this post was submitted on 18 Jan 2025
26 points (100.0% liked)


Am I just overthinking this?

I like Keepass2Android because of its "QuickUnlock" feature, but it looks very old, is mainly distributed via Google Play and not on the official Fdroid repo. (Also, doesn't Google now have the signing keys of all apps? Kinda sus if Google could just sign updates and bypass the developers)

KeepassDX seems more secure, since the Fdroid and Google Play versions are separate, using (I assume) separate signing keys, so Google can't sign an update for the Fdroid version. Looks more "Modern" but it lacks the "Quick Unlock" feature, so biometrics are the only convenient way to quickly unlock it. I prefer something like "Quick Unlock", which feels more secure (since there's no shenanigans like replicating a fingerprint to fool the biometrics scanner).

TLDR: I really want the "QuickUnlock" feature of Keepass2Android, but with the Google policy of having the signing keys, I'm kinda sus.

Am I overthinking this?
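As an added example (not code from this post, from Keepass2Android, from KeepassDX or from F-Droid): the check behind the "separate signing keys" reasoning is the signer certificate fingerprint. Android refuses to install an update whose signer differs from the installed app's, which is exactly why a Play-signed build can't replace an F-Droid-signed one; the script below does the same comparison by hand before sideloading, reading the certificate out of the APK's v2/v3 APK Signing Block and comparing its SHA-256 (the value `apksigner verify --print-certs` prints) against a pinned fingerprint. The certificate bytes and the pinned value are constructed placeholders (a real certificate is X.509 DER), and `build_test_apk` is a fixture that fabricates a tiny APK around them so the parser runs offline; it reads the signer identity only and verifies no signatures.

```python
"""Read the signer certificate from an APK Signing Block and pin its SHA-256.

Added example for this thread; not code from Keepass2Android, KeepassDX or F-Droid.
The certificates below are constructed placeholders, not real X.509 DER.
"""
import hashlib
import hmac
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A   # APK Signature Scheme v2
V3_BLOCK_ID = 0xF05368C0   # APK Signature Scheme v3 (same layout up to the cert list)


def _lp(data):
    """uint32 little-endian length prefix, used throughout the signing block."""
    return struct.pack("<I", len(data)) + data


def _read_lp(buf, off):
    """Return (element, next_offset) for a length-prefixed element at `off`."""
    (n,) = struct.unpack_from("<I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def extract_signer_certs(apk):
    """Return the first certificate (DER bytes) of every signer in the v3 or v2 block."""
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no End of Central Directory record; not a zip/APK")
    (cd_offset,) = struct.unpack_from("<I", apk, eocd + 16)
    # The block sits right before the central directory and ends with
    # uint64 size + 16-byte magic; the same size is repeated at the block start.
    if apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block (unsigned or v1-only APK)")
    (size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    start = cd_offset - 8 - size
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("corrupt APK Signing Block")
    pairs = apk[start + 8:cd_offset - 24]
    blocks = {}
    off = 0
    while off + 12 <= len(pairs):            # each pair: uint64 length, uint32 id, value
        (n,) = struct.unpack_from("<Q", pairs, off)
        (pair_id,) = struct.unpack_from("<I", pairs, off + 8)
        blocks[pair_id] = pairs[off + 12:off + 8 + n]
        off += 8 + n
    block = blocks.get(V3_BLOCK_ID, blocks.get(V2_BLOCK_ID))
    if block is None:
        raise ValueError("no v2/v3 signature block")
    signers_seq, _ = _read_lp(block, 0)
    certs = []
    off = 0
    while off < len(signers_seq):
        signer, off = _read_lp(signers_seq, off)
        signed_data, _ = _read_lp(signer, 0)          # first field of a signer
        _digests, sd_off = _read_lp(signed_data, 0)  # digests precede certificates
        cert_seq, _ = _read_lp(signed_data, sd_off)
        first_cert, _ = _read_lp(cert_seq, 0)        # leaf cert comes first
        certs.append(first_cert)
    return certs


def signer_fingerprint(apk):
    """SHA-256 of the first signer's certificate, lowercase hex (what apksigner prints)."""
    return hashlib.sha256(extract_signer_certs(apk)[0]).hexdigest()


def check_signer(apk, pinned_fingerprint):
    """True if the APK's signer matches the pinned fingerprint (colons/case ignored)."""
    expected = pinned_fingerprint.replace(":", "").lower()
    return hmac.compare_digest(signer_fingerprint(apk), expected)


def build_test_apk(cert_der):
    """Constructed test fixture: a one-entry zip with a v2 signing block wrapped
    around `cert_der`.  No real signature is produced; only the structure is right."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed placeholder")
    apk = buf.getvalue()
    signed_data = _lp(b"") + _lp(_lp(cert_der)) + _lp(b"")   # digests, certs, attrs
    signer = _lp(signed_data) + _lp(b"") + _lp(b"")           # + signatures, pubkey
    v2_value = _lp(_lp(signer))
    pair = struct.pack("<QI", 4 + len(v2_value), V2_BLOCK_ID) + v2_value
    size = len(pair) + 8 + 16
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = apk.rfind(b"PK\x05\x06")
    (cd_offset,) = struct.unpack_from("<I", apk, eocd + 16)
    # Splice the block in before the central directory and fix the EOCD offset.
    fixed_eocd = apk[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + apk[eocd + 20:]
    return apk[:cd_offset] + block + apk[cd_offset:eocd] + fixed_eocd


# Constructed placeholders standing in for two different signing certificates.
CERT_FDROID = b"constructed placeholder DER: F-Droid build signing certificate"
CERT_PLAY = b"constructed placeholder DER: Google Play signing certificate"
# Hypothetical pinned value, as you would record it from the build you trust.
PINNED_FDROID = hashlib.sha256(CERT_FDROID).hexdigest()

if __name__ == "__main__":
    for name, cert in (("fdroid", CERT_FDROID), ("play", CERT_PLAY)):
        apk = build_test_apk(cert)
        print(name, signer_fingerprint(apk), check_signer(apk, PINNED_FDROID))
```

On a real APK, replace `build_test_apk(...)` with the file's bytes and `PINNED_FDROID` with the fingerprint you recorded from the build you trust. The comparison only tells you who signed the package: a build signed with the same key by a developer who has sold the app or been compromised passes it, which is the separate point about source-to-binary mismatch that F-Droid's from-source builds address.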

top 14 comments
[–] [email protected] 10 points 1 day ago

I have been using keepassdx for years and am happy with it

[–] [email protected] 11 points 1 day ago

It's KeepassDX for me, works great. If there is an F-Droid alternative then that is what I use.

[–] [email protected] 6 points 1 day ago

I use KeepassDX. Love it. I really like biometric unlock on apps, but I don't use it to unlock my phone.

[–] [email protected] 6 points 1 day ago

FYI The IzzyOnDroid repo still provides the Keepass2 Android Offline version.

[–] [email protected] 7 points 1 day ago (2 children)

Man, at this point you should think about your treat model. Are you a high profile target? If so, choose security over convenience, but if you only want your privacy, you probably can have a comfortable balance between security and convenience.

I use keepass2Android.

[–] [email protected] 11 points 1 day ago (1 children)

Man, at this point you should think about your treat model.

Terry finishes some paperwork and he gets a chocolate nib.

[–] [email protected] 1 points 1 day ago (2 children)

I mean, the 2 options I'm thinking of are:

Use KeepassDX (installed via Fdroid) + Biometrics

(downside being the possibility of Biometric exploits)

Or

Use Keepass2Android + Quick Unlock (without biometrics)

(downside being Google doing malicious update)

Which would be the "more secure" option?

(I don't want to type the entire passphrase every time, that's all I care about, but still want the most secure option that isn't too inconvenient)

[–] [email protected] 4 points 1 day ago (1 children)

That's what Arthur describes: you're comparing from my point of view two non issues against each other.

If you don't have the profile that either warrants:

  • Google would risk business revenue by having to handle a MITM attack done by them or
  • someone investing in an elaborate scheme to get a fingerprint copy

And that being worth it instead of just getting you personally is a very specific threat model where I lack the fantasy on what would warrant that.

Or to give the relevant xkcd:

https://xkcd.com/538/

And to answer your specific question: I personally went with keepass2android and have neither issues nor concerns so far.

[–] AnAmericanPotato 6 points 1 day ago (1 children)

Another issue with Google Play is that there's nothing stopping the developer from pushing out an update that doesn't match the published source. It isn't tied to GitHub or anything.

Developers with apps on Google Play are frequently targeted with buyout requests from scammers looking to get malware to an existing user base. Or even if it's not explicitly malware, it could be closed-source.

For example, the "Simple Mobile Tools" app developer sold their apps a year or two ago. Now they have ads, in-app purchases, and god knows what else. If you had installed them from Google Play, you would have received these updates automatically. Those new versions don't exist on f-droid, naturally. Anyone who was using them should really uninstall them and install the "Fossify" forks from f-droid.

Every developer ID publishing on Google Play is potentially for sale. There are no real safeguards against this, and you might never know. At least with F-Droid it's verified as open source and malicious (or just plain crappy) updates can be identified and dealt with, either by f-droid maintainers or by end users.

[–] [email protected] 2 points 1 day ago

Oh yeah I agree with that and a good point! Google Play Store is convenient but... Well I circumvent it where possible, more due to the tracking mania but your points added to my sensitivity, so thank you!

[–] [email protected] 3 points 1 day ago

Both are fine, take the easiest.

[–] [email protected] 5 points 1 day ago

You can also install K2A directly from github through obtainium or manually.

[–] [email protected] 2 points 1 day ago

I quite like AuthPass