24 June 2010

Storing passwords and other secure data - migrating from HandySafe Pro to an Android solution

One of the biggest issues for me - and other ex-Symbian users - was the lack of an encypted home for my passwords and other little useful snippets of information. HandySafe Pro gave me a (paid) synchronised Windows and Symbian where I had access to my passwords on 2 Windows PCs (home and work) and a Symbian handset, and synchronisation between them - in this case via the phone, using PC Suite.  I needed something that would give me the same functionality with an Android handset.
Yes, Evernote (at least the Premium version) allows me to encrypt snippets of text for privacy, but I had a whole database of information already in HandySafe Pro that I needed to migrate to a solution that would allow me to access the same information on my desktop PCs and Android handset.

Android/Windows software candidates
The biggest hurdle to cross appeared to be the fact that HandySafe Pro will only export in XML format ... and almost everything else I could find in the Android Market will only import from CSV files (and they would no doubt involve a lot of tweaking in Excel -  or in my case OpenOffice Calc - before I could actually transfer the data, even if I could do the initial, non-trivial conversion from XML to CSV - not an option I relished taking on).  
One option that I looked at was LastPass - an online encrypted system.  It's free for Windows / Mac / Linux, and the Premium version ($1 per month) gives you access to imports from other systems, plus the Android client (which is also available as a free 14-day trial).  I wasn't entirely sure that I wanted to commit my data to an online service, but given Lastpass's assurances, I was prepared to give it a go (with the thought that I would perhaps restrict storage of really sensitive stuff such as banking information to only those bits I couldn't remember, thus still making it difficult for anybody to access my financial info just using the information stored there). Their website suggested asking them if there was an import option that wasn't already available, so I fired off a question to support asking whether they currently support or had plans to support import from HandySafe Pro / XML files.  Now maybe something has gone wrong in the submission process, but I still haven't received an answer.
So, back to the drawing board.  
I looked at B-folders, which has a free Android app and paid ($29.95) Desktop version, but I never got around to trying it, as it wouldn't import Handysafe XML files.  Note that B-Folders styles itself a general note-taking / GTD app, as well as a secure password repository.  Synchronisation is done using SSL with no intermediary.  In practical terms, I'm not sure how I'd sync my home and work computer using this model, since (apart from the simple issue of them being able to "find" each other) my work PC is normally logged off when I'm at home and my home laptop is switched off when I'm at work.  And I don't have WiFi at work to synchronise with/via the phone.  
Then I found KeePassDroid in the Marketplace.  I had already tried the Open Source KeePass Windows application a few years ago, but never found a compelling reason to use it while I had HandySafe working so well for me. KeePassDroid only supported the .kdb file format used by KeePass 1, but there were requests to support KeePass 2's .kdbx files.  With all this in mind, I had another look. KeePass 2 on Windows is a little more user-friendly than I remember the original being (although I may be kidding myself - it was a few years ago), but unlike KeePass 1 it does use the .NET framework. However, its trump card was that KeePass 2 could import HandySafe pro XML files.  There's a full list of other file formats and password managers that KeePass can import from and export to on the Import/Export help page. Also, it's possible to export from KP2 to the older .kdb format (and CSV and others), so if nothing else, I could use KeePass2 as a stepping stone to another solution. 
Then, before I'd got round to doing the conversion, I got a notification that the latest KeePassDroid had (beta) read-only support for .kdbx files. What's more, I came across an old LifeHacker article on using Dropbox for KeePass synchronisation across machines.  In fact, KeePass Droid's FAQ page also suggests Dropbox for synchronisation.  I was already a long-time (free) Dropbox user on Windows, and had the Android Dropbox client too, so all of a sudden, this was starting to sound like a workable solution.

Synchronisation and Security
If the thought of even your encrypted data being in the cloud worries you, both KeePass and KeePassDroid support the use of Keyfiles - either instead of or in addition to your keyphrase.  If you use a keyphrase AND a keyfile, then you can add an extra level of security by putting your keyfile on the devices you want to access your password database from, and DON'T put it on Dropbox (or your chosen online syncing solution) - no access to the data IN the cloud, because the keyfile isn't there.  Just make sure you have a safe backup of it somewhere you CAN retrieve it from if disaster strikes.
Both the desktop and Android versions allow you to save or not save the location of the keyfile, so if you choose not to save it, that makes it even more difficult for people to hack your data. And it goes without saying that the longer and more convoluted your passphrase is, the less easy it will be to hack.  Obviously, that has to be tempered with ease of actually entering the passphrase on a small/touchscreen device. There's no reason why you can't have more than one keyfile though, so you could choose an easy-to-enter passphrase for the less sensitive data, and a fiendishly difficult one for the more sensitive stuff.  
Note that if you use Dropbox to sync the files, the Dropbox client on Android doesn't monitor and update files on the fly in the same way that it does on Windows, so if you want to make sure you have the most up to date password file, you'll need to navigate to it via the Dropbox UI and open it from there, rather than opening it directly from KeePassDroid.  On the other hand, you can use that to your advantage if you don't want to "waste" data by updating the file over 3G to get access to information that you know hasn't changed since the last sync.  Just use KeePassDroid directly to open the file that currently exists on your device.  You don't have write access to the data, so you can't get out of sync with your up to date master copy.  
If you don't fancy sending your data via the cloud at all, there's still good ol' manual file transfer between PC and phone - using either ftp or USB.  In this case, since there's no record-by-record sync tool, being read-only on the phone can be considered an advantage, since there's no chance for different things to have been changed in two places since the last sync (something that shouldn't be an issue for the Windows update-on-the-fly Dropbx client). 
KeePass for Windows is also available in Portable form, so you can carry both the application and data on a USB stick or SD card (within a file container encrypted with TrueCrypt for good measure, if you like) for a cloud-free, multi-PC solution, with manual syncing to the phone.  
As far as I'm aware, there is no Android version of Truecrypt, although I found a web page suggesting that the Linux version of TrueCrypt will run on Android, but it's no longer online, and I have no idea whether you would need to compile the source to get it to work.  If it would work, you could create a small encrypted file container within your Dropbox folder, and put your KeePass database in it for a double layer of security on the phone too.  However, I suspect that in practical use, it would be a bit of a pain to access the Truecrypt folder and then the KeePass database unless you're particularly paranoid ... or you're  planning to leave Government secrets in the back of a taxi.

The Conversion

The import of HandyPro's XML files seemed to go smoothly.  However, there isn't a one-for-one correlation between KeePass card fields and HandySafe Pro entry fields.  The import does appear to make some reasonable decisions based on the field names though.  KeePass is really aimed at website and their logins and passwords, so tries to match HandySafe's web-relevant fields to a card title, user name, password and URL. Anything it doesn't feel it can make intelligent decisions about gets put on an "Advanced" tab in KeePass - and the information in this advanced tab isn't available in KeePass Droid 1.5.3.

Of course, any conversion process will involve some things not going quite as smoothly as you might hope for.  In this case, because KeePass is really geared up for website passwords, KeePass Card Titles often appear with several pieces of comma separated information in them, especially for credit/debit/bank account cards (e.g. the HandySafe entry name and the Account name, which are often the same, plus account number in the title). The only obvious thing that I can see that doesn't get converted is the expiry date - that's put on the Advanced tab, rather than in KeePass's own expiry field. But at least all the information is there - as far as I can tell!

It'll take a little tidying up, which I can do piecemeal, as and when I have the time.  And of course anything on the Advanced tab won't appear in KeePass Droid, so it's not perfect - but it's still the best solution I've found.  

The Android App
KeePassDroid is a little utilitarian.  In its current form (1.5.3), it's not going to win any prizes for style, and I'd like to see some more font size choices (including something between the current Large and Medium) and for it to be able to display the icons that are used in the desktop version (including embedded custom icons).

On the other hand, its main function is to show you encrypted data on your handset, so I can live with the lack of frills in the display.

Screenshots courtesy of KeePassDroid's author.  
The default font size for the Group list (and items within the group) is enormous, but that can be changed in the settings (with choices of Small Medium or Large).  However, there appears to be a bug that requires you to exit and restart the app to see the change.  My own opinion is that the large font is way too large, but medium is a bit too small, and the small font makes it difficult to select the item you want from the list.  
Once your card is open, the font size for the header info is fine, but the detail is in a tiny font which isn't configurable.  

And, of course, as already mentioned, it doesn't display anything other than the "standard" KeePass 2.0 fields.  What I haven't tried is to convert a .kdbx file to a .kdb file and see if KPD handles that any differently.  Development seems to be fairly active, and it's definitely usable if not pretty, so it seems that I have a solution, and one which seems likely to improve.  

Functionally, the thing that would make the most difference will be if KeePassDroid starts to provide access to the String fields in the desktop version's Advanced tab.  

The best bit of all is that, although the developers of KeePass and KeePass Droid have the facility to accept donations so that we can all choose to support their efforts, this solution needn't cost you penny :o) - unlike HandySafe Pro.
Dropbox desktop is cross-platform (Windows, Max, Linux), and there are mobile clients for iPhone, iPad and Android, with Blackberry "coming soon".  
KeePass desktop is Windows only, but is supported under Mono on Macs and Linux boxes, and there are also Portable and U3 (USB stick) versions, and a contributed Linux version. There are contributed mobile apps for PocketPC, iPhone, Blackberry and PalmOS (convertor) ... and, of course, Android.
B-Folders desktop is cross-platform: Windows XP SP2, Windows Vista, Windows 7, Mac OS X 10.5+, Linux 32 and 64bit versions, and it supports import from eWallet - historically my Windows/WinMo solution from years ago.  Currently, the only mobile client runs on Android. 

1 comment:

Unknown said...

Thanks for the info. But I use Keepas and AndroXplorer v.3 now . :)