Android Password Store September release

Continuing with this new-ish tradition we have going, here are the detailed release notes for the v1.12.0 release.

Multiple important announcements at the end of the page, make sure to read the whole thing!

New features#

Extend Autofill support to more browsers#

Devin J. Pohly and Rounak Dutta collectively contributed support for 3 new Chromium-based browsers: Bromite, Ungoogled Chromium and Kiwi.

Allow sorting by recently used#

This feature was requested a while ago and was implemented by Alex Molinares early in the cycle. The database that keeps track of the recently used passwords is always active, so if and when you switch to this sorting mode you’ll see everything already sorted based on your old usage patterns. Neat!

Add ability to view Git commit log#

Another, even older feature request has finally been addressed. This too, came from an external contributor and was one of the best pull requests I have ever seen. It’s a great feature, and I thoroughly enjoyed the entire process of its inclusion.

SSH key generation and handling improvements#

The old SSH key generation has been scrapped and rewritten to use a set of safer cryptographic curve options that span the distance between widely supported and very secure. The wiki page has been updated for these changes with information on how we’re securing access to the actual SSH keys, like storing the key file in the Android Keystore and requiring screen lock authentication before the key can be used.

Fallback authentication for SSH#

SSH servers are often configured to have multiple authentication methods, where you first attempt to authenticate with private keys and if that fails, fall back to passwords. This wasn’t previously supported in APS, which would quit after the first failure. We’ve changed that to now offer the option of entering a password if the server is configured to fall back to it.

Rewritten and redesigned onboarding flow#

In a multi-step refactoring process, the initial flow of setting up the app has been completely revamped. The internals were completely overhauled to improve stability, weed out some gnarly hacks, and make the whole thing easier to test and understand. Maintainer Aditya Wasan did a fabulous job giving the UI a facelift. It’s real pretty now ✨

Show hidden folders now also shows hidden directories#

Our old ‘Show hidden folders’ feature has now been simplified to show all hidden files and folders in the repository. It is intended to make it easier to perform trivial maintenance tasks that would normally require access to a PC.

Bugfixes#

SSH connection problems with Bitbucket#

In our last major release, we included a change to re-use SSH connections to speed up Git operations. This had an unfortunate side effect: Bitbucket users were unable to use SSH to connect to their repositories. Atlassian has been aware of this problem for quite some time now and did nothing about it, so we now include a helpful message and an internal workaround when this particular type of error is encountered.

While still potentially finicky, we’re now confident that this is ready to be shipped to all users without the risk of crashes.

Assorted UX improvements#

As always, there are a handful of Quality of Life changes to make the app more enjoyable to use:

  • When retrying password authentication, the option to see what you’re typing would be obscured by the error icon for wrong password. This has been remedied, and the error state will now be cleared as soon as you enter anything into the password field.
  • Authentication modes will now be dynamically hidden and shown based on the URL’s schema so you’re aware of what methods you have for authentication for any given remote repository.
  • Since decryption can sometimes take a couple seconds due to how OpenKeychain works, we now hide the action buttons at the top of the screen until the decrypt operation has completed since using the buttons before that can leave the app in an odd state.
  • Users will be prompted if they need to provide a username in their URLs. For example, if your repository is at https://github.com/john.doe/passwords, you will have to change the URL to https://john.doe@github.com/john.doe/passwords for HTTPS authentication to work.
  • If it appears that an SSH URL contains a custom port but does not specify the ssh:// schema, the user will be prompted to accept a quickfix that does it for them.
  • Pressing the save button is no longer necessary to save changes to authentication mode.
  • TOTP values might sometimes be outdated because we always wait 30 seconds to generate a new one. Now the app will calculate the time left before the first generated value goes stale, generate a new one once it does, and then resume the 30 second cycle.

There’s definitely more fixes here, but we ended up rewriting, breaking and fixing so many things for this release that it’s hard to tell what was actually broken in the previous release and what is just us fixing regressions during refactoring. We’ve been busy :)

Important announcements#

Autofill parser is now a standalone library!#

Our excellent Autofill capabilities are now bundled as a separate Android library and can be used by other password managers to improve their Autofill experiences. Detailed documentation will be coming over the next few days, keep an eye out here if it’s something you’re interested in.

RFC for removal of Git support in external repos#

Based on the issues raised in the repository and the support emails I’ve received, the maintainers have come to the conclusion that nearly all users who choose to store their pass repositories in their device storage or external SD card as opposed to the app’s private, hidden directory are not users of Git and rely on solutions like Syncthing and Nextcloud to keep the repository in sync with their other devices.

As such, we are now in the process of removing Git support from these repositories. We’ve carefully evaluated how we want to do this, and have started with removing the ability to clone repositories to public storage in this release. If this doesn’t blow up in our faces, we will be completing the transition in v1.13.0. If you believe the change adversely affects your usage of the app, we wanna know! Drop a comment on GitHub and we will do our best to either propose an alternative for your use case or entirely scrap our plans if we discover that our initial inferences were misguided.

You can sponsor me through GitHub to support this blog, my work on Password Store and all my other open source projects.

Articles from blogs I follow around the net

What's in a Rainbow table?

In Veronica Mars and password hashes, from my new Tech As Seen On TV series, we've explored "cracking passwords" using brute-force methods, and then using rainbow tables, which was much, much faster.

via fasterthanli.me October 28, 2020

Peeking at command-line ANSI escape sequences

Command-line programs use color to convey additional information and to look pretty. For example, compare the output of ls with and without the --color flag:

via October 28, 2020

Usage of SharedFlow

onCreate With the 1.4 Update, kotlin coroutines brought us a lot of features and improvements. One of them was the introduction of SharedFlow. Basically, what I would like to call it, is simply a “Single Event StateFlow”. Remember single event LiveData wo…

via Coroutinedispatchers' blog October 27, 2020

Generated by openring