I have been using Bitwarden on my phone and laptop computer. I just got a Google Pixel and flashed GrapheneOS. It occurred to me that Bitwarden is not in the main F-Droid repository, but its own repo, which presents the following problem that puts the reliability of the app as a password manager in question:
According to my understanding of F-Droid’s security model, application file integrity is principally assured through metadata signing (including hashes and developer keys) being contingent upon the full reproducibility of builds. There is therefore apparently nothing physically preventing Bitwarden from shipping some malicious version, either on an individual basis or rolling out back-doored versions to all users. There is no independent authority overseeing the process, unlike for apps in the F-Droid repository.
Is there a password manager that actively focusses on build reproducibility?
Edit: would also be nice if it’s an app not prone to sync conflicts - unlike Keepass clients via file sync.
Proton Pass seemed promising with their builds being in the F-Droid repo. However, there is less assurance with regard to their browser extension builds.
And apparently those cloud password managers aren’t so secure after all.
Maybe I should surrender convenience in favour of security. It’s not an insurmountable hassle to transfer Keepass databases back and forth between the computer and phone.
Bitwarden and Proton Pass do indeed have end-to-end encryption. So if the builds can be verified, then there should not be much threat beyond flaws arising from a genuine lack of foresight in the apps’ development.
You’re likely right about Keepass databases being the most secure.
Reproducible builds only help verify that the source code corresponds to the build of the app. It does not significantly reduce trust in the developers, whether malicious, incompetent, or otherwise. If you must obtain an app from F-Droid, it is better to get it directly from the developers’ own repo.
The big difference becomes availability since local solutions do not handle backups, merging, and version control as well (if at all) as cloud-based solutions. Therefore, for most people, cloud-based offerings probably make the most sense.
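As an added illustration of the reproducible-build check discussed above (not code from this thread, nor F-Droid's own verification tooling): a rebuilt APK is expected to match the developer-published one in every member except the signature files under META-INF/, so a simplified verifier compares the content hashes of all other members and flags any that differ. The APKs below are constructed in memory as sample data; they are not real apps.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signature members are the one place a developer-signed APK and an
# independently rebuilt, differently signed APK are expected to differ.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_member(name: str) -> bool:
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes: bytes) -> dict:
    """Map every non-signature member to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_member(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(published_apk: bytes, rebuilt_apk: bytes) -> dict:
    """Return {member: (published_sha256, rebuilt_sha256)} for every mismatch.

    A missing member shows up as None on the side that lacks it; an empty
    dict means the rebuilt APK reproduces the published one (signatures aside)."""
    a, b = content_digests(published_apk), content_digests(rebuilt_apk)
    return {n: (a.get(n), b.get(n)) for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)}


def make_apk(members: dict) -> bytes:
    """Build a constructed, minimal APK-like zip in memory (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: identical app content signed by two parties, plus one
# whose code was altered after the source was published.
DEX = b"dex\n035\x00constructed-classes.dex"
MANIFEST = b"<manifest package='example.app'/>"
PUBLISHED = make_apk({"classes.dex": DEX, "AndroidManifest.xml": MANIFEST,
                      "META-INF/DEV.RSA": b"developer-signature", "META-INF/DEV.SF": b"sf"})
REBUILT = make_apk({"classes.dex": DEX, "AndroidManifest.xml": MANIFEST,
                    "META-INF/FDROID.RSA": b"fdroid-signature", "META-INF/FDROID.SF": b"sf2"})
TAMPERED = make_apk({"classes.dex": DEX + b"extra", "AndroidManifest.xml": MANIFEST,
                     "META-INF/DEV.RSA": b"developer-signature"})

if __name__ == "__main__":
    print("published vs rebuilt:", compare_builds(PUBLISHED, REBUILT))    # {}
    print("published vs tampered:", compare_builds(PUBLISHED, TAMPERED))  # classes.dex differs
```

A real reproducibility check also compares the signature-stripped archives byte for byte and verifies the signer certificate; this example only shows the content comparison that distinguishes "same source, different signer" from "altered code".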