end the attacker can bypass completely.

[openi...@googlecode.com]

Comment by peli0101:

That's why we require apps that want to use these intents to have the
necessary OI Safe permissions. The user has to grant these permissions at
installation time. Apps without them can't access the intents.

Of course this does not exclude the possibility that an app which got the
permission by the user is a malicious one... so the final responsibility
lies at the end user.

[openi...@googlecode.com]

Comment by unwe...@gmail.com:

Permissions don't enter the picture. It takes all of five minutes to create
an app that receives ACTION_SET_PASSWORD and looks pretty much like OI Safe
to Joe User. It's got your password. End of story.

Yes, it would be a lot nicer if it could pass the password on to the real
OI Safe in order to fool the user more efficiently. Yes, it would need OI
Safe permissions for that. No, it would not be a problem to create a
legitimate app that wants those permissions, and at the same time
maliciously intercepts ACTION_SET_PASSWORD.

The point isn't that OI Safe is broken. I'm not saying that. What I *am*
saying is that any security concept will be attacked at it's weakest point,
and the weak point with OI Safe is *not* MD5. It's that it's *incredibly*
easy to phish for passwords from Joe User if you send them around in
Intents.

[openi...@googlecode.com]

Comment by jcanas70:

Does OISafe store the data being encrypted in the SD card or on the phone's
built-in memory? If on SD card, anyone know the fully qualified path?
Thanks.

For more information:
http://code.google.com/p/openintents/wiki/CryptoIntents

--
You received this message because you are subscribed to the Google Groups "OpenIntents" group.
To post to this group, send email to openi...@googlegroups.com.
To unsubscribe from this group, send email to openintents...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/openintents?hl=en.

[openi...@googlecode.com]

Comment by peli0101:

It uses built-in memory. You can use menu > export or menu > backup to get
a copy on the SD card.

[openi...@googlecode.com]

Comment by lfarkas:

is there any desktop application which us the same algorithm and file
format as OI? in this case i can use the same apps on my desktop and on my
phone and just have to keep the safe file in sync.
the best would be some kind of java apps which can be run on linux,
windows, mac and android.
thanks.

[openi...@googlecode.com]

Comment by balajite...@gmail.com:

fine,

[openi...@googlecode.com]

Comment by lozaloz...@googlemail.com:

when i downloaded oi i did not get the master password and therefore cant
now get in and its only place i have a really important peice of
information can anyone help please? xx

[openi...@googlecode.com]

Comment by sunnydo...@gmail.com:

please hack this idBrand New 2011 Pirates Facebook Hack

[openi...@googlecode.com]

Comment by umlgu...@gmail.com:

I personally want my passwords safer than SHA1 as well, I want SHA2, or
even higher. Perhaps allowing the user/phone owner pick the encryption
scheme either at app initialization time or with a config setting with a
warning about "slowness" may appease everyone. I cannot afford to have my
passwords hacked/swiped if I lose my phone.

For more information:
https://code.google.com/p/openintents/wiki/CryptoIntents

[openi...@googlecode.com]

Comment by steven.d...@gmail.com:

How do I transfer my OIsafe with passwords to a new phone? Is there any
way other then manually typing in the passwords? Can I copy the file to
the new phone and instal the OIsafe on the new phone?

[openi...@googlecode.com]

Comment by rberry1...@gmail.com:

I transferred my OIsafe app to my new phone, but when I put in my password
to access my files it shows I have nothing saved on my files. I have
important info that I need to access, can you please help me?

[openi...@googlecode.com]

Comment by LynMabe...@gmail.com:

Install OISafe, then copy the oisafe backup file to a location, open oisafe
and restore using the backup file, and use the same Master Password

[openi...@googlecode.com]

Comment by LynMabe...@gmail.com:

I'm still using OISafe on Droid X (2nd gen) running Android 5.0 , I have
yet to find a good replacement application with all the features that
OISafe offers.

[openi...@googlecode.com]

Comment by jyotirmo...@gmail.com:

I hv put really really difficult passwords for my accounts through oisafe.
I used to copy-paste passwords while logging in. Now i hv learned that my
clipboard is not safe! What's the way out? Is it possible to have a
seperate clipboard, and password protect them or something else may be?