
Hi all. Zaur here, the author of the audit report.

Thanks a lot for the feedback here. I've decided to clarify some points and also introduce changes to the most recent audit PDF. https://molotnikov.de/keepassxc-review

- The links in the most recent review version are now highlighted with blue.

- I have not yet had a very deep look at KeePassium, KeePassDX, or the browser extensions, although I know these exist. On my radar, need to find time and dive deep!

- The features I have not reviewed are just not reviewed yet. I wouldn't call them scary. The use of them is optional, btw. Again, need to find time and look deeper. It is also a tip for other researchers on where to look next.

- My review contains certain subjective statements, such as on the quality of the code and on recommending the use of KeePassXC. Well, my goal was to inspect an offline tool (no servers) that is subjectively likeable and recommendable from the UI/UX perspective, because the main problem with password managers is that they are still not used enough in the wild. I found a subjectively good desktop UI, checked the code quality (structure, availability of tests, clean use of C++ and Qt), could see sound modern crypto, and.. proceeded to solving a bigger problem: recommending the use of it. Making the judgment for potential review readers, for whom the deep details are too much to interpret and who need a simplified answer on what to lean toward, whether to use it or not... I noted, though, for the next reviews to avoid too general judgements.

- Personal questions on who Zaur is, and why my opinion matters.. :) Well, the CV is linked; I know applied security and applied crypto, and I have 6 years of professional experience with C++. I code and review projects for security daily. No complex and working software is ideal and perfectly secure. Plenty of software online is low-bar in security. I had the capacity to check the basics and a little beyond them for KeePassXC, and put my subjective judgment here on the right side of the weights.

- Loved the discussion on mobile phones and multi-device sync. Syncthing and other suggestions. On an iPhone nothing really works very well, as files are compartmentalized per app... For those of us who only need a few passwords on mobile, it is recommendable to create a separate small database with only those passwords, and use it read-only on the mobile.




When you evaluate KeePassium, could you look into whether the application honors not contacting anything on the internet? For me this is a major point of feeling secure when using the application, and iOS has no way to block apps from accessing the internet.

Otherwise thank you a lot for checking KeePassXC!


Hi, KeePassium author here.

You can also directly verify these claims using the App Privacy Report. It's a system feature that shows which domains an app contacted over the last 7 days (and how often). And it works for all apps.

Unfortunately, there is no way to _enforce_ the offline behavior of an iOS app, but being able to monitor it is already something.
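The App Privacy Report mentioned above can be exported from iOS as an .ndjson file (one JSON object per line), and it is easier to audit that file than to scroll the UI. Below is an added example, not code from the thread's participants or from the KeePassium or KeePassXC projects, that parses such an export and answers the question asked in the thread: which domains a given app contacted, and whether any network rows exist for it at all. The field names (type, bundleID, accessor, domain, hits, initiatedType, context) are my assumption of Apple's export schema; the bundle IDs and domains in the sample are constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of an App Privacy Report export (.ndjson).
# Field names are an assumption about Apple's export format; the bundle IDs
# and domains are made up. A malformed line and a blank line are included
# deliberately to show that the parser tolerates them.
SAMPLE_EXPORT = "\n".join([
    '{"type":"networkActivity","bundleID":"com.example.weather","domain":"weather-data.example.com","timeStamp":"2023-06-01T08:15:02Z","hits":12,"initiatedType":"AppInitiated","context":""}',
    '{"type":"networkActivity","bundleID":"com.example.weather","domain":"ads.example.net","timeStamp":"2023-06-01T08:15:03Z","hits":3,"initiatedType":"AppInitiated","context":""}',
    '{"type":"networkActivity","bundleID":"com.example.browser","domain":"cdn.news-site.example","timeStamp":"2023-06-02T19:40:11Z","hits":7,"initiatedType":"NonAppInitiated","context":"news-site.example"}',
    '{"type":"access","accessor":{"identifier":"com.example.offlinevault","identifierType":"bundleID"},"category":"camera","kind":"intervalBegin","timeStamp":"2023-06-03T10:00:00Z"}',
    '{"type":"access","accessor":{"identifier":"com.example.offlinevault","identifierType":"bundleID"},"category":"camera","kind":"intervalEnd","timeStamp":"2023-06-03T10:00:04Z"}',
    "",
    "this line is not JSON and is skipped",
])


def parse_export(text):
    """Parse NDJSON text into a list of dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line should not abort the whole audit
    return records


def bundle_of(rec):
    """Bundle ID of a record. Network rows carry bundleID at top level; access
    rows nest it under accessor.identifier (assumed layout of the export)."""
    if "bundleID" in rec:
        return rec["bundleID"]
    return rec.get("accessor", {}).get("identifier")


def network_activity(records, bundle_id):
    """Summarise networkActivity rows for one app as
    {domain: {"hits": total, "app_initiated": bool}}.
    app_initiated is True if any row for that domain was not attributed to a
    website loaded inside the app (initiatedType == "AppInitiated")."""
    summary = defaultdict(lambda: {"hits": 0, "app_initiated": False})
    for rec in records:
        if rec.get("type") != "networkActivity" or bundle_of(rec) != bundle_id:
            continue
        entry = summary[rec["domain"]]
        entry["hits"] += int(rec.get("hits", 1))
        if rec.get("initiatedType", "AppInitiated") == "AppInitiated":
            entry["app_initiated"] = True
    return dict(summary)


def contacted_domains(records, bundle_id):
    """Sorted list of every domain the app has network rows for."""
    return sorted(network_activity(records, bundle_id))


def appears_offline(records, bundle_id):
    """True when the report holds no network rows for the app at all.
    This is absence of evidence only: the report covers the last 7 days and
    records what the app did, it does not prevent anything."""
    return not network_activity(records, bundle_id)


def apps_in_report(records):
    """Every bundle ID that appears anywhere in the report (network or access)."""
    return sorted({b for b in map(bundle_of, records) if b})


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for app in apps_in_report(recs):
        verdict = "no network rows" if appears_offline(recs, app) else "contacted network"
        print(f"{app}: {verdict}")
        for domain, info in sorted(network_activity(recs, app).items()):
            origin = "app" if info["app_initiated"] else "website in app"
            print(f"  {domain}: {info['hits']} hits ({origin})")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file's contents and passing the app's bundle ID to contacted_domains. A clean result is consistent with the offline claim for the days covered, nothing more: an app that only phones home on first launch, or outside the 7-day window, produces the same empty list.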



