Do not backup the password

link2xt · March 17, 2021, 2:24pm

Currently email password is stored in the backup. It would be more safe to have the user retype the password after importing backup, at least by default. This will also encourage using different app passwords with providers that allow it, e.g. on Fastmail or Yandex.

For burner accounts we still want to backup the password, because the user does not know it.

Authentication info should definitely be removed from backup in case of OAuth 2.0 authentication, as different apps are supposed to use different tokens. Does it even work currently when after multi-device setup, when one of the devices renews the token while the other one is not aware of that?

Simon · March 17, 2021, 5:56pm

token of oauth is currently stored inside of core, but should be moved to app and possible even to build-secrets? (last point might be difficult to do with f-droid)

link2xt · March 17, 2021, 7:36pm

Looks like you are talking about permanent client_id. It’s ok that it is in the core, let’s say the core is the client, no need to change this. I don’t think it plays security role as it can be extracted from the APK anyway. I see it’s sole purpose as displaying registered DC logo on Gmail webpage during authentication

I’m talking about “refresh token”, which we store in oauth2_refresh_token config variable. I think we should obtain a new one for each device instead of transferring it via backup. Otherwise we have multiple devices requesting access tokens via the same refresh token. Looks like it is possible to have multiple valid access tokens obtained with the same refresh token at the same time, but I don’t think it’s expected to be used like that.

SamanaJohann · March 18, 2021, 7:58pm

To consider, good team: people at large, neither like to care about keys nor would they really remember. As backup is required way to upgrade if not wishing to get served by large platforms, each upgrade try will simply cause losing 60% of user, 90% in the old world, simply by ask for the key. And how, if not via way of email/chat, would they renew of did they gain once?

link2xt · March 18, 2021, 8:33pm

There should be an option to keep the password in the backup, that’s why I say

This sounds like a bug though:

Official APKs and those downloaded from F-Droid should be upgradable without reinstallation. Only nightly versions require reinstallation.

vbeh · May 7, 2021, 1:40am

good point
what if the backup file was password protected(maybe a randomly generated temporary password ) because it contains the keys, decrypted messages and email password?

agutierrez · May 8, 2021, 11:00pm

perhaps another variant is, to be able to select what is saved in the backup,

checkboxes for:

messages
keys
passwords

all selected by default