Proton Pass password manager apps released as open source
Proton announced today that its password manager Proton Pass is now open source and that the apps have been audited for security.
Proton announced its password manager Proton Pass in April 2023 and released the first stable version of it at the end of June 2023.
Son Nguyen, the founder of SimpleLogin, which Proton acquired some time ago, has been working on Proton Pass since the acquisition. Nguyen notes that the open source release of all Proton Pass applications gives all users and third-parties the opportunity to analyze the code.
He writes: "Given the sensitive information you protect with your password manager, it’s crucial that you know exactly what’s happening inside it. Because Proton Pass is open source, anyone can inspect our code and ensure that the apps work as described."
The source code of the Android and iOS applications, as well as the source code of all official Proton Pass browser extensions is now available.
Interested developers and users can find the Proton Pass source code repositories here:
Independent Security Audit of Proton Pass
At the same time, Proton announced that it has asked Cure53, a German company known for security audits, to audit the Proton Pass applications independently. The audit covered all Proton Pass applications, the Proton Pass browser extensions, and the Proton API.
Proton published the Cure53 Proton Pass report here. This was the first audit of Proton Pass, and Cure53 notes that it did not detect many issues. The researchers did find one security issue, which they rated high, that could result in a "potential leakage of user-credentials".
Proton addressed all but one of the issues mentioned in the report. The remaining issue can't be resolved at this time according to Proton, as it stems from a "platform limitation in Android".
Cure53 posted the following conclusion: "Cure53 can conclude that the Proton Pass apps and components leave a rather positive impression in terms of security. Even though there are multiple areas, which require some more attention and work, it is hoped that fixing all ten issues spotted during this May-June 2023 project will elevate the already existing resilience against a multitude of severe attacks and threats."
Closing Words
Proton addressed the security issues swiftly, except for the platform-specific issue that it says can't be fixed at this time. The release of the password manager's applications and extensions as open source and the first security audit should strengthen trust in the solution further.
Proton Pass is a cloud-based password manager that utilizes Proton's infrastructure.
Now You: what is your favorite password manager currently?
Keeper Security is my favorite but Proton is a close second.
The last standing issue can’t be resolved at this time according to Proton. The problem is Google.
Google is not always the villain. All I saw in the report mentioning Google Chrome was when the vault is locked using a PIN:
“Steps to reproduce:
1. Ensure Google Chrome is used and the Proton Pass extension is installed.
2. Add PIN lock in the settings and lock the extension.
3. Go to chrome://extensions/ and open Devtools of the service worker.
4. Click on the Memory tab on the appearing DevTools window.
5. Click on Take snapshot.
6. Press CTRL+F and type any username or password stored in the Proton Pass extension after the snapshot has been created.
7. Observe that the password is identifiable in the memory.
To mitigate this vulnerability, one should ensure that the Proton Pass extension is closed after the lock, so that the memory is sufficiently cleared”
In other words, there is an issue but it is negated if the Proton extension is closed after the lock. To me, that seems to be totally avoidable. Use a passphrase, not a PIN.
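The reproduction steps quoted above come down to one thing: after the vault is locked, plaintext credentials are still reachable from the extension's service worker, so a heap snapshot still contains them. The following JavaScript is an added illustration of the defensive side of that finding; it is not Proton Pass code, and the class and function names (FlagLockVault, WipingVault, retainsSecret) are hypothetical. It contrasts a lock that only flips a flag with one that zero-fills credential buffers and drops the references, and uses a simple reachability walk over the vault object as a stand-in for the auditor's heap-snapshot search.

```javascript
// Added example, not Proton Pass code. Sample credentials below are constructed.
const encoder = new TextEncoder();
const decoder = new TextDecoder();

// Naive lock: only a flag changes. The plaintext strings remain reachable
// from the vault object, so a memory snapshot taken after lock() still
// contains every username and password.
class FlagLockVault {
  constructor(entries) {
    this.entries = entries; // array of { username, password } as strings
    this.locked = false;
  }
  lock() { this.locked = true; }
  unlock() { this.locked = false; }
  get(i) {
    if (this.locked) throw new Error("vault is locked");
    return this.entries[i];
  }
}

// Wiping lock: credentials are held as Uint8Array buffers, which can be
// overwritten in place. lock() zero-fills every buffer and drops the
// references. JavaScript strings are immutable and cannot be wiped, so the
// decoded string is only materialised on get() and never stored.
class WipingVault {
  constructor(entries) {
    this.buffers = entries.map(e => ({
      username: encoder.encode(e.username),
      password: encoder.encode(e.password),
    }));
    this.locked = false;
  }
  lock() {
    for (const b of this.buffers) {
      b.username.fill(0);
      b.password.fill(0);
    }
    this.buffers = [];
    this.locked = true;
  }
  get(i) {
    if (this.locked) throw new Error("vault is locked");
    const b = this.buffers[i];
    return { username: decoder.decode(b.username), password: decoder.decode(b.password) };
  }
}

// Byte-level substring search, used to find UTF-8 encoded secrets in buffers.
function containsBytes(hay, needle) {
  outer: for (let i = 0; i + needle.length <= hay.length; i++) {
    for (let j = 0; j < needle.length; j++) {
      if (hay[i + j] !== needle[j]) continue outer;
    }
    return true;
  }
  return false;
}

// Stand-in for the heap-snapshot CTRL+F: walk every value still reachable
// from `root` and report whether `secret` appears, as a string or as bytes.
function retainsSecret(root, secret) {
  const needle = encoder.encode(secret);
  const seen = new Set();
  const stack = [root];
  while (stack.length) {
    const v = stack.pop();
    if (typeof v === "string") {
      if (v.includes(secret)) return true;
      continue;
    }
    if (v === null || typeof v !== "object" || seen.has(v)) continue;
    seen.add(v);
    if (v instanceof Uint8Array) {
      if (containsBytes(v, needle)) return true;
      continue;
    }
    for (const key of Object.keys(v)) stack.push(v[key]);
  }
  return false;
}

// Lock both vaults holding the same constructed credential and compare what
// is still reachable afterwards.
function demo() {
  const sample = [{ username: "alice@example.com", password: "correct-horse-battery" }];
  const naive = new FlagLockVault(sample.map(e => ({ ...e })));
  const wiping = new WipingVault(sample);
  naive.lock();
  wiping.lock();
  return {
    naiveRetains: retainsSecret(naive, "correct-horse-battery"),   // true
    wipingRetains: retainsSecret(wiping, "correct-horse-battery"), // false
  };
}
```

Zero-filling is best effort: the engine may hold transient copies (the strings produced by `decoder.decode`, garbage not yet collected), which is why the auditor's advice to close the extension after locking remains the complete remedy. What the wiping design buys is that a lock no longer leaves the canonical copy of every credential sitting in the service worker indefinitely.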
You are correct about Proton’s fine reputation, but at the moment their password manager is extremely rudimentary and certain functions can only be accomplished with an extension in a desktop browser. Not ideal for many people who use mainly mobile devices.
I like Bitwarden, but “Proton Pass apps and components leave a rather positive impression in terms of security.”
Whether to change?
Hmmm . . .