Keepass2Android Review

Keepass2Android (K2A) is an open-source port of the excellent KeePass password manager for Windows to the Android platform.

Our Score: 4 / 5
Free option: Available

Advantages

There are a number of KeePass ports for Android. Most of these are open source and can open and manipulate regular KeePass database files. I use K2A because:

  1. It has much better Android integration than other KeePass ports, or indeed than most commercial products we have reviewed.
  2. It does not rely on Android's insecure clipboard to transfer credentials. Both of these advantages stem from K2A's custom keyboard feature (see below).

Disadvantages

The main downside of K2A is that it is only available via the Google Play Store, and is therefore updated via Google Play Services. This means that, in theory, Google could slip malicious code into an update at any time.

We are comfortable with the trade-off between this risk and the advantages listed above. For anyone who is wary of Google, I recommend using either KeePassDX or KeePassDroid instead.

Both of these apps are available from F-Droid and mitigate the clipboard problem with a clipboard timeout. This is not as secure as K2A's keyboard solution, but it does limit the window in which a copied credential is exposed.

The K2A Keyboard

Most Android password managers (including most KeePass ports) work using Android’s built-in clipboard function. This allows you to copy and paste usernames and passwords from an opened KeePass database to the app or webpage where they are needed.

“Many [password] apps completely ignore the problem of clipboard sniffing, meaning that there is no cleanup of the clipboard after credentials have been copied into it. [...] We found that, for example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using 'hidden phishing' attacks.”

K2A solves this problem by providing its own keyboard. This can directly access the KeePass database and enter usernames and passwords into forms without the need to store data on Android’s clipboard. 

The keyboard is also good for Android integration, as it works with all apps. There is no need for any form of custom integration or browser add-on. It can be installed alongside other keyboards and swapped in and out with them at will.

We find the K2A keyboard a little basic for day-to-day use as an Android keyboard. It has no text prediction, personalized auto-correct, or swipe input, for example.

Keepass keyboard 

But this is not necessarily a bad thing. These features can be a serious privacy risk. The K2A keyboard, on the other hand, is completely self-contained and sends no information to anyone.

However, we are comfortable sacrificing a little privacy for convenience, and therefore only use the K2A keyboard for entering passwords. Sorry, but I am just lazy! For the seriously privacy-conscious, however, the K2A keyboard would make a great daily driver.

Cloud Syncing KeePass Files

It is easy to securely sync passwords across devices using any cloud service. This includes the likes of Dropbox and Google Drive. Before you object, I am well aware that services such as this are a privacy nightmare. The thing is, though, that it doesn’t matter.

Each .kdbx file is encrypted by you with well-established cryptography. By default, K2A uses AES-256 encryption with SHA-256-based integrity checking (HMAC-SHA-256 in the KDBX 4 format). This is very secure; alternative ciphers (ChaCha20 and Twofish) are also available.

The only way to access the file is with a master password that should be known only to you. So pick a good one! There is also the option to further improve security by requiring that a key file (created by you) be present when opening the .kdbx file.

In other words, provided the master password is strong (and any key file is not stored alongside the database), no one is going to open a properly secured .kdbx file, no matter how publicly it is stored.

The truly paranoid, however, can store a .kdbx file locally on their Android devices and manually synchronize it with .kdbx files stored on other devices using a USB cable or suchlike. If you do not plan on using K2A's online syncing features, you can install the offline-only Keepass2Android Offline instead.

Passwords are synced online whenever you save changes to the database. This is because all your KeePass programs on all your devices access the same .kdbx file.

Using K2A

Setting up and opening a K2A database

Please note that K2A's security policy no longer permits screenshots to be taken of open databases. In order to illustrate how KeePass2Android works, I have therefore used some screenshots from Google Play Store.

Install Keepass2Android Password Safe from the Google Play store. The only required privileges are:

  • SD Card access
  • Internet access (install K2A Offline if you don't want to grant this privilege)
  • Vibrate

When you first open K2A you have the option to either open an existing KeePass database (.kdbx file) or create a new one.

Keepass2android file

If opening an existing .kdbx file, KeePass2Android supports a wide selection of popular cloud services, plus various self-hosting solutions (including local storage). Simply sign in to your chosen service or personal solution if necessary, and browse to your stored .kdbx file.

Link Keepass2Android with third party apps

Alternatively, you can create a new KeePass database. By default, this uses AES-256 encryption, but you can change this to ChaCha20 or Twofish. The default key derivation function is AES-KDF with 500,000 key transformation rounds; it can be changed to Argon2 if you prefer.

You can also create a key file to improve security. This file must be present for the database to be opened. It should not be stored online, and certainly not in the same cloud folder as the database, since an attacker who obtains both is back to needing only the password. Instead, store copies of it locally on any device you want to open the .kdbx file with (or, for the really paranoid, carry a single copy of it around with you on a USB stick or suchlike).
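To make the key-file and master-password mechanics concrete, here is an added Python illustration (not code from K2A or KeePass) that writes a KeePass 2.x key file in the XML 2.0 layout, checks it against its embedded hash, and combines it with a master password into the composite key that KeePass 2.x feeds into AES-KDF or Argon2. The sample password and the fixed key bytes in `demo()` are constructed for the example; a real key file should use random bytes, as `create_keyfile_xml` does by default. The AES-KDF/Argon2 transformation itself is not shown, as it needs a cryptography library.

```python
"""KeePass 2.x key files and composite keys, illustrated in pure Python.

Added example: writes a KeePass 2.x XML key file (format version 2.0),
verifies it against its embedded hash, and derives the composite key
that KeePass (and K2A) hand to the key-derivation function.
"""
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple


def create_keyfile_xml(key: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (xml_text, key_bytes) for a version-2.0 KeePass key file.

    The key is 32 random bytes unless one is supplied.  The Hash attribute
    is the first 4 bytes of SHA-256(key) in hex, so a reader can detect a
    damaged file instead of silently deriving the wrong key.
    """
    if key is None:
        key = secrets.token_bytes(32)
    if len(key) != 32:
        raise ValueError("key file data must be exactly 32 bytes")
    check = hashlib.sha256(key).digest()[:4].hex().upper()
    hexkey = key.hex().upper()
    # KeePass writes the hex in 8-character groups, four groups per line.
    groups = [hexkey[i:i + 8] for i in range(0, 64, 8)]
    lines = ["\t\t\t" + " ".join(groups[i:i + 4]) for i in range(0, 8, 4)]
    xml_text = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<KeyFile>\n"
        "\t<Meta>\n\t\t<Version>2.0</Version>\n\t</Meta>\n"
        "\t<Key>\n"
        f'\t\t<Data Hash="{check}">\n' + "\n".join(lines) + "\n\t\t</Data>\n"
        "\t</Key>\n"
        "</KeyFile>\n"
    )
    return xml_text, key


def load_keyfile(xml_text: str) -> bytes:
    """Parse a version-2.0 key file and return its 32-byte key.

    Raises ValueError if the file is malformed or its hash check fails.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "KeyFile" or root.findtext("Meta/Version") != "2.0":
        raise ValueError("not a version-2.0 KeePass key file")
    data = root.find("Key/Data")
    if data is None:
        raise ValueError("key file has no Key/Data element")
    key = bytes.fromhex(re.sub(r"\s+", "", data.text or ""))
    if len(key) != 32:
        raise ValueError("key data is not 32 bytes")
    expected = data.get("Hash")
    if expected:
        actual = hashlib.sha256(key).digest()[:4].hex().upper()
        if actual != expected.upper():
            raise ValueError("key file hash mismatch: file is corrupted")
    return key


def composite_key(password: Optional[str], keyfile_key: Optional[bytes]) -> bytes:
    """Combine the master password and key file the way KeePass 2.x does.

    Each component is reduced to 32 bytes (the password via SHA-256 of its
    UTF-8 bytes; a key file's 32-byte key is used as-is), the pieces are
    concatenated in that order, and the result is hashed once more.  This
    composite key is the input to AES-KDF or Argon2 (not shown here).
    """
    if password is None and keyfile_key is None:
        raise ValueError("at least one key component is required")
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile_key is not None:
        parts += keyfile_key
    return hashlib.sha256(parts).digest()


def demo() -> Dict[str, object]:
    """Round-trip a fixed key file, detect corruption, and derive keys."""
    fixed_key = bytes(range(32))  # constructed for the demo, not a real key
    xml_text, _ = create_keyfile_xml(fixed_key)
    roundtrip_ok = load_keyfile(xml_text) == fixed_key

    # Damage one hex digit of the key data; the embedded hash must catch it.
    damaged = xml_text.replace("00010203", "FF010203", 1)
    try:
        load_keyfile(damaged)
        corruption_detected = False
    except ValueError:
        corruption_detected = True

    password = "correct horse battery staple"  # constructed sample password
    return {
        "roundtrip_ok": roundtrip_ok,
        "corruption_detected": corruption_detected,
        "password_only": composite_key(password, None).hex(),
        "password_and_keyfile": composite_key(password, fixed_key).hex(),
    }


if __name__ == "__main__":
    print(demo())
```

The storage lesson falls out of `composite_key`: with a key file, an attacker needs both the 32 bytes in the file and the master password, so a key file kept in the same cloud folder as the .kdbx contributes nothing. The hash check in `load_keyfile` is why a damaged key file is reported rather than quietly producing a key that will never open the database.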

For more information on creating a KeePass database, please see my full KeePass Review.

keepass2android master password

Once a .kdbx file has been located or created, you can open it in one of three ways:

  1. Password unlock – simply enter the full password or passphrase you created when setting up the database.
  2. Quick unlock (optional) – if a database has already been opened using its full password/passphrase, then it can be quickly reopened using just the last few characters of the password/passphrase (three by default). This is, of course, not as secure as using the full password each time, but it is very convenient.
  3. Fingerprint unlock (optional) – if your device has a fingerprint scanner, then you can use it to unlock a .kdbx file. This replaces the need to enter either the full password or the Quick unlock password.

In all cases, the key file must be present if the .kdbx database requires one.

The database

Passwords can be organized into groups.

Keepass2Android demo data base screenshot

You can create new entries, and inspect or edit the details of existing ones.

Keepass2Android sample entry

Android Integration

You can copy and paste usernames and passwords from the database, but as discussed earlier, this is not very secure. The problem is mitigated by a clipboard timeout (5 minutes by default, but this can be changed), but it is also rather cumbersome.

Where KeePass2Android is miles ahead of its rivals, however, is in its Android integration. 

The Android Autofill Service

As of Android 8.0 Oreo, K2A can integrate with the Android Autofill Service. In theory, this automatically offers to fill in usernames and passwords wherever you encounter them on your device, whether in your browser or in apps.

Using Keepass2Android with autofill

In practice, support remains a little patchy at this time. Google Chrome, for example, which offers its own password manager, stubbornly refuses to play the game. The feature works flawlessly in many apps, however, and I have found it a godsend when signing into accounts using the Firefox for Android browser.

When it works (which is most of the time and is particularly useful in Firefox) the Android Autofill Service makes using K2A ridiculously easy. 

Keyboard Input

For users of older devices and for when apps won't adopt the Android Autofill Service, the main way K2A integrates with Android is via its keyboard. This is installed alongside the main app, and can be hot-swapped with your regular keyboard if desired. It is the most secure way to input credentials and is fairly convenient. It also works with any password field in any app.

On my Samsung phone it is dead easy to switch between keyboards once they have been installed.

Keepass2Android change keyboard

To enter usernames and passwords into any web page or Android app, select the keyboard's special KeePass icon. This brings up the option to select an entry from your KeePass database or let K2A try to search for the correct one for you.

I must admit that I find the search function to be very hit and miss, so I usually just opt to select an entry myself. If the .kdbx database is not already open, then you will need to open it using one of the methods outlined above.

Keepass2Android user log in

Once the correct entry is found or selected, K2A enters autofill mode. Simply select the correct entry field and choose either User or Password and the keyboard will enter the information. Easy!

 ProtonMail login screen

You can switch back to the conventional keyboard by touching the ABC button. 

Browser integration

As already noted, K2A is insanely easy to use on newer phones in browsers which support the Android Autofill Service. Even without this, however, it works quite smoothly in any browser.

On a web page with a login, simply use your browser’s Share feature to share with K2A. 

KeePass2Android browser integration

Unlock your KeePass database, and K2A should already have found the correct entry or entries. I find searching for entries in this way to be more effective than using the keyboard search function.

You still need to use K2A keyboard in autofill mode to enter the details unless you have the KeyboardSwap for K2A plugin installed and correctly configured.

Conclusion

Thanks to its open-source, end-to-end encrypted nature, KeePass is the only password manager I really recommend*. KeePass2Android is a great port of it. It is fully compatible with regular KeePass 2.x database files, syncs across devices seamlessly, and integrates far better with Android than any other KeePass port I have tried.

Its reliance on Google Play Services is a drawback, and it would be great to see an F-Droid version of the app. In my view, however, this issue is compensated for by the extra security afforded by the dedicated keyboard input method.

*Since writing this review I also recommend the open-source Bitwarden password manager. 

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

13 Comments

Brad
on May 25, 2022
Reply
A very well done article. Helpful, informative, thorough. I look forward to seeing more from you.
To y
on April 5, 2022
Reply
Can you explain why the title used for the search engines adds in that it's a 2022 review when in fact this is 2 yrs old, i.e. 2020? There are also some issues with your review of the use directions, such as the keyboard for actually using it to type in text. That was not its point. It's there to use the icon to fill text fields. Yes, you can of course use it to type, but it is not the main use and it certainly was never meant to be the default keyboard to use for Android. The correct use is as follows: When you are in a text field, you can use the Android icon in the notification bar to switch to the KP2A keyboard. Hit the KP2A key (padlock icon) to select an icon. After it's selected, hit the KP2A key again to enter the desired field. You never actually use the keyboard to enter text, except possibly entering text in profiles in KP2A. Further, on the autofill native function for use in achieve and Chrome-based browsers there is a plug-in. Just go to plug-ins in the KP2A settings > plug-ins, scroll to the autofill plug-ins and follow the instructions to install. Further, there is a workflow for websites without autofill functionality. On the KP2A keyboard press the KP2A icon key and the kb tray will open. Just choose the field names in the tray you want it to fill on the webpage. You can also choose the share button in the browser toolbar, then choose the KP2A app icon and the same tray will open. The above is not needed if you install the autofill plug-ins but still is yet another way, again without ever using C&P or the actual qwerty keyboard. As to your recommendation to use Bitwarden: while yes, it's open source, it's also a server-hosted, browser-integrated PWM by a for-profit company. Yes, you can technically self-host the server backend but that's not exactly easy. Further, by far the largest issue is that it has master password recovery. That means the Bitwarden company, through the server backend, has access to your master password. This is the same as LastPass, one of the security flaws.
For any password manager or any other encryption, the login decryption passcode should only be found in your memory or somewhere only you control. In the case of Bitwarden and LastPass the companies have access and the password absolutely sits on the server, as you can send a recovery email and they will send it to you. You can also get it with a hint. These are both serious security flaws passed off as features. If you can get those, do you not think LE or hackers cannot get them? The hint system caused the hijacking of more email accounts than any other single bug or feature. Your passcode on any encryption software should never reside in the software where it can be retrieved. KP2A and KeePass2 are all cross-compatible and cover all use cases, are open source and have no complicated server backends. They offer countless plugins and your password is not stored in any form anywhere in the software. Password managers are THE ULTIMATE gatekeepers. They must offer the absolute highest security. The password should only ever be in your direct control and never in the software. Ideally it should be only committed to memory. People can recall entire song lyrics, memorize countless phone numbers, recall hundreds of stats to gamble in fantasy sports. Even a 20-30 character passcode should be simple if someone actually cares about their electronic security, given it can hold the access to, well, everything. Not to mention you have the option of a shorter passcode with a key file and YubiKey with top function.
Imprescindibles replied to To y
on September 22, 2022
Reply
TOY I love you. > Can you explain why the title used for the search engines adds in that it's a 2022 review when in fact this is 2 yrs old i.e, 2020?  ... You killed it. (Meaning... your information reminded me of research I did years ago on why I chose KeePass... and... I'll leave it at that for now.) You made me smile. Three times now. My Gratitude and Respect.
Sven
on August 24, 2020
Reply
Hi there, yes, Windows and iOS are indeed a nightmare regarding security and trust. Now, putting handcuffs on Android is as lovely as can be. You might want to have a look at NetGuard, of course open source, and available in F-Droid. Bloatware, hidden system apps, all under control. Blacklisted. Personally, I use the whitelist method.
Danish
on May 9, 2020
Reply
Got all the info I came for. Thanks.