Do not backup the password

Currently the email password is stored in the backup. It would be safer to have the user retype the password after importing a backup, at least by default. This will also encourage using different app passwords with providers that allow it, e.g. on Fastmail or Yandex.

For burner accounts we still want to back up the password, because the user does not know it.

Authentication info should definitely be removed from the backup in case of OAuth 2.0 authentication, as different apps are supposed to use different tokens. Does it even work currently after multi-device setup, when one of the devices renews the token while the other one is not aware of that?

2 Likes

The OAuth token is currently stored inside of core, but should be moved to the app and possibly even to build-secrets? (The last point might be difficult to do with F-Droid.)

Looks like you are talking about the permanent client_id. It’s OK that it is in the core; let’s say the core is the client, no need to change this. I don’t think it plays a security role, as it can be extracted from the APK anyway. I see its sole purpose as displaying the registered DC logo on the Gmail webpage during authentication 🙂

I’m talking about the “refresh token”, which we store in the oauth2_refresh_token config variable. I think we should obtain a new one for each device instead of transferring it via backup. Otherwise we have multiple devices requesting access tokens via the same refresh token. Looks like it is possible to have multiple valid access tokens obtained with the same refresh token at the same time, but I don’t think it’s expected to be used like that.

1 Like

To consider, good team: people at large neither like to care about keys nor would they really remember them. As backup is the required way to upgrade if not wishing to get served by large platforms, each upgrade try will simply cause losing 60% of users, 90% in the old world, simply by asking for the key. And how, if not via way of email/chat, would they renew of did they gain once?

There should be an option to keep the password in the backup, that’s why I say

This sounds like a bug though:

Official APKs and those downloaded from F-Droid should be upgradable without reinstallation. Only nightly versions require reinstallation.

Good point.
What if the backup file was password protected (maybe with a randomly generated temporary password), because it contains the keys, decrypted messages and email password?

Perhaps another variant is to be able to select what is saved in the backup,

checkboxes for:

  • messages
  • keys
  • passwords

all selected by default

1 Like
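A sketch of the export policy proposed across this thread, added here as an example; it is not part of any post and is not Delta Chat's code. It assumes the account database is SQLite with a key/value table `config(keyname, value)`; `mail_pw`, `send_pw`, the `burner` flag and all function names are assumptions, and only `oauth2_refresh_token` is named in the thread.

```python
import sqlite3

# Assumed key names for the stored passwords; oauth2_refresh_token is from the thread.
PASSWORD_KEYS = ("mail_pw", "send_pw")
OAUTH_KEYS = ("oauth2_refresh_token",)


def export_backup(live: sqlite3.Connection, keep_password: bool = False,
                  burner: bool = False) -> sqlite3.Connection:
    """Copy `live` into a new database and strip credentials from the copy."""
    backup = sqlite3.connect(":memory:")  # a file path in real use
    live.backup(backup)                   # page-level snapshot; live DB untouched
    drop = list(OAUTH_KEYS)               # per-device token: never exported
    if not (keep_password or burner):     # burner: the user never knew the password
        drop += PASSWORD_KEYS
    marks = ",".join("?" * len(drop))
    backup.execute(f"DELETE FROM config WHERE keyname IN ({marks})", drop)
    backup.commit()
    # DELETE only frees the cells, and the page-level copy also carried over any
    # free pages of the live DB. VACUUM rebuilds the copy from live rows only.
    backup.execute("VACUUM")
    return backup


def config_of(db: sqlite3.Connection) -> dict:
    """Return the config table as a dict."""
    return dict(db.execute("SELECT keyname, value FROM config"))


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample account database (all values are made up)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE config (keyname TEXT PRIMARY KEY, value TEXT)")
    db.executemany("INSERT INTO config VALUES (?, ?)", [
        ("addr", "alice@example.org"),
        ("mail_pw", "constructed-app-password"),
        ("send_pw", "constructed-app-password"),
        ("oauth2_refresh_token", "constructed-refresh-token"),
    ])
    db.commit()
    return db


if __name__ == "__main__":
    print(config_of(export_backup(make_sample_db())))
```

The per-item checkboxes suggested in the last post would map onto further flags of the same kind as `keep_password`.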