![]() ![]() Imagine a scenario where their backup server gets breached, and the only thing standing between the attacker and your most sensitive media is 10,000 rounds of PBKDF2-SHA1. The patch notes clearly state that the separate ‘cloud password’ is never backed up to their server, but even without the password I would have a lot of questions about how strong of a KDF is being used on the password, what are the minimum password strength requirements, etc.This is not a reflection on PPV itself (I have no knowledge of the developer), but I have seen enough abhorrent things with other vault apps with this type of offering to default to alarm bells. I will say that non-CloudKit (iCloud) based storage for an app like this, for me, is on its own reason enough to exercise extreme caution.These opinions are based on generalized concepts that would apply to any vault app with such a feature. Full disclosure: I have not investigated this feature as of yet.There is now a ‘cloud backup’ option available (for a fee). Also having an option for custom alphanumeric would be nice to see. Still, having any cap on the length at all seems unnecessary.Instead of having a known length (4 digit) PIN (keyspace of 10^4), we now have any length from 4-8, e.g. 4 digit numeric keyspaces, even ones with a reasonably strong KDF backing them, are pretty much always going to be susceptible to bruteforce. This is a long overdue increase of security for the app.Numeric passcodes can now be *up to* 8 digits long. It does add extra steps though, and falls more in line with what some of the larger apps are doing (e.g. From a security perspective, this doesn’t change things a whole lot because of the fact that you still only need 1 key (the SQLCipher key) to get to the database. ![]() Formerly, once you had derived the ‘media key’, you were good to go for decrypting all data if you knew the structure of the cryptographic media container.Media items are now protected using a unique key per item. This is a solid security upgrade to PPV as previously one could glean a lot of information about what the encrypted media might be by simply looking at the database (and observing things like album titles). ![]() Despite this, it is fully compatible with SQLCipher viewing tools like DB Browser for SQLCipher.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |