KeePass Recommendation for Android

I was just wondering if there were any specific reasons for recommending KeePassDX and not Keepass2Android?

The main difference that stands out to me is that Keepass2Android supports copying your database’s key file to its “app-specific storage”, which prevents other apps from accessing it, whereas KeePassDX does not support this, nor do they intend to, with the plan of leaving this feature to a third-party app (which does not exist AFAIK, or a secondary app which they appear to have abandoned).

As it stands now, if I were to use KeePassDX, I have to keep my database key on my shared storage, so any app with storage permissions is able to read it.

edit because this post was flagged as spam: I am not trying to promote one app over the other, just wanted to discuss the technical merits since I consider the mentioned feature to have a significant impact on security, as having a key file significantly reduces the required complexity of your password, and having a key file stored with your database negates the benefit of having one if an attacker with the capability to access your database can also grab your key file with the same capabilities.
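The post’s point about the key file is easiest to see with the attacker’s arithmetic written out. The following is an added example, not code from KeePassDX, Keepass2Android or KeePass; the composite-key construction is modelled on the KDBX 2.x scheme as this example’s author understands it (an assumption: password → SHA-256; key file → 32 raw bytes, 64 hex characters, or SHA-256 of the contents; then SHA-256 of the concatenation), and the `vault` check value stands in for the real key derivation and decryption, which are not modelled. The PIN and key file are constructed sample data.

```python
"""Why a KeePass key file only helps when it is kept away from the database.

Added example; not code from KeePassDX, Keepass2Android or KeePass itself.
The composite-key construction is modelled on the KDBX 2.x scheme as this
example's author understands it (assumption: password -> SHA-256; key file
-> 32 raw bytes, 64 hex characters, or SHA-256 of the contents; then SHA-256
of the concatenation). The `vault` check value stands in for the real key
derivation and decryption, which are not modelled.
"""
import hashlib
import itertools
import os
import string
from typing import Optional, Tuple


def password_key(password: str) -> bytes:
    """Key material contributed by the master password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def keyfile_key(data: bytes) -> bytes:
    """Key material contributed by a key file (assumed KeePass-style rules)."""
    if len(data) == 32:                      # raw 32-byte key file
        return data
    if len(data) == 64:                      # 64 hex characters
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(data).digest()     # any other file: hash its contents


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated key parts; either part may be absent."""
    material = b""
    if password is not None:
        material += password_key(password)
    if keyfile is not None:
        material += keyfile_key(keyfile)
    return hashlib.sha256(material).digest()


def make_vault(password: str, keyfile: Optional[bytes]) -> bytes:
    """Stand-in for what an offline attacker holding the .kdbx can test guesses against."""
    return hashlib.sha256(b"vault-check|" + composite_key(password, keyfile)).digest()


def unlocks(vault: bytes, password: str, keyfile: Optional[bytes]) -> bool:
    return make_vault(password, keyfile) == vault


def pin_candidates():
    """Attacker wordlist: every 4-digit PIN, the kind of weak secret a key file tempts you into."""
    return ("".join(d) for d in itertools.product(string.digits, repeat=4))


def crack_with_keyfile(vault: bytes, keyfile: bytes) -> Optional[Tuple[str, int]]:
    """Attacker grabbed the key file next to the database: only the PIN is left to guess."""
    for attempts, pin in enumerate(pin_candidates(), start=1):
        if unlocks(vault, pin, keyfile):
            return pin, attempts
    return None


def crack_without_keyfile(vault: bytes, budget: int) -> Optional[str]:
    """Attacker has the database only: each PIN must be paired with the right
    256 bits of key-file material, so random guesses get nowhere."""
    pins = list(pin_candidates())
    for i in range(budget):
        pin = pins[i % len(pins)]
        if unlocks(vault, pin, os.urandom(32)):
            return pin
    return None


# Constructed sample data: a deliberately weak PIN and a fixed 32-byte key file.
SAMPLE_PIN = "4921"
SAMPLE_KEYFILE = bytes(range(32))

if __name__ == "__main__":
    vault = make_vault(SAMPLE_PIN, SAMPLE_KEYFILE)
    print("key file alongside database:", crack_with_keyfile(vault, SAMPLE_KEYFILE))
    print("key file isolated (10k guesses):", crack_without_keyfile(vault, 10_000))
```

With the key file in hand the attacker is through in at most 10,000 tries; without it, every one of those PINs has to be paired with the right 32 bytes of key-file material, which is why the key file, not the database, is the thing worth isolating from other apps.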

I think that the developer’s explanation here provides valid reasoning behind the decision:

I don’t think that the idea of developing FileSync has been abandoned. I think it’s a matter of time and prioritizing work that actually pays the bills.

I think that KeePassDX being an editor and sticking to what it does best is a solid strategy for the app, and I don’t see the reason for changing the recommendation to KeePass2Android (last updated on the Play Store on Jan 12, 2022), which, at least for the network-enabled version, requests a lot of seemingly weird/unnecessary permissions:

I haven’t been able to find a reason for why a password manager app would require access to one’s contacts or why it would declare the phone permission. There might be a valid reason for both, but I’d much rather go with the app that requests the least.

Now, of course, there’s the “nonet” version of KeePass2Android which doesn’t request as many permissions. The issue is that it’s currently not even installable (at least not from GitHub releases). I tried it and was able to confirm the following:

The “nonet” version of the app, which was last updated on the Play Store on Apr 17, 2021, requests these permissions:

Better, but does it really need all of these storage permissions? It’s unclear to me whether it could forgo those and instead use SAF like KeePassDX does.

The network-enabled version targets SDK 30, which according to Play Store policies (unless something’s changed) means that no update can be published to the Play Store unless the SDK is bumped up to at least 31.

The “nonet” version currently targets SDK 29, meaning that it currently also cannot push an update to the Play Store without bumping that app’s targetSdk to at least 31.

Contrast that with KeePassDX’s active, yet deliberate, development and its much more minimal (and thus more maintainable) approach, and I think it’s by far the better choice; I would encourage you to pick it over other alternatives.

With all of that said, I understand why you may not want to have your KeePass database “exposed” to other apps to which you’ve given storage permissions, regarding which I have a few thoughts:

  1. If you use GrapheneOS, I recommend taking advantage of the Storage Scopes feature to choose which directories apps have access to even if they request broad storage permissions.
  2. If you don’t, you can use an app that the developer of KeePassDX mentioned in their reply that I linked above: GitHub - 2bllw8/anemo: Local private storage for Android (To be clear, I have not looked into and don’t necessarily endorse this app, but it’s a starting point for your research).
  3. And lastly, although I understand this is not always possible, you should only grant permissions that provide access to your data to apps you trust.

I hope this helps!

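The permission and targetSdk checks in the reply above can be automated over the output of `aapt dump badging <apk>`. The following is an added example, not code from either app or from the poster; it assumes the line shapes aapt prints (`targetSdkVersion:'30'`, `uses-permission: name='…'`), the sample output and package name are constructed for the demo rather than a dump of Keepass2Android, the "sensitive" permission list is this example’s own choice, and the Play Store target-SDK floor is a parameter because it changes over time.

```python
"""Audit an APK's requested permissions and targetSdkVersion from
`aapt dump badging` output.

Added example, not code from either app or from the forum post. Parsing
assumes the line shapes aapt prints; the sample below is constructed and
uses a placeholder package name. The target-SDK floor is a parameter.
"""
import re
from typing import Dict, List, Optional

# Permissions a password manager would usually have no need for. This list is
# the example author's choice, not a policy quoted from the thread.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}

_TARGET_RE = re.compile(r"^targetSdkVersion:'(\d+)'")
_PERM_RE = re.compile(r"^uses-permission: name='([^']+)'")


def parse_badging(text: str) -> Dict[str, object]:
    """Pull targetSdkVersion and the uses-permission names out of badging output."""
    target: Optional[int] = None
    perms: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        m = _TARGET_RE.match(line)
        if m:
            target = int(m.group(1))
            continue
        m = _PERM_RE.match(line)
        if m:
            perms.append(m.group(1))
    return {"target_sdk": target, "permissions": perms}


def audit(text: str, min_target_sdk: int) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    info = parse_badging(text)
    findings: List[str] = []
    target = info["target_sdk"]
    if target is None:
        findings.append("no targetSdkVersion declared")
    elif target < min_target_sdk:
        findings.append(
            f"targetSdkVersion {target} is below the required {min_target_sdk}; "
            "no update can be published until it is raised"
        )
    for perm in info["permissions"]:
        if perm in SENSITIVE:
            findings.append(
                f"requests {perm}: justify it or drop it "
                "(a SAF-based app needs no broad storage permission)"
            )
    return findings


# Constructed sample: what `aapt dump badging` prints for a hypothetical app.
SAMPLE_BADGING = """\
package: name='com.example.pwmanager' versionCode='100' versionName='1.0'
sdkVersion:'21'
targetSdkVersion:'30'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_BADGING, min_target_sdk=31):
        print("-", finding)
```

To run it against a real build, capture `aapt dump badging app.apk` to a string and pass it to `audit` with whatever target-SDK floor the Play Store currently enforces; the findings are the same list the reply above assembled by hand.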

The dev explains them all here and the justifications make sense, although they may be able to update them to finer-grained permissions now, but I haven’t kept up with Android development in recent years (it’s in docs/Privacy-Policy.md in their GitHub repo; for some reason I cannot post links to GitHub anymore).

I’ve been using keepass2android for nearly a decade, although I do admit it is starting to show its age; KeePassDX is under more active development and has a more polished interface and smoother interactions. I was merely curious if there were any other technical merits I may have missed.

To be more specific, I don’t care if my database is exposed at all; I need to sync it and back it up, after all. It is the key file I use to unlock it (combined with the password) which I want to keep isolated from everything else.

This sounds like a neat feature, however I stopped using custom roms ages ago, and prefer the simplicity and security of stock android on my pixel phone, privacy from Google is of low priority for me personally.

Thanks! This is exactly the type of app I’ve been looking for, and may consider looking into it at some point if I have time, depending on how the development of both apps continues.