seeming difference with android app

's Avatar

andy

07 Nov, 2015 10:02 PM

Hi,

I have been using the app for some time on my android phone on android version 4.4.4 on my Nexus 4. I have just received a new phone (wileyfox storm) which runs a Cyanogen OS - 12.1-YOG4PAS3MG - which is Android 5.1.1 based.

I now find on the new fone passwords are being generated that differ from the version on my old phone and my linux terminal based implementation.

I have checked several times and I dont seem to be typing in anything different. I have tried using my old phone and get the passwords I expected.

Is this a known issue?

Best Regards,

Andy

  1. Support Staff 1 Posted by Maarten Billemo... on 07 Nov, 2015 11:40 PM

    Maarten Billemont's Avatar

    Hey Andy. Can you reproduce the problem with a test user and/or a test master password? If so, please specify the test user name, master password, site name and resulting password on various platforms.

  2. 2 Posted by andy on 08 Nov, 2015 12:48 PM

    andy's Avatar

    Hi Maarten,

    I have tested as follows:

    User: New Test User

    Password: new test user password

    Site: google.com

    Resulting passwords:

    Terminal C Code Version - Linux Mint 14 Maya: Jifn3*NalzSemi
    Nexus 4 Android 4.4.4: Jifn3*NalzSemi
    Wileyfox Cyanogen OS - 12.1-YOG4PAS3MG -Android 5.1.1: BetqDoqiPeqv4=

    I have done it a few times to make sure the results are consistent each
    time.

  3. 3 Posted by andy on 11 Nov, 2015 09:01 PM

    andy's Avatar

    Hi Maarten,

    Just to let you know I tried this on a friends Sony Experia with
    Android 5.1.1 running and it returns the results I was expecting so it
    seems to be specific to the Cyanogen somehow.....

  4. Support Staff 4 Posted by Maarten Billemo... on 12 Nov, 2015 01:18 AM

    Maarten Billemont's Avatar

    Hey Andy,

    If you have ADB installed, can you try running:

    echo c_.l_.m_.MasterKeyV{0..3} | xargs -n1 -I{} adb shell setprop log.tag.{} VERBOSE
    adb logcat -s c_.l_.m_.MasterKeyV{0..3}:VERBOSE
    

    And then trying the above again to see if you can get some details about the key and password generation of the test site's password on the Cyanogen device?

  5. 5 Posted by andy on 13 Nov, 2015 09:17 AM

    andy's Avatar

    HI Maarten,

    I have tried to use ABD to the phone but I am having problems with the
    device not being connected. I set up the UDEV etc. I will and start over
    during the weekend with luck.

  6. 6 Posted by oli_0x72 on 20 Nov, 2015 09:42 AM

    oli_0x72's Avatar

    Hi Maarten, hi Andy,

    as I encountered the same Issue with my new LG G4 I built the app from source and did some debugging. Compared to an emulator (from android-sdk) everything was exactly the same (masterpassword, masterKeySalt, etc) but the generated masterKeys were different. Obviously the scrypt call returns unequal values for equal parameters.

    Spontaneously I suppose either the different Android version (5.0 vs 5.1) or the different architecture (x86 vs arm_x64) to cause the bug in scrypt.

    Greetings
    Oliver

  7. 7 Posted by andy on 20 Nov, 2015 11:30 AM

    andy's Avatar

    Thanks for this Oliver, I have not had time to try this further... I'm
    clearly not doing something right to get my phone to connect to ADB.

  8. 8 Posted by oli_0x72 on 20 Nov, 2015 01:21 PM

    oli_0x72's Avatar

    Did another test with an Android 5.1 emulator and it works as expected. Unfortunately I did not get the 64bit emulator to work... Therefor I saved the logs this time

  9. Support Staff 9 Posted by Maarten Billemo... on 10 Dec, 2015 01:45 PM

    Maarten Billemont's Avatar

    It appears your LG is triggering a bug in the scrypt library.

    I'm not sure when I'll have time to debug wg's libscrypt, though. For your reference, it is here: https://github.com/wg/scrypt

  10. 10 Posted by oli_0x72 on 11 Dec, 2015 08:09 PM

    oli_0x72's Avatar

    I had a few minutes today and had a closer look at wg's libscrypt. As you probably know it distinguishes three different loaders (sys, jar and nil).
    Sysloader which is used by default leads to mentioned behavior.
    JarLoader throws an Exception and
    NilLoader with its Java implementation returns the expected key though it takes almost a minute to derive the key.

    In case you my need a helping hand investigating this issue feel free to contact me and I'll see what I can do

  11. 11 Posted by oli_0x72 on 12 Dec, 2015 11:26 PM

    oli_0x72's Avatar

    just another short notice: removing the arm64-v8a libscrypt.so leads to the app calculating the right passwords - so bug might be in that library

  12. 12 Posted by Mazinger Péter on 22 Dec, 2015 02:33 PM

    Mazinger Péter's Avatar

    I have the same issue on a Sony Xperia Z5 Compact, Android 5.1.1 (current official release)
    The web/desktop versions deliver the same result, android not.
    Note: the Username I tested with contains a "special" character 'é'

  13. 13 Posted by Dirk on 02 Jan, 2016 05:30 PM

    Dirk's Avatar

    ... same problem here - web and jar versions create the same passwords while android (5.0.2) does not. TEST (user=test, masterpassword=test, site=test) should generate: CefoTiciJuba7@

    regards
    Dirk

  14. 14 Posted by Dirk on 02 Jan, 2016 07:31 PM

    Dirk's Avatar

    Hi all,
    I just tested folloing app on Android: https://play.google.com/store/apps/details?id=de.devland.masterpassword

    This generated same passwords than web and Java Versions on my PC!

    regards
    Dirk

  15. 15 Posted by Andy Wilson on 02 Jan, 2016 08:49 PM

    Andy Wilson's Avatar

    Having seen this I too have experimented with this app implementation and the results are consistent with the PC and java versions I have installed.

  16. 16 Posted by oli_0x72 on 03 Jan, 2016 11:59 PM

    oli_0x72's Avatar

    Had a look at this app and its source some time ago - it's using its own custom libscrypt.so and therefore doesn't have this issue.

  17. 17 Posted by Jinwoo Lee on 16 Feb, 2016 04:54 AM

    Jinwoo Lee's Avatar

    Seeing this issue on my new Nexus 5x. On my previous phone (Moto X), everything worked fine, but now on my Nexus 5x, all the passwords are different from what I see on my Mac.

  18. 18 Posted by oli_0x72 on 19 Feb, 2016 01:08 PM

    oli_0x72's Avatar

    Hey Jinwoo,
    your Nexus 5x has the same 64bit CPU as the LG G4 I own. As I pointed out earlier there's a bug in the 64bit Library Maarten ships with his app. So you have to wait until he will release a new version with a fixed library or get yourself another app.
    regards Oliver

  19. Support Staff 19 Posted by Maarten Billemo... on 20 Feb, 2016 11:22 PM

    Maarten Billemont's Avatar

    I've been working on a work-around in the mean time. I'll let you know when something becomes available.

  20. Support Staff 20 Posted by Maarten Billemo... on 21 Feb, 2016 04:22 PM

    Maarten Billemont's Avatar

    Can people here give this version a try and report back?

    https://ssl.masterpasswordapp.com/masterpassword-android-2.4-java.apk

    On the bottom, there is a new button "Integrity Tests". From this screen, we run the standard Master Password test suite. If you get unexpected passwords, these tests should fail.

    If so, see if disabling "Use native key derivation" helps. The toggle is on the bottom of the tests screen. Note: It will likely make key derivation extremely slow. Key derivation is only needed when the user's name or master password changes (or the app restarts).

  21. 21 Posted by Jinwoo Lee on 22 Feb, 2016 07:25 PM

    Jinwoo Lee's Avatar

    I tested using the apk you linked above. When the "Use native key derivation" checkbox checked, the test immediately fails, saying "Incompatible device or OS". With the checkbox unchecked, the progress is extremely slow indeed but it eventually seemed to have passed. When I came back to the screen after ~2 hours, the test window has gone. I don't know why. But I verified all the tests were passing until it had been running for ~30 minutes.

  22. 22 Posted by oli_0x72 on 23 Feb, 2016 04:46 PM

    oli_0x72's Avatar

    I can verify Jinwoos experience - it was exactly the same: with native fail; without extremely slow (test took about 70 min) but all tests were successful. Additionally I removed the arm64-v8a libscrypt to provoke the usage of the armeabi-v7a library and with it the native key derivation test were successful too (about 60s)

  23. 23 Posted by ThisGuy on 09 Aug, 2016 06:14 PM

    ThisGuy's Avatar

    I started using your tool today and ran into a problem.
    Win8 64bit and Android 6 give me the same passwords,
    Win10 64bit on the other hand, does not.

    I'll get back to you soon with test data and java versions.

  24. 24 Posted by Eugen on 12 Oct, 2016 07:40 PM

    Eugen's Avatar

    Hello,

    I ran into this problem with my new phone as well.

    Was this issue resolved? Is it possible to get an older version of MasterPasswordApp and try it with that one?

    Thanks in advance.

  25. Maarten Billemont closed this discussion on 06 May, 2017 12:59 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac

Recent Discussions

15 Nov, 2017 01:51 AM
21 Oct, 2017 05:17 PM
18 Oct, 2017 08:29 PM
17 Oct, 2017 02:59 AM
02 Oct, 2017 11:56 PM