Privacy Browser Android

Looking at the screenshots you posted, I would guess that, at a minimum, you would need to enable JavaScript, maybe enable DOM storage, and possible disable some of the blocklists for the password manager to integrate with the WebView.

Along those lines, I would recommend you read the following URL regarding the negative security and privacy implications of integrating a password manager with a web browser: https://lock.cmpxchg8b.com/passmgrs.html

Thanks for the feedback.

Unfortunately, enabling DOM storage and disabling blacklist does not help.

Thanks for the article as well. I am not sure what the best solution is to manage passwords but I feel relatively safe using KeePass. On my computer, I use an autotype feature accessed with a keyboard shortcut. There is no manipulation of the DOM whatsoever, just keyboard strokes. On my phone, I currently have to copy passwords to the clipboard and I feel quite uneasy doing this. The AutoFill feature feels like a good feature to me as it is native, though I am not tech-savvy enough to say if it’s using the Webview trusted UI or if it is interacting with the DOM. However, I know that the password is filled only after an explicit interaction with KeePassDC so I feel the risk of a password leak is somehow limited.

Cookie “pinning” as I suggested in issue #245 (https://redmine.stoutner.com/issues/245) would be a good alternative I guess, as I only interact with less than 10 logged-in websites on a weekly basis, but still, I believe AutoFill would be a great way to improve the process of logging into a website.

I use KeePass as well, although a different app. However, I feel that integrating a password manager with a web browser is a privacy and security liability, and I am unlikely to spend any time trying to make it work with Privacy Browser.

I understand, it’s ok.
Just to be curious, what is your workflow? Do you copy-paste?

Copy and paste has significant security and privacy concerns as well.

My workflow is as follows on both desktop and mobile.

1. My browser never saves cookies or any login information.
2. I use passphrases instead of passwords. Basically the passwords are sentences. The passphrases are usually something that is easy to remember relating to the website in question. So, for Google, it might be something along the lines of "Google is on the naughty list." Think https://xkcd.com/936/.
3. I rarely need to open my password manager. If I am visiting a website I don't use often, I open the password manager to remind myself what the password is. Then I close the password manager, go back to the website, and type the password.
4. For sensitive webpages that support it, I also use time-based OTP codes, which are calculated using andOTP. https://f-droid.org/en/packages/org.shadowice.flocke.andotp/

Thanks a lot. I currently use totally random passwords. I'll consider changing that.

If you haven't already, you might try enabling screenshots in the settings. I don't know if it matters, but it is possible that autofill requires that other apps be able to see Privacy Browser's screen.

Hello,
Thanks for the idea.
I played around with most settings (dark theme, top/bottom URL bar, fullscreen, etc.) without luck.
Strangely the autofill sometimes work. I found that having the database unlocked in KeePassDX helps but still, it's pretty random.

Same here. Bitwarden has this autofill button that overlays beside textbox. Sometimes the button appears, but mostly it doesn't. The workaround is, I switch to home, then back to browser. Then into the textbox, the button appears (which is totally weird).

Btw, this is not at all native android autofill functionality. This works based on the overlay mechanism, where you access your password manager & select the entry. Then bitwarden fills the text fields automatically for you.

As far as the keepass or other pass managers concerned, @JB is right about this. Native autofill doesn't work on PB with any pass managers. I've tested Bitwarden, ProtonPass & KeepassDX without success. Strangely, all of them work on other browsers such as FOSS browser, Lightning, Mullvad, etc.

And @Soren Stoutner, #1094 is a duplicate of this. You should reopen this issue & close that one.

@Soren Stoutner Btw, my opinion is, that the passphrases are no different than passwords (randomized alphanumeric symbols with 16+ chars), unless you also implement some form of cipher methods on them, such as symmetric cipher, substitution, etc.

And it's also a hazzle to remember all the phrases and manual cryptographic ciphers you apply on them. Caz we are humans & we forget stuff, which is way more unsecure if a service has no recovery methods. You'll end up deadlocking yourself. You also can't store recovery codes & TOTPs, so there's no escape for a pass manager, if you wanna be secure. The best way is to maintain a password database, & remember only one master phrase where you can note it down physically somewhere or remember it permanently.

This'll be further complicated in the future with quantum computing access & we're gonna use quantum safe pass managers by then.

After thinking deeply about this for several days, I have decided that it is a really good thing that autofill no longer works with Privacy Browser's WebViews. See Bug #723: Connects to content-autofill.googleapis.com when tapping on an input field for a discussion about how a malicious or malfunctioning autofill provider can use the integration to exfiltrate a user's browsing history.

I wrote a lengthy blog post on the subject at:

https://www.stoutner.com/privacy-browser-and-password-managers/

For me, Bitwarden works fine. It uses overlay method instead of autofilling. Welp, if autofill not working makes it more secure, I'm all for it. Don't fix it.

I would consider any method of overly to be far too compromised from a security or privacy perspective to every be an acceptable integration with Privacy Browser.