Sharing passwords between PC & phone via a QR code app - is this safe?

gk7ncklxlts99w1

I use an app called Decoder to generate QR codes from text to share passwords from my PC to my phone.

The app in question is installed through flatpak, and using Flatseal I control the permissions further. Though the defaults are good enough. It has no network access but it has access to IPC and Wayland.

Are there any glaring security issues with doing this?

My understanding would be that, as long as flatpak's sandboxing works and flatseals permissions are in place, and the app isn't malicious, it should be fine. On the mobile end of things, I use GrapheneOS's default camera app using the QR code function. I have no reason to believe anything is saved on my phone once I close the camera app.

nandohyphen1

gk7ncklxlts99w1 I think it would be OK. This is actually a really neat idea - and something I didn't think about for easily sharing passwords.

gk7ncklxlts99w1

nandohyphen1

Oh it's super convenient. My only problem is making it go the other way. My only camera is a GoPro, it's quite old, and didn't really work, the camera was flipped so the QR code didn't work. I think it's an issue with the Decoder app. And strangely there aren't any QR code apps for Linux that I could find that aren't shit.

Also I feel like it's the most secure way to transfer passwords. It's ephemeral as far as I know. It's not like putting passwords in some cloud note taking app, which leaves a trace.

mmobder

nandohyphen1 I recommend "QR Share" for cloudless text info sharing (avail on f-droid, hasn't yet verified it for small binary), source/target device don't have to "see" each other via radio (no bt, no wifi)
I assume it may be combined with OpenKeyChain or alike if you want to add encryption.

nandohyphen1

gk7ncklxlts99w1 on a side note, for sharing passwords (or basically any kind of text) between devices this app is super cool!
https://f-droid.org/packages/info.guardianproject.pixelknot
It is out of date (hasn't been updated in 4 years), but I really enjoy it.

gk7ncklxlts99w1

nandohyphen1

Yeah I wouldn't trust that. Steganography is a method of obscurity, not security. While obscurity is a valid layer of defense when used alongside other security protocols, alone it is useless, even if the app's developer says it is resistant to some attacks...4 years ago. And that app definitely leaves a trace. If you're sending those images through regular SMS then you may as well write a sticky note on your forehead and bring it everywhere with you. Maybe in this analogy, the writing is a little smudged.

nandohyphen1

gk7ncklxlts99w1 interesting. I didn't know that. I've only used it for sharing (non important, non confidential) messages, mainly just for fun. My thought was that it could work for passwords, but yeah, not sure I'd want to use it for that after all.

nandohyphen1

mmobder this is cool. Thanks!