RE: App security (new KeepassRX app)

@t12392n said in App security (new KeepassRX app):

A local Keepass should not talk to the internet.

Where did you get the idea that it does?

@arubislander said in App security (new KeepassRX app):

If the app is confined (as this one is) you don't need to blindly trust that the package in the open store was compiled by the code that is linked, to be sure it doesn't phone home. If you know what to look for, you can download the .click package and examine the contents.

All versions of OpenStore also show the permissions list and that should be the first thing people check, can't expect non-technical users to unpack clicks before installation.

Kind of related, we should probably update the popup when you install from a local .click file to show more info and definitely show permissions.

@arubislander it can't be both confined and exempt (if it actually is we have a serious problem)

maybe the thread should be locked for new replies

For future readers - they are not sorry. It's just yet another attempt at gaining sympathy after going a step too far (this time after they got timed out on Telegram).

They argue in bad faith and seem to think they are always the smartest person in the room, forcing their genius ideas on everyone. And once that's rejected they go with some sob story about how they just wanted to help and are being treated unfairly.

Let's not feed the troll.

@arubislander the HA app you linked is just a webview, not sure why people bother uploading these

Interesting, though it needs Qt 6 afaict. Still nice, I was waiting for servo to get a bit better scores on the WPT tests before trying to run it on UT, but maybe it's worth looking into for some simpler sites.

@reeered start by restoring your device with Xiaomi's tool: https://forum.xda-developers.com/t/miflash-guide-use-xiaomi-flash-tool.4262425/

@Moem a bit too much happening at work, I didn't have the energy to do anything buuuut we did figure out that Pebbles work fine on focal, the issue is in the RockWork app and it would need a reimplementation - probably less work for me to add Pebble support to mine once it actually exists.

Other than Pebble, I definitely plan to support PineTime (with Infinitime) from the start since it seems like the second most popular one.

@mymike Btw some watches require an account to set up, so I plan on having some functionality for that anyway - might be able to pull data from a Garmin account too if they are not changing that too frequently.

Ah, I didn't see the uWatch app before, I guess it was never in OpenStore? Based on the limited number of responses it lookes like PineTime might be the second most popular one after Pebble. I also had no idea it shipped with a default OS, no info on the store page (but that makes things easier).

@mymike Which model is that? I'll probably get a Garmin once I get back to running properly Though if it syncs with WiFi a lot of the functionality might not be possible without an account and the official app. Sniffing BT is not hard, but the log file contains all Bluetooth traffic the phone participated in, and even if you filter it for the watch only, that can potentially still contain personal/confidential information (notification content, health data, etc). Not something you want to share imo.

Oh fun, PineTime uses the same IC that Bangle.js 2 uses, so the OS I'm making for that would also work on PineTime

@wgarcia Do you mean PineTime or did they release something new? PineTime is a bit complicated, because there are so many options for the OS - so I guess it would rather be "support for Infinitime OS watches" rather than PineTime specifically.

So for PineTime if everyone could also mention the OS they are using on it it would be nice (and if you are running any non-stock OS on any other watch it would be good info as well, AsteroidOS is probably popular but there might be more).

While waiting for my Pebble Steel to arrive (so I can debug why it refuses to work on more recent BlueZ) I'm working on an app for a few smartwatches/bands I have (generic M16-mini, Amazfit Bip, Bangle.js 2, possibly Amazfit Stratos and Huawei Band 7).

I'll make it generic enough to make it easy to add new watches/bands (but at the same time support as close to 100% of the device functionality as humanly possible), but if there is a particular device a lot of people use or want to use I could try to get it and add it in the first release.

@MrT10001 This is very weird, because we ship all the executables in the installer itself. On Windows I would guess that maybe when you install adb/fastboot you also get the drivers, but that definitely doesn't happen on any Linux distro.

What happens if you try to use the installer without having these installed on your system?

@domubpkm I have a plan and did some research, but no concrete implementation yet - I do think I could start some tests in the near future though. I'll keep you all updated in this thread.

Just to clear some stuff up.

@MrT10001 said in 0.9.10-beta failure on Ubuntu:

I have the latest ADB and fastboot which is working with all else.

The installer has its own adb and fastboot, it won't use the system ones unless you tell it to.

@MrT10001 said in 0.9.10-beta failure on Ubuntu:

At the moment the 0.9.7 installer is stable and fine.

@stanwood said in 0.9.10-beta failure on Ubuntu:

@domubpkm Don't know it it's related, but I've got an error message when opening UBports Installer.
It says that I run the 9.7 pre-release, which is however the stable release.

Doing a snap refresh command returns that I'm running the latest stable software...

There was an issue with the version check, will be fixed in the next release.

I'm not sure who decided to put clearly marked beta versions on a stable channel, but until you see a 1 at the start of the version none of them is going to be more stable than the other. If you have issues with some version I'd start by using AppImage instead of an older version - snap is very often the reason for USB issues and generally newer versions have important bugfixes.

@keneda Oh, I misunderstood your post as recommending the 12 character, text field and manual submit as the requirements for the screen lock, sorry

@keneda That's how you end up with "password123" everywhere. Not everyone stores sensitive data on their phone + as long as the bootloader is unlocked and data unencrypted any point about security is moot

@kugiigi It's a pin code, security is not improved that much by not showing the length - best UX would be to offer a choice.

But if we are not saving the length then it should start with no circles - we could show some helper text like "enter PIN" and "enter PIN or use the fingerprint scanner" if that's also set up.

The circles could show up empty and fill over ~200ms to preserve the current design a bit too.

Also, @lduboeuf why 12 as the new limit?

@marekf Using the installer is the only supported installation method, this doesn't change with focal.