The one with a password manager: mobile apps

In previous posts of this series I talked about pass and Browserpass, the desktop utility and the browser extension I use to manage my passwords on Ubuntu MATE 22.04. I recommend reading those posts first if you are unfamiliar with the concept of a password manager or password store.

Today I'd like to talk about Password Store, an Android client for pass that aims to implement most of its capabilities, and OpenKeychain, an OpenPGP implementation for Android that Password Store relies on to decrypt the entries.

If you're an iOS user, this is definitely not the post you're looking for, but the good news is that Pass for iOS (passforios) has you covered as well.

Now let me introduce you to both apps.

Password Store

Official binary releases are available through four different channels, each serving its own purpose.

Play Store and GitHub Releases always carry the latest stable release. At the time of writing the latest version is 1.13.5, released on July 28, 2021.

F-Droid is a FOSS-only store (Free and Open-Source Software) that takes the open source code and produces its own builds from it. F-Droid usually lags behind the primary release channels, and a subset of functionality may be missing because its binaries are only allowed to contain FOSS code.

GitHub Releases contains both the free and nonfree variants; the nonfree variant is the one uploaded to the Play Store and the free variant the one published on F-Droid. More details are in the page about build types.

Snapshot builds are generated on each push to the development branch and may contain unfinished and broken features or, more often, early access to bug fixes. They also ship with additional debugging code that simplifies reporting of issues.

The project is in the process of rewriting the documentation from scratch. The work-in-progress version is available here and the old documentation is in the wiki.

GitHub Discussions can be used if you don't understand something, or if you want to discuss a feature request in more detail with the community before pitching it to the maintainers.

Some highlights:

  • Autofill on Android 8 and above.

  • Access to the password store can be protected with biometric (fingerprint) authentication.

  • Passwords copied to the clipboard are cleared after 45 seconds (by default; the timeout is configurable).

  • In-app SSH key generation to clone, pull changes from and push changes to the password store repository.

  • Full management of passwords within the app (create, edit and organize entries).

OpenKeychain

It is free software based on the well-established OpenPGP standard, which keeps encryption compatible across devices and systems.

The app is available through two channels: Play Store and F-Droid. At the time of writing the latest version is 5.8.2, released on January 7, 2023.

However, the project has been in maintenance mode since August 2021:

WARNING: This software is no longer actively developed. We will still apply security fixes where reported, and do basic maintenance work, but no new features will be worked on. We will try to consider and merge contributions where possible.

Most documentation is available in the wiki, and other useful information is on the FAQ page of their website. Among other things, you can find information about security or about how to import a backup with GPG.

The help page explains how to get in touch with their community.

Configuration

I'll show here only the configuration required to make both apps work together.

The first time you start Password Store, you will see the following screen:

Android Password Store app homepage

Press the "Let's go" button to start configuring the app:

Select repository type

In my case I have a remote repository on GitHub, so I choose "Clone remote repo".

Fill in the repository information: the remote URL, the branch and the authentication mode you prefer:

Repository information

If you try to save now without having created an SSH key, you'll see the following error:

No SSH key error message

You can either import an existing SSH key or generate one for this purpose. I chose the latter:

Generate SSH Key

The project wiki has more information about generating SSH keys.

Choose the desired key type and press "Generate". The public key is then displayed:

Public SSH key generated

If you try to save now without registering the SSH key on GitHub (or on your Git server of choice), you'll be asked for the repository credentials:

Asking for Git server credentials

Obviously that's not what we want: the prompt means the key was not accepted, so the public key must first be registered on GitHub.

Go to https://github.com/<username>/<repository>/settings/keys:

List of deploy keys for remote repository on GitHub (currently none)

Go to https://github.com/<username>/<repository>/settings/keys/new ("Add deploy key" button) to add the SSH key:

Add SSH key on GitHub

I only use the app to read passwords, so I don't check "Allow write access". Bear in mind that with a read-only deploy key the app will only be able to pull changes from the repo, not push them. A deploy key is also scoped to this single repository, unlike an SSH key added to your GitHub account, so a lost or compromised phone exposes no more than read access to the password store itself.

SSH key added to GitHub

Go back to the app and press the "Clone" button:

Cloning remote repository

The result after the repository is successfully cloned:

Password store cloned from GitHub

Assuming you don't have OpenKeychain installed yet, trying to open any password results in the following error:

OpenKeychain app missing error message

Once the app is installed, if you try again you'll see the following dialog:

Allow access to OpenKeychain dialog

Without any GPG key in OpenKeychain yet, the following error appears:

Error from OpenKeychain: No encrypted data with known secret key found in stream!

The error means that OpenKeychain holds no secret key able to decrypt the entry, so the private key that pass uses on the desktop has to be exported and imported into OpenKeychain. Check the details provided by Password Store about exporting a GPG key.
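When OpenKeychain reports that no known secret key can decrypt an entry, the useful question is which key the file was actually encrypted to. The following script is an added example, not part of this post nor of the Password Store or OpenKeychain projects: it reads the OpenPGP packet headers of every .gpg file in a store and lists the recipient key IDs, flagging entries that none of the keys you name can open. The store layout, key IDs and fingerprint used in the demonstration are constructed for the example.

```python
"""Which OpenPGP key does a pass entry need?

Added example (not Password Store or OpenKeychain code). A pass entry is a
standard OpenPGP message: one Public-Key Encrypted Session Key (PKESK) packet
per recipient, then the encrypted data. Only the headers are parsed here
(RFC 4880 sections 4.2 and 5.1); no ciphertext is touched.
"""
import struct
from pathlib import Path

PKESK, SED, SEIPD = 1, 9, 18  # OpenPGP packet tags we care about


def _packet_header(data: bytes, pos: int) -> tuple[int, int, int]:
    """Parse the packet header at data[pos]; return (tag, body_start, body_length)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError(f"byte {pos:#x} is not an OpenPGP packet header")
    if first & 0x40:                                   # new-format header
        tag, l1 = first & 0x3F, data[pos + 1]
        if l1 < 192:
            return tag, pos + 2, l1
        if l1 < 224:
            return tag, pos + 3, ((l1 - 192) << 8) + data[pos + 2] + 192
        if l1 == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not handled here")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03     # old-format header
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate-length packet is not handled here")


def recipient_key_ids(data: bytes) -> list[str]:
    """Return the long key ID (16 hex digits) from every PKESK packet of an
    encrypted message. Parsing stops at the encrypted-data packet; what follows
    is ciphertext. A passphrase-only message (no PKESK) yields []."""
    ids, pos = [], 0
    while pos < len(data):
        tag, start, length = _packet_header(data, pos)
        body = data[start:start + length]
        if tag == PKESK:
            if body[0] != 3:
                raise ValueError(f"unsupported PKESK version {body[0]}")
            ids.append(body[1:9].hex().upper())        # version byte, then key ID
        elif tag in (SED, SEIPD):
            break
        pos = start + length
    return ids


def audit_store(store: Path, available_key_ids: set[str]) -> dict[str, list[str]]:
    """For each entry under `store`, list the recipient IDs that match none of
    `available_key_ids` (fingerprints or long key IDs). An empty list means the
    entry can be decrypted. A PKESK names the *encryption subkey*, so compare
    subkey IDs, not only the primary key; a hidden recipient shows as all zeros."""
    available = {k.replace(" ", "").upper()[-16:] for k in available_key_ids}
    report = {}
    for path in sorted(store.rglob("*.gpg")):
        ids = recipient_key_ids(path.read_bytes())
        name = path.relative_to(store).as_posix()[:-len(".gpg")]
        report[name] = [] if any(k in available for k in ids) else ids
    return report


def build_sample_entry(*key_ids: str) -> bytes:
    """Construct a fake entry for the demo: one RSA PKESK per key ID with a dummy
    16-bit MPI, then a SEIPD packet holding 4 bytes of dummy ciphertext.
    Constructed data, NOT real OpenPGP ciphertext."""
    out = b""
    for kid in key_ids:
        body = b"\x03" + bytes.fromhex(kid) + b"\x01" + b"\x00\x10\xbe\xef"
        out += bytes([0x84, len(body)]) + body          # 0x84: old-format tag 1
    return out + b"\xd2\x05\x01\xde\xad\xbe\xef"        # 0xd2: new-format tag 18


def demo_audit() -> dict[str, list[str]]:
    """Audit a throwaway store with two constructed entries against one assumed
    desktop key whose (hypothetical) fingerprint ends in A1B2C3D4E5F60718."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp)
        (store / "web").mkdir()
        (store / "web" / "github.com.gpg").write_bytes(build_sample_entry("A1B2C3D4E5F60718"))
        (store / "old.gpg").write_bytes(build_sample_entry("1122334455667788"))
        return audit_store(store, {"0123456789ABCDEF01234567A1B2C3D4E5F60718"})


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:   # usage: audit.py ~/.password-store KEYID [KEYID ...]
        result = audit_store(Path(sys.argv[1]).expanduser(), set(sys.argv[2:]))
    else:
        result = demo_audit()
    for entry, missing in result.items():
        print(f"{entry}: {'ok' if not missing else 'needs key ' + ', '.join(missing)}")
```

Run it on the desktop against the real store and the key IDs you imported into OpenKeychain; the ID to compare is that of the encryption subkey, which `gpg --list-keys --with-subkey-fingerprint` shows, because that is what the PKESK packet names. An all-zero ID means the entry was encrypted to a hidden recipient and the key cannot be read from the file. If an entry needs a key that was never exported, the fix is to re-encrypt the store from the desktop to the intended key, not to import more keys into the phone.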

Next, switch to the OpenKeychain app:

OpenKeychain app homepage

Select the "Import key from file" option:

Import keys

You can import the GPG key from the clipboard or from a file on the device. This is your private key, so move it to the phone over a channel you trust, and delete the exported file (and clear the clipboard) once the import is done.

Right before importing the key, you'll see its details:

Details about the GPG key before importing it

Once the key is imported, it is listed in the app:

GPG key just imported

Go back to Password Store; the following dialog appears when you try to open any password:

Allow Password Store access to OpenKeychain key dialog

Allow access and you'll be asked for the GPG key passphrase:

Enter GPG key password

By default the GPG key passphrase is remembered until you clear it, but other options are available as well:

Available options to remember GPG key password

At this point your password is available in the clipboard for 45 seconds (the default) and a notification appears on your device:

OpenKeychain saved passwords notification

It's worth noting that if you left the default option when entering the GPG key passphrase, you'll be able to open any saved password without being asked for it again until you explicitly clear it. Sometimes that's what you want, but sometimes it's not: while the passphrase is cached, anyone who can unlock the phone can read every entry, so the device lock is the only thing protecting the store.

Let's improve the UX by enabling the autofill feature.

At the top right of the main screen, tap the three dots:

Main menu in Password Store app

Go to settings:

Settings options in Password Store app

Enable the autofill feature:

Enable autofill dialog

Configure the autofill service in Android:

Autofill service in Android

Select Password Store from the list and confirm that you trust the app:

Password Store as autofill service confirmation dialog

New options appear in the settings menu once autofill is enabled:

Autofill settings options

Example with an Android app, in this case Goodreads:

Goodreads with autofill options

Search the store for "Goodreads":

Search Goodreads in password store

The credentials are filled in automatically once the entry is selected:

Goodreads credentials filled once selected

Next time, the password used previously for that app is shown at the top:

Display password previously used at the top

Example with a website, in this case GitHub:

GitHub with autofill options

And that's it. Both apps are correctly configured and working as one would expect.

Other options

If you recall, the SSH key doesn't have write permission, so you won't be able to push changes to the remote repo:

Error during Git operation dialog

You can edit the Git server settings:

Edit Git server settings

For more security when accessing the password store, enable biometric authentication:

Enable biometric authentication

If you want to generate passwords from the app, you can select the generator type:

Password generator type

You can organize passwords as desired:

Create folders and passwords from Password Store app

Main menu in OpenKeychain:

OpenKeychain main menu

Encrypt and decrypt files and text:

Encrypt and decrypt options

Supported apps:

OpenKeychain supported apps

Backup and restore:

OpenKeychain backup and restore

Other settings:

Other OpenKeychain settings

Information about any of your GPG keys is available:

OpenKeychain GPG key status

You can change the GPG key passphrase or create a backup, for instance:

Menu options from the GPG key

New GPG keys can be added in different ways:

Add new GPG keys to OpenKeychain

Manage or update GPG keys:

Manage GPG keys

Advanced settings for a GPG key:

Advanced settings for a GPG key

Conclusion

I highly value the functionality provided by these apps, although I wish I didn't have to install two different apps for it. For a long time the maintainers of both projects have considered the possibility of making OpenKeychain a library rather than a separate app, but no progress has been made, let alone now that the project is in maintenance mode.

A new version of the Password Store app hasn't been released in over two years, but judging by the activity in issues and merged pull requests the project still seems to be active.

Either way, it's quite easy to configure both apps and make them work together. Not to mention that I haven't found any critical error so far, at least with the basic use I make of them.

Thank you for reading and see you in the next one!