What is Keepass2Android
KeePass is a fantastic free and open source (FOSS) password manager. Out-of-the-box, it offers features that match any of its commercial rivals, and these can be expanded upon with a wealth of open source plugins. Unlike most commercial password managers, KeePass is end-to-end secure. Your password files are encrypted by yourself, and only you (or someone you have authorized) can open them. KeePass’ open source code has now been fully audited by the European Commission's Free and Open Source Software Auditing (EU-FOSSA) project. The core KeePass program is Windows-only, but approved ports are available for most platforms.
There are a number of KeePass ports for Android. Most of these are open source and can open and manipulate regular KeePass files. I use KeePass2Android because:
- It has much better Android integration than other open source KeePass ports. Or, indeed, than most commercial products I have reviewed. I must admit, though, it is not as elegant as the browser integration offered by Sticky Password.
- It does not rely on Android’s insecure clipboard function to work.
Both of these advantages are related to KeePass2Android’s custom keyboard feature (see below).
The main downside of KeePass2Android is that it is only available via the Google Play Store, and is therefore updated via Google Play Services. This means that, in theory, Google could slip malicious code into an update at any time. After assessing my threat model I am comfortable with the trade-off between this risk and the advantages listed above. For anyone who is (quite understandably) Google-phobic, I recommend using either KeePass DX or KeePass Droid instead. Both of these apps are available from F-Droid and mitigate the clipboard problem with a clipboard timeout. This is not as secure as KeePass2Android’s keyboard solution, but does minimize the problem.
The Keepass2Android Keyboard
Most Android password managers (including most KeePass ports) work using Android’s built-in clipboard function. This allows you to copy and paste usernames and passwords from an opened KeePass database to the app or webpage where they are needed. However:
“Many [password] apps completely ignore the problem of clipboard sniffing, meaning that there is no cleanup of the clipboard after credentials have been copied into it. [...] We found that, for example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using 'hidden phishing' attacks.”
KeePass2Android solves this problem by providing its own keyboard. This can directly access the KeePass database and enter usernames and passwords into forms without the need to store data on Android’s clipboard. The keyboard is also good for Android integration, as it works with all apps. There is no need for any form of custom integration or browser add-on. It can be installed alongside other keyboards and easily swapped in and out with them.
I find the KeePass2Android keyboard a little basic for day-to-day use as an Android keyboard. It features no text prediction, personalized auto-correct, or fancy swipe input, for example.
But this is not necessarily a bad thing. These features are a serious privacy risk. The KeePass2Android keyboard, on the other hand, is completely self-contained and sends no information to anyone.
Again, after assessing my threat model, I am comfortable sacrificing a little privacy for convenience, and therefore only use the KeePass2Android keyboard for entering passwords. Sorry, but I am just lazy! For the seriously privacy-conscious, however, the KeePass2Android keyboard would make a great daily driver.
Keepass2Android Cloud Syncing
It is easy to securely sync passwords across devices using any cloud service. This includes the likes of Dropbox and Google Drive. Before you object, I am well aware that services such as this are a privacy nightmare. The thing is, though, that it doesn’t matter. Each KeePass .kdbx file is encrypted by yourself using rock-solid encryption. By default, KeePass 2 uses an AES-256 cipher with SHA-256 hash authentication. This is very secure, but even stronger options are available. The only way to access the file is using a master password which should be known only to yourself. So pick a good one! There is also the option to further improve security by requiring that a key file (created by yourself) be present when opening the .kdbx file. In other words, no-one is going to open a properly secured KeePass file, no matter how publicly it is stored. The truly paranoid, however, can store a .kdbx file locally on their Android devices and manually synchronize it with .kdbx files stored on other devices using a USB cable or suchlike. If you do not plan on using KeePass2Android’s online syncing features then you can install the offline-only Keepass2Android Offline instead. Passwords are synced online whenever you save changes to the database. This is because all your KeePass programs on all your devices access the same .kdbx file.
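To show why a key file is more than a second password, here is an added example (my own code, not KeePass’ or Keepass2Android’s) of the KeePass 2 composite-key construction that all further key derivation starts from: the master password is hashed with SHA-256, the key file contributes 32 bytes of independent material, and the two are hashed together. The key-file rules follow the plain KDBX formats (32 raw bytes, or 64 hex characters, otherwise the file’s SHA-256); XML key files, the AES-KDF/Argon2 stretching and the master-seed mixing are deliberately left out.

```python
import hashlib
import secrets
from typing import Optional


def password_key(password: str) -> bytes:
    """KeePass 2 contributes the SHA-256 of the UTF-8 master password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def key_file_key(data: bytes) -> bytes:
    """Turn the raw contents of a key file into its 32-byte contribution.

    KeePass 2 rules for plain key files (XML key files not handled here):
      - exactly 32 bytes      -> used as-is
      - exactly 64 hex digits -> decoded to 32 bytes
      - anything else         -> SHA-256 of the whole file
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            pass  # 64 bytes that are not hex digits: hash them like any file
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated sources, password first, then key file.

    Either source may be omitted but at least one is required. With a key
    file present, guessing the password alone never reproduces this value.
    """
    material = b""
    if password is not None:
        material += password_key(password)
    if key_file is not None:
        material += key_file_key(key_file)
    if not material:
        raise ValueError("a master password, a key file, or both are required")
    return hashlib.sha256(material).digest()


def new_key_file() -> bytes:
    """A fresh random 32-byte key file, the strongest of the plain formats."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    kf = new_key_file()  # constructed sample input, not a real key file
    print("password only :", composite_key("correct horse", None).hex())
    print("password + key:", composite_key("correct horse", kf).hex())
```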
Setting up and opening a KeePass2Android database
Please note that KeePass2Android’s security policy no longer permits screenshots to be taken of open databases. In order to illustrate how KeePass2Android works, I have therefore used some screenshots from Google Play Store. Install Keepass2Android Password Safe from the Google Play store. The only required privileges are:
- SD Card access
- Internet access (install Keepass2Android Offline if you don't want to grant this privilege)
Thanks to its open source end-to-end nature, KeePass is the only password manager I really recommend. KeePass2Android is a great port of it. It is fully compatible with regular KeePass 2.x database files, syncs across devices seamlessly, and integrates far better with Android than any other KeePass port I have tried. Its reliance on Google Play Services is a drawback, and it would be great to see an F-Droid version of the app. For me, however, this issue is compensated for by the extra security afforded by the dedicated keyboard input method.