
Reproduction of post as reported on the Yubikey developer forum

We have developed an encrypted contact manager and password manager for Android. It is a secure alternative to many of the cloud-based solutions, but without the cloud. Key technologies are an AES-256-encrypted SQLite database and the NanoHttpd tiny web server. Security details:

The app is in the final stages of beta and quite usable, but we felt it needed stronger user authentication: enter the YubiKey NEO. On Android NFC devices, tap the NEO to the back and access is granted. The app uses the default Yubico OTP settings for slot 1. For the web app (on your LAN only), we use the YubiKey static password in slot 2.

We need help in two areas. First is testing on a variety of Android devices and YubiKeys. The number of Android NFC capable devices is growing rapidly and differences in NFC implementation are anticipated.

The second area is the security concept. The app design calls for a standalone solution, without dependency on Internet resources. This makes OTP and U2F validation an issue. We currently acquire the serial number from two NEO sources: from the NFC adapter and from decoding part of the OTP. This is not the best solution, but perhaps good enough until a complete OTP validation can be accomplished. The app will recognize two unique NEO keys, allowing for a backup key. The web app uses a simple static password; this can also be supplied by the NEO.

Your testing, feedback, and thoughts are appreciated, thanks in advance!
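To make the "decoding part of the OTP" and the offline-validation gap from the post concrete, here is an added illustration (not the app's code and not from the forum post) of the Yubico OTP layout: the 12 cleartext ModHex characters an app can read without any key, and the checks a validator performs on the 16-byte token once it has been AES-decrypted. Token layout, ModHex alphabet and CRC residue follow Yubico's published OTP format; the UID and counter values used for testing are constructed.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # Yubico ModHex alphabet: index == nibble value

def modhex_decode(s: str) -> bytes:
    """Decode a ModHex string (two characters per byte) into bytes."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not a ModHex string")
    return bytes((MODHEX.index(s[i]) << 4) | MODHEX.index(s[i + 1])
                 for i in range(0, len(s), 2))

def split_otp(otp: str) -> tuple[bytes, bytes]:
    """A Yubico OTP is 44 ModHex characters: 12 cleartext public-ID characters
    (the 'part of the OTP' an app can read without any key) followed by 32
    characters that are one AES-128 block only the credential's key can open."""
    if len(otp) != 44:
        raise ValueError("Yubico OTP must be 44 ModHex characters")
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])

def crc16(data: bytes) -> int:
    """CRC-16 (poly 0x8408, init 0xffff) as used inside Yubico OTP tokens."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def build_token(uid: bytes, use_ctr: int, tstp: int, session_ctr: int, rnd: int) -> bytes:
    """Lay out the 16-byte plaintext the key encrypts: uid(6) useCtr(2) tstp(3)
    sessionCtr(1) rnd(2) crc(2); the CRC field is the complemented CRC of the rest."""
    body = uid + struct.pack("<HHBBH", use_ctr, tstp & 0xFFFF, tstp >> 16, session_ctr, rnd)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)

def check_token(plain: bytes, expected_uid: bytes, last_use: int, last_session: int) -> bool:
    """Validate a *decrypted* token: CRC residue, private UID, strictly advancing
    counters (replay protection). AES decryption is the missing step: it needs the
    credential's secret key, which the factory-programmed slot-1 credential does not
    reveal, so an offline validator using default settings cannot reach this point."""
    if len(plain) != 16 or crc16(plain) != 0xF0B8:  # valid tokens leave this residue
        return False
    uid, use_ctr, _ts_lo, _ts_hi, session_ctr, _rnd, _crc = struct.unpack("<6sHHBBHH", plain)
    if uid != expected_uid:
        return False
    use_ctr &= 0x7FFF  # top bit is a caps-lock flag, not part of the counter
    return use_ctr > last_use or (use_ctr == last_use and session_ctr > last_session)
```

Matching only the public ID from `split_otp` identifies which key was tapped but authenticates nothing, since that part is cleartext; the counter and UID checks in `check_token` are what stop replays, and they are only reachable with the credential's AES key.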