SamuraiSafe Design
SamuraiSafe was designed with security and simplicity as primary goals.
App Security
Every entry in a SamuraiSafe password store is separately encrypted with AES using a 256-bit key. Passwords are stored as distinct encrypted objects and are decrypted only at the moment they are needed, which limits how much cleartext exists in memory on the device at any time.
Each encrypted object also carries a keyed message authentication code (HMAC), so corruption or tampering of an entry or password is detected rather than silently producing garbage. Because entries are encrypted and authenticated independently, the impact of any such corruption is confined to the affected entry.
The encryption algorithms used in SamuraiSafe are published on GitHub.
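As an added illustration of the per-entry design described above (example code written for this page, not SamuraiSafe's own implementation from GitHub), the following Go program seals each entry on its own under AES-256 with a fresh IV and an HMAC-SHA256 tag, verifies the tag before it ever decrypts, and shows that corrupting one entry leaves the others fully recoverable. The CTR mode, the SHA-256 label split used to derive the encryption and MAC keys from the safe key, and the sample passwords are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// ErrTampered is returned when an entry's HMAC does not verify (corruption or tampering).
var ErrTampered = errors.New("entry failed authentication: corrupt or tampered")

// SealedEntry is one stored password: a 16-byte IV followed by AES-256-CTR ciphertext,
// plus an HMAC-SHA256 tag over that blob. The plaintext only exists while Open runs.
type SealedEntry struct {
	Blob []byte
	Tag  []byte
}

// subkeys derives independent encryption and MAC keys from the 32-byte safe key.
// Assumption for the example: a SHA-256 label split; a real store would use a KDF such as HKDF.
func subkeys(safeKey []byte) (encKey, macKey []byte) {
	e := sha256.Sum256(append(append([]byte{}, safeKey...), []byte("enc")...))
	m := sha256.Sum256(append(append([]byte{}, safeKey...), []byte("mac")...))
	return e[:], m[:]
}

// Seal encrypts one plaintext under its own random IV and then authenticates
// IV||ciphertext (encrypt-then-MAC), so each entry stands alone.
func Seal(safeKey, plaintext []byte) (SealedEntry, error) {
	encKey, macKey := subkeys(safeKey)
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return SealedEntry{}, err
	}
	blob := make([]byte, aes.BlockSize+len(plaintext))
	iv := blob[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return SealedEntry{}, err
	}
	cipher.NewCTR(block, iv).XORKeyStream(blob[aes.BlockSize:], plaintext)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(blob)
	return SealedEntry{Blob: blob, Tag: mac.Sum(nil)}, nil
}

// Open verifies the HMAC first (constant-time compare) and only then decrypts,
// so corrupted or forged data is rejected without ever being fed to the cipher.
func Open(safeKey []byte, e SealedEntry) ([]byte, error) {
	encKey, macKey := subkeys(safeKey)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(e.Blob)
	if !hmac.Equal(mac.Sum(nil), e.Tag) || len(e.Blob) < aes.BlockSize {
		return nil, ErrTampered
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(e.Blob)-aes.BlockSize)
	cipher.NewCTR(block, e.Blob[:aes.BlockSize]).XORKeyStream(out, e.Blob[aes.BlockSize:])
	return out, nil
}

func main() {
	safeKey := make([]byte, 32) // stands in for the user's private safe key
	if _, err := io.ReadFull(rand.Reader, safeKey); err != nil {
		panic(err)
	}
	// Constructed sample entries for the demonstration.
	store := map[string]SealedEntry{}
	for name, pw := range map[string]string{"bank": "hunter2", "mail": "correct horse battery staple"} {
		e, err := Seal(safeKey, []byte(pw))
		if err != nil {
			panic(err)
		}
		store[name] = e
	}
	// Simulate one corrupted byte on disk in the "bank" entry only.
	store["bank"].Blob[len(store["bank"].Blob)-1] ^= 0x01
	for name, e := range store {
		pw, err := Open(safeKey, e) // "bank" fails with ErrTampered; "mail" still opens
		fmt.Printf("%-4s plaintext=%q err=%v\n", name, pw, err)
	}
}
```

Two details carry the security argument: the tag is checked before any decryption, so a flipped byte in either the ciphertext or the tag is reported as ErrTampered instead of yielding a subtly wrong password, and a wrong safe key fails the same check because the MAC key is derived from it.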
Cloud Security
SamuraiSafe can sync via iCloud Drive or manually via iTunes. If you use iCloud sync, Apple applies additional layers of encryption while the data transits the network and while it is stored on Apple's iCloud servers; underneath those layers the safe remains encrypted with your own key, exactly as it is on the device.
iCloud use is entirely optional, so you maintain control over your private information. Your encrypted password safe only resides where you permit it.
Autofill vs Clipboard
SamuraiSafe long resisted adopting password autofill of web pages within the web browser, because the implementations were often vulnerable to compromise. It now adopts Apple's AutoFill Credential Provider Extension interface, which is built into iOS/iPadOS and is designed to avoid such vulnerabilities.
Importantly, there is no "auto" in Autofill: user authentication and confirmation are always required. In addition, Apple goes to some lengths to ensure that the websites or domains associated with an application are legitimate (through its Associated Domains mechanism, in which the website itself publishes which app identifiers it trusts), although one can't discount the possibility that these mechanisms may be circumvented in certain situations.
Autofill is optional, and you can still use copy/paste or drag/drop. Both briefly place your password or other selected data on the system clipboard, from which you paste it into the appropriate field. With copy/paste the clipboard is cleared automatically after a configurable timeout.
With drag and drop a clipboard is also used, but it is cleared immediately when the drop completes. In either case there remains the risk that a malicious application could read the clipboard contents while the data is on it[1], so keep the timeout short and be aware that, unless an app marks clipboard data as local-only, Universal Clipboard can also carry it to your other Apple devices.
TouchID and FaceID
Most iOS password managers allow TouchID/FaceID to authenticate the user before opening a password safe. This requires storing credentials (either your private safe key or something derived from it) on the iOS device so that the safe can be decrypted. These stored credentials are themselves encrypted and are quite secure: the keys that protect them remain within the Secure Enclave, and the credentials never leave the device. However, it breaks the design principle of never storing or transmitting your private key.
Nevertheless, adding TouchID/FaceID has been a very popular request, so now we have it. SamuraiSafe enforces the policy of invalidating the stored credentials if any fingerprint or face is added to or removed from the device[2], so after such a change the safe password must be entered again.
Please note that TouchID has been defeated with fake fingerprints. Also, if you jailbreak your device you disable core protection mechanisms, and extracting private information from the running application (or from one masquerading as it) becomes dramatically easier.
There is another risk of TouchID and FaceID worth mentioning: forgetting your SamuraiSafe safe password, because you no longer type it regularly. The remedy is to change the safe password to one you will remember while TouchID/FaceID is still working on the device. If you restore or replace the device, the stored credentials are gone, and a safe password that you have not remembered or recorded elsewhere is lost with them.