Stoutner - Redmine (https://redmine.stoutner.com/)
Privacy Browser Android - Bug #736: AutoFill not working when targeting recent versions of Android
Soren Stoutner (soren@stoutner.com), 2021-06-07T16:05:20Z, https://redmine.stoutner.com/issues/736?journal_id=2041
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li><li><strong>Assignee</strong> set to <i>Soren Stoutner</i></li></ul><p>WebView supports autofill in native mode. As you can see, all the browsers based on WebView in the list on the link you shared (Lightning, FOSS Browser) are listed as having native support.</p>
<p>I am doing nothing to prevent autofill from working in Privacy Browser. I also have no way of fixing any autofill bugs, as any problems would exist either in the code for WebView or in the code for KeePassDX's autofill implementation.</p>
<p>I would recommend making sure you have the latest version of WebView installed.</p>
JB Hétier, 2021-06-07T20:11:47Z, https://redmine.stoutner.com/issues/736?journal_id=2042
<ul><li><strong>File</strong> <a href="/attachments/166">Screenshot_20210607-215940_Navigateur_FOSS.png</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/166/Screenshot_20210607-215940_Navigateur_FOSS.png">Screenshot_20210607-215940_Navigateur_FOSS.png</a> added</li><li><strong>File</strong> <a href="/attachments/165">Screenshot_20210607-220123_Privacy_Browser.png</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/165/Screenshot_20210607-220123_Privacy_Browser.png">Screenshot_20210607-220123_Privacy_Browser.png</a> added</li><li><strong>File</strong> <a href="/attachments/167">Screenshot_20210607-220937_Lightning.png</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/167/Screenshot_20210607-220937_Lightning.png">Screenshot_20210607-220937_Lightning.png</a> added</li></ul><p>I just tried with FOSS Browser and Lightning and it works.<br />The behavior is indeed different as you can see in the two screen captures. I took motogp.com as an example but it's the same on every site I tried.<br />I tried switching Privacy Browser to a "light" theme as it was the only obvious difference.</p>
<p>I am sorry to insist, but there seems to be an issue in Privacy Browser.</p>
Soren Stoutner (soren@stoutner.com), 2021-06-08T02:26:54Z, https://redmine.stoutner.com/issues/736?journal_id=2043
<ul></ul><p>Looking at the screenshots you posted, I would guess that, at a minimum, you would need to enable JavaScript, maybe enable DOM storage, and possibly disable some of the blocklists for the password manager to integrate with the WebView.</p>
<p>Along those lines, I would recommend you read the following URL regarding the negative security and privacy implications of integrating a password manager with a web browser: <a class="external" href="https://lock.cmpxchg8b.com/passmgrs.html">https://lock.cmpxchg8b.com/passmgrs.html</a></p>
JB Hétier, 2021-06-08T06:32:19Z, https://redmine.stoutner.com/issues/736?journal_id=2044
<ul></ul><p>Thanks for the feedback.</p>
<p>Unfortunately, enabling DOM storage and disabling blacklist does not help.</p>
<p>Thanks for the article as well. I am not sure what the best solution is to manage passwords but I feel relatively safe using KeePass. On my computer, I use an autotype feature accessed with a keyboard shortcut. There is no manipulation of the DOM whatsoever, just keyboard strokes. On my phone, I currently have to copy passwords to the clipboard and I feel quite uneasy doing this. The AutoFill feature feels like a good feature to me as it is native, though I am not tech-savvy enough to say if it’s using the WebView trusted UI or if it is interacting with the DOM. However, I know that the password is filled only after an explicit interaction with KeePassDX so I feel the risk of a password leak is somehow limited.</p>
<p>Cookie “pinning” as I suggested in issue <a class="issue tracker-2 status-1 priority-10 priority-highest" title="Feature: Add the ability to keep cookies linked to domain setting when exiting (New)" href="https://redmine.stoutner.com/issues/245">#245</a> (<a class="external" href="https://redmine.stoutner.com/issues/245">https://redmine.stoutner.com/issues/245</a>) would be a good alternative I guess, as I only interact with less than 10 logged-in websites on a weekly basis, but still, I believe AutoFill would be a great way to improve the process of logging into a website.</p>
Soren Stoutner (soren@stoutner.com), 2021-06-08T16:28:29Z, https://redmine.stoutner.com/issues/736?journal_id=2045
<ul></ul><p>I use KeePass as well, although a different app. However, I feel that integrating a password manager with a web browser is a privacy and security liability, and I am unlikely to spend any time trying to make it work with Privacy Browser.</p>
JB Hétier, 2021-06-08T16:58:25Z, https://redmine.stoutner.com/issues/736?journal_id=2046
<ul></ul><p>I understand, it’s ok.<br />Just to be curious, what is your workflow? Do you copy-paste?</p>
Soren Stoutner (soren@stoutner.com), 2021-06-08T21:11:27Z, https://redmine.stoutner.com/issues/736?journal_id=2047
<ul></ul><p>Copy and paste has significant security and privacy concerns as well.</p>
<p>My workflow is as follows on both desktop and mobile.</p>
<p>1. My browser never saves cookies or any login information.<br />2. I use passphrases instead of passwords. Basically the passwords are sentences. The passphrases are usually something that is easy to remember relating to the website in question. So, for Google, it might be something along the lines of "Google is on the naughty list." Think <a class="external" href="https://xkcd.com/936/">https://xkcd.com/936/</a>.<br />3. I rarely need to open my password manager. If I am visiting a website I don't use often, I open the password manager to remind myself what the password is. Then I close the password manager, go back to the website, and type the password.<br />4. For sensitive webpages that support it, I also use time-based OTP codes, which are calculated using andOTP. <a class="external" href="https://f-droid.org/en/packages/org.shadowice.flocke.andotp/">https://f-droid.org/en/packages/org.shadowice.flocke.andotp/</a></p>
JB Hétier, 2021-06-08T22:14:38Z, https://redmine.stoutner.com/issues/736?journal_id=2048
<ul></ul><p>Thanks a lot. I currently use totally random passwords. I'll consider changing that.</p>
Soren Stoutner (soren@stoutner.com), 2021-06-30T15:25:26Z, https://redmine.stoutner.com/issues/736?journal_id=2078
<ul></ul><p>If you haven't already, you might try enabling screenshots in the settings. I don't know if it matters, but it is possible that autofill requires that other apps be able to see Privacy Browser's screen.</p>
JB Hétier, 2021-07-01T18:48:47Z, https://redmine.stoutner.com/issues/736?journal_id=2081
<ul></ul><p>Hello,<br />Thanks for the idea.<br />I played around with most settings (dark theme, top/bottom URL bar, fullscreen, etc.) without luck.<br />Strangely the autofill sometimes works. I found that having the database unlocked in KeePassDX helps but still, it's pretty random.</p>
ask low, 2023-10-17T07:20:18Z, https://redmine.stoutner.com/issues/736?journal_id=3391
<ul></ul><p>Same here. Bitwarden has this autofill button that overlays beside textbox. Sometimes the button appears, but mostly it doesn't. The workaround is, I switch to home, then back to browser. Then into the textbox, the button appears (which is totally weird).</p>
<p>Btw, this is not at all native Android autofill functionality. This works based on the overlay mechanism, where you access your password manager & select the entry. Then Bitwarden fills the text fields automatically for you.</p>
<p>As far as KeePass or other pass managers are concerned, @JB is right about this. Native autofill doesn't work on PB with any pass managers. I've tested Bitwarden, ProtonPass & KeePassDX without success. Strangely, all of them work on other browsers such as FOSS browser, Lightning, Mullvad, etc.</p>
<p>And <a class="user active user-mention" href="https://redmine.stoutner.com/users/5">@Soren Stoutner</a>, <a class="issue tracker-1 status-5 priority-4 priority-low2 closed" title="Bug: Autofill not working (Closed)" href="https://redmine.stoutner.com/issues/1094">#1094</a> is a duplicate of this. You should reopen this issue & close that one.</p>
ask low, 2023-10-17T07:43:39Z, https://redmine.stoutner.com/issues/736?journal_id=3392
<ul></ul><p><a class="user active user-mention" href="https://redmine.stoutner.com/users/5">@Soren Stoutner</a> Btw, my opinion is, that the passphrases are no different than passwords (randomized alphanumeric symbols with 16+ chars), unless you also implement some form of cipher methods on them, such as symmetric cipher, substitution, etc.</p>
<p>And it's also a hassle to remember all the phrases and manual cryptographic ciphers you apply on them. 'Cause we are humans & we forget stuff, which is way more unsecure if a service has no recovery methods. You'll end up deadlocking yourself. You also can't store recovery codes & TOTPs, so there's no escape for a pass manager, if you wanna be secure. The best way is to maintain a password database, & remember only one master phrase where you can note it down physically somewhere or remember it permanently.</p>
<p>This'll be further complicated in the future with quantum computing access & we're gonna use quantum safe pass managers by then.</p>
Soren Stoutner (soren@stoutner.com), 2023-10-17T18:18:08Z, https://redmine.stoutner.com/issues/736?journal_id=3393
<ul><li><strong>Tracker</strong> changed from <i>Feature</i> to <i>Bug</i></li><li><strong>Subject</strong> changed from <i>AutoFill issues when using a password manager</i> to <i>AutoFill not working when targeting recent versions of Android</i></li><li><strong>Status</strong> changed from <i>Closed</i> to <i>New</i></li><li><strong>Priority</strong> changed from <i>3.x</i> to <i>Next Release</i></li></ul><p>Yes, this looks like it aligns with when Android broke autofill on WebView by default. I will close <a class="issue tracker-1 status-5 priority-4 priority-low2 closed" title="Status: Closed" href="https://redmine.stoutner.com/issues/1094">Bug #1094: Autofill not working</a> and look at the issue here.</p>
Soren Stoutner (soren@stoutner.com), 2023-10-21T21:01:16Z, https://redmine.stoutner.com/issues/736?journal_id=3431
<ul></ul><p>After thinking deeply about this for several days, I have decided that it is a really good thing that autofill no longer works with Privacy Browser's WebViews. See <a class="issue tracker-1 status-5 priority-4 priority-low2 closed" title="Status: Closed" href="https://redmine.stoutner.com/issues/723">Bug #723: Connects to content-autofill.googleapis.com when tapping on an input field</a> for a discussion about how a malicious or malfunctioning autofill provider can use the integration to exfiltrate a user's browsing history.</p>
<p>I wrote a lengthy blog post on the subject at:</p>
<p><a class="external" href="https://www.stoutner.com/privacy-browser-and-password-managers/">https://www.stoutner.com/privacy-browser-and-password-managers/</a></p>
Soren Stoutner (soren@stoutner.com), 2023-10-21T21:01:47Z, https://redmine.stoutner.com/issues/736?journal_id=3433
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li></ul>
ask low, 2023-10-21T22:04:42Z, https://redmine.stoutner.com/issues/736?journal_id=3435
<ul></ul><p>For me, Bitwarden works fine. It uses overlay method instead of autofilling. Welp, if autofill not working makes it more secure, I'm all for it. Don't fix it.</p>
Soren Stoutner (soren@stoutner.com), 2023-10-21T22:35:52Z, https://redmine.stoutner.com/issues/736?journal_id=3437
<ul></ul><p>I would consider any method of overlay to be far too compromised from a security or privacy perspective to ever be an acceptable integration with Privacy Browser.</p>