Douglas Crawford


March 15, 2018

KeePass is a fantastic free and open source (FOSS) password manager. Out-of-the-box, it offers features that match any of its commercial rivals, and these can be expanded upon with a wealth of open source plugins.

Unlike most commercial password managers, KeePass is end-to-end secure. Your password files are encrypted by yourself, and only you (or someone you have authorized) can open them. KeePass’ open source code has now been fully audited by the European Commission’s Free and Open Source Software Auditing (EU-FOSSA) project (summary here).

The core KeePass program is Windows-only, but approved ports are available for most platforms.


KeePass2Android

Keepass2Android Advantages

There are a number of KeePass ports for Android. Most of these are open source and can open and manipulate regular KeePass files.

I use KeePass2Android because:

  • It has much better Android integration than other open source KeePass ports.

Or, indeed, than most commercial products I have reviewed. I must admit, though, it is not as elegant as the browser integration offered by Sticky Password.

  • It does not rely on Android’s insecure clipboard function to work.

Both of these advantages are related to KeePass2Android’s custom keyboard feature (see below).

KeePass2Android Disadvantages

The main downside of KeePass2Android is that it is only available via the Google Play Store, and is therefore updated via Google Play Services. This means that, in theory, Google could slip malicious code into an update at any time.

After assessing my threat model I am comfortable with the trade-off between this risk and the advantages listed above. For anyone who is (quite understandably) Google-phobic, I recommend using either KeePass DX or KeePass Droid instead.

Both of these apps are available from F-Droid and mitigate the clipboard problem with a clipboard timeout. This is not as secure as KeePass2Android’s keyboard solution, but does minimize the problem.

The Keepass2Android Keyboard

Most Android password managers (including most KeePass ports) work using Android’s built-in clipboard function. This allows you to copy and paste usernames and passwords from an opened KeePass database to the app or webpage where they are needed. However:

“Many [password] apps completely ignore the problem of clipboard sniffing, meaning that there is no cleanup of the clipboard after credentials have been copied into it. […] We found that, for example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using ‘hidden phishing’ attacks.”

KeePass2Android solves this problem by providing its own keyboard. This can directly access the KeePass database and enter usernames and passwords into forms without the need to store data on Android’s clipboard.

The keyboard is also good for Android integration, as it works with all apps. There is no need for any form of custom integration or browser add-on. It can be installed alongside other keyboards, and can be easily swapped in and out with them.


I find the KeePass2Android keyboard a little basic for day-to-day use as an Android keyboard. It features no text prediction, personalized auto-correct, or fancy swipe input, for example.

But this is not necessarily a bad thing. These features are a serious privacy risk. The KeePass2Android keyboard, on the other hand, is completely self-contained and sends no information to anyone.

Again, after assessing my threat model, I am comfortable sacrificing a little privacy for convenience, and therefore only use the KeePass2Android keyboard for entering passwords. Sorry, but I am just lazy! For the seriously privacy-conscious, however, the KeePass2Android keyboard would make a great daily driver.

Keepass2Android Cloud Syncing

It is easy to securely sync passwords across devices using any cloud service. This includes the likes of Dropbox and Google Drive. Before you object, I am well aware that services such as this are a privacy nightmare. The thing is, though, that it doesn’t matter.

Each KeePass .kdbx file is encrypted by yourself using rock-solid encryption. By default, KeePass 2 uses an AES-256 cipher with SHA-256 hash authentication. This is very secure, but even stronger options are available.

The only way to access the file is using a master password which should be known only to yourself. So pick a good one! There is also the option to further improve security by requiring that a key file (created by yourself) be present when opening the .kdbx file.

In other words, no-one is going to open a properly secured KeePass file, no matter how publicly it is stored.

The truly paranoid, however, can store a .kdbx file locally on their Android devices and manually synchronize it with the .kdbx files stored on other devices using a USB cable or suchlike. If you do not plan on using KeePass2Android’s online syncing features then you can install the offline-only Keepass2Android Offline instead.

Passwords are synced online whenever you save changes to the database. This is because all your KeePass programs on all your devices can access the same .kdbx file.


Using Keepass2Android

Setting up and opening a KeePass2Android database

Please note that KeePass2Android’s security policy no longer permits screenshots to be taken of open databases. In order to illustrate how KeePass2Android works, I have therefore used some screenshots from Google Play Store.

Install Keepass2Android Password Safe from the Google Play store. The only required privileges are:

  • SD Card access
  • Internet access (install Keepass2Android Offline if you don’t want to grant this privilege)
  • Vibrate

When you first open KeePass2Android you have the option to either open an existing KeePass database (.kdbx file) or create a new one.

If opening an existing .kdbx file, KeePass2Android supports a wide selection of popular cloud services, plus various self-hosting solutions (including local storage). Simply sign in to your chosen service/personal solution if necessary, and browse to your stored .kdbx file.

Alternatively, you can create a new KeePass database. By default this uses an AES-256 cipher, but you can change this to ChaCha20 or Twofish-256. The key derivation function used is AES-KDF with 500000 rounds by default, but this can be changed to Argon2 if you prefer.

You can also create a key file to improve security. This file must be present for the database to be opened. This file should not be stored online. You should instead store copies of it locally on any device you want to open the KeePass file with (or, for the really paranoid, carry a single copy of it around with you on a USB stick or suchlike).

For more information on creating a KeePass database, please see my full KeePass Review.

Once a .kdbx file has been located or created, you can open it in two or three ways:
  1. Password unlock – simply enter the full password or passphrase you created when setting up the database.
  2. Quick unlock (optional) – if a database has already been opened using its full password/passphrase, then it can be quickly reopened using just the last few letters of the password/passphrase (three by default). This is, of course, not as secure as using the full password each time. But it is very convenient, and it is pretty secure. When using 3 characters and assuming 70 characters in the set of possible characters, an attacker has a 0.0003% chance of opening the file. If this still sounds like too much risk for you, choose four or more characters in the settings.
  3. Fingerprint unlock (optional) – if your device has a fingerprint scanner then you can use it to unlock a .kdbx file. This replaces the need to enter either the full password or just the Quick unlock password.

In all cases, the key file must be present if the .kdbx database requires one.
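The master password and the optional key file are not used separately: KeePass 2.x hashes each with SHA-256 and then hashes the concatenation into a single composite key, which is what the AES-KDF or Argon2 rounds later transform. The following Python is an added illustration of that composite-key step (it is not code from KeePass or KeePass2Android). It uses only the standard library; the AES-KDF/Argon2 transformation, the XML key-file format and the database file itself are deliberately left out, and the sample password and key-file contents are constructed for the demo. It shows why a database that relies on a key file cannot be opened with the password alone, and why a key file that is altered or corrupted in transfer yields a different key.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional

# Constructed sample inputs (not real credentials): a master password and the
# contents of a key file. Real key files should come from random bytes, as in make_key_file().
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_KEY_FILE = b"constructed sample key-file contents for this demo only\n"


def make_key_file(path: str, size: int = 128) -> bytes:
    """Write a key file of cryptographically random bytes and return its contents."""
    data = secrets.token_bytes(size)
    with open(path, "wb") as fh:
        fh.write(data)
    return data


def password_component(password: str) -> bytes:
    """KeePass 2.x hashes the UTF-8 master password with SHA-256 before combining it."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def keyfile_component(key_file_bytes: bytes) -> bytes:
    """Key-file component as KeePass 2.x derives it for non-XML key files:
    exactly 32 bytes are used raw, 64 hex characters are decoded, anything
    else is hashed with SHA-256. (The XML key-file format is omitted here.)"""
    if len(key_file_bytes) == 32:
        return key_file_bytes
    if len(key_file_bytes) == 64:
        try:
            return bytes.fromhex(key_file_bytes.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # not hex text: fall through to the generic case
    return hashlib.sha256(key_file_bytes).digest()


def composite_key(password: Optional[str], key_file_bytes: Optional[bytes]) -> bytes:
    """Composite key = SHA-256 over the concatenated components that are present.
    KeePass then feeds this 32-byte value to AES-KDF or Argon2 (not shown)."""
    if password is None and key_file_bytes is None:
        raise ValueError("at least one of password or key file is required")
    parts = b""
    if password is not None:
        parts += password_component(password)
    if key_file_bytes is not None:
        parts += keyfile_component(key_file_bytes)
    return hashlib.sha256(parts).digest()


def can_open(expected_key: bytes, password: Optional[str], key_file_bytes: Optional[bytes]) -> bool:
    """Simulate the unlock check: the supplied credentials must rebuild the same
    composite key. Constant-time comparison avoids leaking how many bytes matched."""
    try:
        candidate = composite_key(password, key_file_bytes)
    except ValueError:
        return False
    return hmac.compare_digest(expected_key, candidate)


if __name__ == "__main__":
    # Demo: create a random key file, lock a key to password + key file, then show
    # that the password alone, or a corrupted key file, no longer opens it.
    workdir = tempfile.mkdtemp()
    key_path = os.path.join(workdir, "database.key")
    key_bytes = make_key_file(key_path)
    locked = composite_key(SAMPLE_PASSWORD, key_bytes)
    print("password + key file:", can_open(locked, SAMPLE_PASSWORD, key_bytes))      # True
    print("password only:      ", can_open(locked, SAMPLE_PASSWORD, None))           # False
    print("corrupted key file: ", can_open(locked, SAMPLE_PASSWORD, key_bytes[:-1]))  # False
```

Because every component is hashed before concatenation, the composite key is the same 32 bytes regardless of password length or key-file size, and storing the .kdbx file on a cloud service exposes neither the password nor the key file, only the ciphertext derived from them.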

The database

Passwords can be organized into groups.

You can create new passwords, inspect, and edit password details.

Android Integration

You can cut and paste usernames and passwords from the database, but as discussed earlier, this is not very secure. The problem is mitigated by a clipboard timeout (default 5 minutes, but this can be changed), but it is also rather cumbersome.

Where KeePass2Android is miles ahead of its rivals, however, is in its Android integration.

Keyboard Input

The main way KeePass2Android integrates with Android is via its keyboard. This is installed alongside the main app and can be hot-swapped with your regular keyboard if desired. It is the most secure way to input credentials and is fairly convenient. It also works with any password field in any app.

On my Samsung phone it is dead easy to switch between keyboards once they have been set up.

To enter usernames and passwords into any web page or Android app, select the keyboard’s special KeePass icon. This brings up the option to select an entry from your KeePass database or let KeePass2Android try to search for the correct one for you.

I must admit that I find the search function to be very hit and miss, so I usually just opt to select an entry myself. If the KeePass database is not already open, then you will need to open it using one of the methods outlined above.

Once the correct entry is found or selected, KeePass2Android enters autofill mode. Simply select the correct entry field, and choose either User or Password and the keyboard will enter the information. Easy!

You can switch back to the conventional keyboard by touching the ABC button.

Browser integration

On a web page with a login, simply use your browser’s Share feature to share with KeePass2Android.

Unlock your KeePass database, and KeePass2Android should already have found the correct entry (or entries). I find searching for entries in this way to be more effective than using the keyboard search function.

You still need to use the KeePass2Android keyboard in autofill mode to enter the details unless you have the KeyboardSwap for Keepass2Android plugin installed and correctly configured.

Keepass2Android: Conclusion

Thanks to its open source end-to-end nature, KeePass is the only password manager I really recommend. KeePass2Android is a great port of it. It is fully compatible with regular KeePass 2.x database files, syncs across devices seamlessly, and integrates far better with Android than any other KeePass port I have tried.

Its reliance on Google Play Services is a drawback, and it would be great to see an F-Droid version of the app. For me, however, this issue is compensated for by the extra security afforded by the dedicated keyboard input method.



August 7th, 2018

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

6 responses to “KeePass2Android Review – How to Cloud Sync Keepass2Android”

  1. I would like to use Keepass2 android. Is there any way to download it onto my desktop PC also, besides my android phone, so that I can do all of my original entries with a keyboard instead of on the telephone?

  2. I have my kdbx file synced to my Dropbox and key file on Google Drive .. you need both ( plus obviously my password ) … chances of both Dropbox and Google drive compromised at the same time are virtually nil.

  3. Moved my .kdbx file to my BLU android but it’s not recognizing my master key. Necessary to install new one?

    1. Hi James,

      Hmm… It should recognize your master key (I sync my .kdbx file with my Android phone via Dropbox.) Maybe the file got corrupted somehow during the transfer process? All I can suggest is to verify that the original works with your password on your desktop, then transfer over again. Note that if you do not sync the file via a cloud service such as Dropbox, new passwords saved on one platform will not be available on your other devices…
