Keeper’s engineering team prioritizes the security and privacy of our customers over all feature and functionality decisions in our application. Our company policy has a strict zero-knowledge and no-data-leakage policy and everything we create adheres to these protocols.
Recently, a team of researchers posted a report about vulnerabilities and bugs in various Android password management apps. First of all, I think TeamSIK did a great job. They clearly spent significant time and performed an intense and technical analysis of the applications on the Android platform. Both reported issues were quickly resolved and the fixes published.
The issues reported about Keeper (SIK-2016-025 and SIK-2016-026) were not vulnerabilities, but in fact just bugs, which is why they classified them as “medium” risk. I have raised this distinction with TeamSIK, since both issues were “low” risk for the reasons described below:
- Attacker must have physical access to the device and;
- Attacker must bypass the device lock screen or fingerprint and;
- The app must be running in the background in an active state (where the auto-logout timer set by the user hasn’t activated yet) and;
- The device must have a USB cable plugged into a computer and authorized by the device and;
- The user’s two-factor device must be accessible from the same device and;
- The attacker must have access to the user’s email account on the same device.
The foregoing is an extremely unlikely scenario. No customers were affected by this issue and, moreover, no data leakage was ever at risk.
Thank you for staying protected with Keeper.