Sync-supporting password manager with reproducible builds

I have been using Bitwarden on my phone and laptop computer. I just got a Google Pixel and flashed GrapheneOS. It occurred to me that Bitwarden is not in the main F-Droid repository, but its own repo, which presents the following problem that puts the reliability of the app as a password manager in question:

According to my understanding of F-Droid’s security model, application file integrity is principally assured through metadata signing (including hashes and developer keys), which is contingent upon the full reproducibility of builds. There is therefore apparently nothing physically preventing Bitwarden from shipping some malicious version, either on an individual basis or by rolling out back-doored versions to all users. There is no independent authority overseeing the process, unlike for apps in the F-Droid repository.

Is there a password manager that actively focusses on build reproducibility?

Edit: it would also be nice if it’s an app not prone to sync conflicts, unlike Keepass clients via file sync.
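As an added illustration (not part of this thread, and not F-Droid’s own tooling), the script below shows the kind of comparison a reproducible-build check performs: the developer-signed APK and an independently rebuilt, unsigned APK are compared entry by entry after the signature material is set aside, so any difference in shipped code or resources shows up as a digest mismatch. The APK contents, the signature file names under META-INF/, and the tampered build are all constructed sample data; real verification also has to account for APK Signature Scheme v2/v3 signing blocks and use the exact build environment the developer published, which this example assumes away.

```python
import hashlib
import io
import zipfile

# Entries produced by APK signing (scheme v1) and therefore excluded from the
# content comparison. Assumption for this example: signature material lives only
# under META-INF/ with these suffixes.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.endswith(SIGNATURE_SUFFIXES)


def content_digest(apk_bytes: bytes) -> str:
    """SHA-256 over (name, length, bytes) of every non-signature entry, in sorted
    order. Hashing entry contents rather than the raw zip bytes keeps the result
    independent of entry timestamps, ordering and compression details."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if is_signature_entry(name):
                continue
            data = zf.read(name)
            h.update(name.encode())
            h.update(len(data).to_bytes(8, "big"))
            h.update(data)
    return h.hexdigest()


def builds_match(signed_apk: bytes, rebuilt_apk: bytes) -> bool:
    """True when the shipped APK and the independent rebuild carry identical content."""
    return content_digest(signed_apk) == content_digest(rebuilt_apk)


def make_apk(entries: dict) -> bytes:
    """Build a minimal APK-shaped zip in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed sample artifacts: the same app files, signed by the developer,
# rebuilt from source without a signature, and a rebuild whose code differs.
APP_FILES = {
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "resources.arsc": b"\x02\x00\x0c\x00",
}
DEV_SIGNED = make_apk({
    **APP_FILES,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82 developer-cert-placeholder",
})
REBUILT_UNSIGNED = make_apk(APP_FILES)
TAMPERED = make_apk({**APP_FILES, "classes.dex": APP_FILES["classes.dex"] + b"\x90"})


def demo() -> dict:
    return {
        "rebuilt_matches": builds_match(DEV_SIGNED, REBUILT_UNSIGNED),
        "tampered_matches": builds_match(DEV_SIGNED, TAMPERED),
    }


if __name__ == "__main__":
    print(demo())
```

The point the thread is circling is visible in what the check does and does not cover: a matching digest tells you the signed binary was built from the published source, while a malicious change committed to that source would reproduce perfectly and pass.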

Proton Pass seemed promising with their builds being in the F-Droid repo. However, there is less assurance with regard to their browser extension builds.

And apparently those cloud password managers aren’t so secure after all.

Maybe I should surrender convenience in favour of security. It’s not an insurmountable hassle to transfer Keepass databases back-and-forth between the computer and phone.

If you don’t trust the developer, you can’t use the service at all. What is preventing BW from serving you a malicious login page, selling their server data, or even storing it in plaintext? You can’t verify that at all.

Reproducible builds are a way to ensure secure distribution channels, not a sandbox against having to trust the dev. Reproducible builds mean F-Droid and other stores have not added something malicious to it, not the original dev.

Also, F-Droid building stuff does not mean they can save you from anything. Their build system just scans for the most popular issues, but a dedicated dev can easily fool them.

I now use Keepass secured with a password and hardware key, then store the common database file on an encrypted storage online. This prevents sync conflicts, if you are looking for tips, since I just download the file, edit it, then reupload it and delete the original from the storage.

Or you can use a cloud based service like BW or Proton Pass.


Bitwarden and Proton Pass do indeed have end-to-end encryption. So if the builds can be verified, then there should not be much threat beyond flaws arising from a genuine lack of foresight in the apps’ development.

You’re likely right about Keepass databases being the most secure.

Reproducible builds only help verify that the source code corresponds to the build of the app. It does not significantly reduce trust in the developers, whether malicious, incompetent, or otherwise. If you must obtain an app from F-Droid, it is better to get it directly from the developers’ own repo.


Using the CIA (Confidentiality, Integrity, and Availability) triad, the confidentiality and integrity characteristics of cloud and local solutions for all of PG’s recommended password managers should be more or less the same since E2EE is used.

The big difference becomes availability since local solutions do not handle backups, merging, and version control as well (if at all) as cloud-based solutions. Therefore, for most people, cloud-based offerings probably make the most sense.