Password keeper paranoia

xrunner

Lurker
I've read several threads about the "best" password keeper and I'm trying to decide between Keepass and Mindwallet.

On the one hand, Keepass is open-source (which I consider a plus), but it uses SD storage. As it has been well documented, SD storage is not secure at all. So if there's an evil app installed that grabs all the data from my SD card, I would think a brute force attack on my Keepass file will allow the evildoer to have all my private information. I assume no one has found a way for Keepass to use the native storage on a Droid.

My other selected option is to go with Mindwallet, which is not open-source and thus we don't know everything the developer is doing with the full network access. This is NOT to say the developer is a bad person --- I have no idea what type of person he is. He could be a saint, but I don't know that. Is there a way to lock the network access for this app or some other way to ensure the app won't attempt to send my data where it does not belong? I do like the way Mindwallet works and that it doesn't require using SD storage. So, please, I'm not implying anything personal about the developer.

I know, I'm paranoid. Is there a way to use either of these apps by mitigating my concerns? Thanks!
 

AngryHatter

Android Expert
Since you already know you are paranoid, I'll assume you were just venting.
;)
If either were compromising owners, don't you think you'd have seen that too when you googled the apps?
 

jae_63

Android Enthusiast
If you're rooted and you know which SD directory is used by Keepass, then you could symbolically link that directory name into a directory in your device's memory. Caveats regarding potential loss-of-data apply.
 

xrunner

Lurker
Thread starter
@AngryHatter: I am paranoid, but that doesn't mean that apps don't take advantage of all the security lapses. There are plenty of well published holes with Android. Are there web sites that specifically publish errant apps?

@jae_63: That's an interesting idea. I haven't rooted yet, but have considered doing it. Would the symlink be secured with the device memory authority or the "public" authority of fat32?
 

AngryHatter

Android Expert
For all the "well known holes" there have been very few attempts at malicious code for the phone.
The biggest barrier is the smart user, the second being the Market.
 

Rootmepls

Android Enthusiast
I've used keepass for years and with the addition of using it with Dropbox I can sync my passwords between all my computers and phone by exporting the keepass db into it. I've never worried about using keepass. Just make sure you have a strong master password. Never heard of it getting cracked yet.
 

jae_63

Android Enthusiast
@jae_63: That's an interesting idea. I haven't rooted yet, but have considered doing it. Would the symlink be secured with the device memory authority or the "public" authority of fat32?

I'm not sure what you mean, but since the symbolic link would be stored on the SD card, it would just be a pointer into the in-memory filesystem. So if you lose your phone but successfully execute a remote-erase procedure on the device's memory, then the link would point to nowhere, and your password file would be irretrievable by a 3rd party, even if they recover your unerased SD card.
 

xrunner

Lurker
Thread starter
I'm not sure what you mean, but since the symbolic link would be stored on the SD card, it would just be a pointer into the in-memory filesystem. So if you lose your phone but successfully execute a remote-erase procedure on the device's memory, then the link would point to nowhere, and your password file would be irretrievable by a 3rd party, even if they recover your unerased SD card.
Ah, good question. I wasn't thinking about the SD card being lost, so you've got a good point for that situation. I was concerned about apps that have access to the SD card. Being fat32, there is no security: all information is available to any app that has read access to the SD card. So I'm assuming that the symlink would also give access to the keepass file in the device memory (I'm not sure about this assumption). Granted, this file is still encrypted.
 
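The two questions raised in the last posts (does a symlink on the "public" card hand out access to a file in device memory, and what happens to the link after the internal storage is wiped) come down to how Unix-style systems resolve symlinks, and Android is Linux underneath. The following Python snippet is an added example written for this page, not code from either app or from any poster: it builds a throwaway layout with a 0o700 "data" directory standing in for internal storage and a world-readable "sdcard" directory holding the link (both names and the placeholder file contents are constructed), then shows that the permission bits an open() is checked against are the target's, not the link's, and that deleting the target leaves a dangling link that can no longer be read. One practical caveat the example cannot show on a temp directory: FAT32 has no symlinks at all, so the link itself has to live on a filesystem that supports them, and the outcome on a real device also depends on which Linux UID owns the target, since each Android app runs as its own user.

```python
"""Symlink semantics behind the 'link Keepass into device memory' idea.

Access through a symlink is checked against the *target* inode, not the
link, and once the target is gone the link dangles. Constructed example
using temporary directories; nothing here touches a real phone.
"""
import os
import stat
import tempfile


def build_layout():
    """Create a world-readable dir holding a symlink to a 0o600 file in a 0o700 dir.

    Returns (public_dir, private_dir, link_path, target_path). Names are
    assumptions standing in for the SD card and internal storage.
    """
    root = tempfile.mkdtemp(prefix="keepass-symlink-demo-")
    public = os.path.join(root, "sdcard")   # stands in for the FAT32 card
    private = os.path.join(root, "data")    # stands in for device memory
    os.mkdir(public)
    os.chmod(public, 0o777)
    os.mkdir(private)
    os.chmod(private, 0o700)

    target = os.path.join(private, "keepass.kdb")
    with open(target, "wb") as fh:
        fh.write(b"constructed placeholder, not a real database")
    os.chmod(target, 0o600)

    link = os.path.join(public, "keepass.kdb")
    os.symlink(target, link)
    return public, private, link, target


def inspect_link(link, target):
    """Compare the link's own metadata with what an open() actually reaches."""
    own = os.lstat(link)        # the symlink inode itself, never consulted for access
    followed = os.stat(link)    # the inode open() resolves to and checks permissions on
    real = os.stat(target)
    return {
        "link_is_symlink": stat.S_ISLNK(own.st_mode),
        "followed_is_target": (followed.st_ino == real.st_ino
                               and followed.st_dev == real.st_dev),
        "effective_mode": stat.S_IMODE(followed.st_mode),  # 0o600 from the target
        "link_mode": stat.S_IMODE(own.st_mode),            # irrelevant to access control
    }


def simulate_remote_wipe(link, target):
    """Delete the target (the 'erased device memory') and see what the link does."""
    os.remove(target)
    dangling = os.path.lexists(link) and not os.path.exists(link)
    try:
        with open(link, "rb"):
            readable = True
    except FileNotFoundError:
        readable = False
    return {"dangling": dangling, "readable_via_link": readable}


def demo():
    """Run both checks on a fresh layout and return the combined findings."""
    _, _, link, target = build_layout()
    before = inspect_link(link, target)
    after = simulate_remote_wipe(link, target)
    return {"before_wipe": before, "after_wipe": after}


if __name__ == "__main__":
    for phase, result in demo().items():
        print(phase)
        for key, value in result.items():
            shown = oct(value) if key.endswith("mode") else value
            print(f"  {key}: {shown}")
```

The point for the thread: the link's own mode bits (shown as link_mode) say nothing about who may read the database; the kernel checks the target's owner and 0o600 mode when the link is followed, so an app running as a different UID is refused at the target, not helped by the link. After the target is removed, lexists() still sees the link but open() fails, which is the "points to nowhere" outcome described above.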