Developer Documentation to write Plugins


Postby Mecki » Tue Mar 03, 2009 7:09 am

MacOS X stores a lot of passwords in its Keychain. In theory one could use LastPass to also synchronize this store across multiple computers. What would be necessary for that? A tool for Mac that can export the Keychain Content to LastPass's storage and re-import passwords back from there.

As a long time Mac programmer, I'm quite familiar with the Keychain API (I hate it like hell, because it's ugly like hell, but I know it very well, have been using it thousands of times). And I'm willing to offer help. What I'm missing is a developer documentation that explains detailed enough how an application could access the LastPass vault and that could read passwords from there as well as writing passwords to it.

I'm very interested in writing such a tool. I think all passwords could be easily synchronized that way across multiple Macs. I'd be giving out such a tool for free. I'm also willing to share the source code with you, if you like. However without a developer documentation I had to reverse engineer all the information of the JS code, which is possible, but hard work.

I'm also thinking about an offline version you can save onto mobile phones written in Java, so you can take your whole vault with you wherever you go encrypted on your mobile phone. Again, I need a developer documentation for that. It would be great if you can also create "sites" on the phone and sync these back to the vault (e.g. if you must create a password while away from any computer).

So here's another offer: If you provide me with the necessary information in any format of your choice, I'm also willing to help writing a developer documentation for you which I will be donating to this great project for free, so you can put it online on your web page.

So free help is available for you guys, just contact me about it and I will do my best to help you out where I can. If you want to schedule a live chat or similar, just let me know (I have MSN, ICQ, AIM, Skype). The more software there is that works with your great service, the better for the service. I want to help you making this more a community project than a 4 men show :-) This cuts your workload, working time, costs, etc.
Mecki
 
Posts: 40
Joined: Thu Feb 26, 2009 4:32 pm

Re: Developer Documentation to write Plugins

Postby Mecki » Tue Mar 31, 2009 9:00 am

Just adding some info here:

1) If you demand that apps/plugins using your service must be free (as you don't want other people earning money with your service), that is fine.

2) If you demand that you own all source of any application using your service, that is discussable (I would not oppose it in general, though some questions have to be answered first).

3) If you demand that any third party software using your service must be sold (it may not be free), possibly by yourself, and you must get a fair amount of the money earned (negotiable, e.g. 50% of the "net gain"), that is fine, too.

4) If you say third party apps can only be used with a premium membership (so you'll make money with users of third party apps in any case), and you don't care if the vendor of the third party app gives it out for free or sells it.

Don't forget, I love this service, it's great. I'm using it on three computers and finally have a way to keep the passwords in sync. I trust all three computers I use, further I only use it via the Firefox plugin on all three computers (which makes it very hard for an attacker tool, harder than if I'd just use your web site as an online service). But like every online service, it has weaknesses when on the road. I can't use it from an Internet café. The Internet café owner has full control over this computer; key loggers are my tiniest worry, thanks to OTP support. However, he can install a Firefox plugin himself to access my vault if I login to your webpage via OTP and get hold of the vault contents and the key to decrypt it directly from memory. Or he could even have a modified version of Firefox installed (it is OpenSource, what stops him from grabbing the source, modifying it, building it, and installing the modified version? I will never know). He could even replace OpenSSL Library on disk with his own modified version that dumps all SSL traffic unencrypted, so not even SSL helps anything here. If you have no control over the system you are using, using your service is getting risky.

You plan a native app for iPhone and for Palm, you want to integrate the service with Windows, and BlackBerry support, etc. However, you will hardly be able to support every mobile device in the world and integrate it with every operating system/service in the world. I would like to help you here. E.g. integrating it with OS X in some way (the Keychain Service of OS X is very powerful and almost all apps use it to store/retrieve passwords, integrating LastPass into that service in some way would make it THE ONE AND ONLY password solution for all Mac OS X users) and also having a way to sync to various offline devices would be cool. E.g. going online with my mobile phone is very, very expensive. So using m.lastpass.com is no option. But having a native app for the phone that can be synced with the store every now and then means I can carry all passwords with me, no matter where I go. In that case that would be a mobile phone Java application that would not only run on my phone, but probably on 90% of all mobile phones in the world! Not that I ever wrote such a mobile phone application, but just for LastPass I'd learn how this can be done (and I'm an expert Java programmer, so it should not be too hard).
Mecki
 
Posts: 40
Joined: Thu Feb 26, 2009 4:32 pm

Re: Developer Documentation to write Plugins

Postby JoeSiegrist » Tue Mar 31, 2009 12:09 pm

We're quite interested in allowing people to extend LastPass as you've described, (and we've looked at doing KeyChain as part of 'application support' for the Mac to coincide with what we're doing on Windows). Here are our thoughts:

- We think we need to have access to all source code and be responsible for building the extension/application -- we'd want to audit the code for safety and ensure nothing happens between that audit and the build.
- The IP (intellectual property) rights are tricky: we'd want to give people incentive/credit/compensation to create these applications while still retaining our rights.
- Even more tricky for the mac we have code already that does all the authentication/hashing/encryption in a nice Objective-C format that we'd want to share with you, but we're not sure we want to open source it at this time.

Perhaps we can take this offline and work together to figure this out.... Will email you directly.

Joe
JoeSiegrist
 
Posts: 4138
Joined: Wed Aug 20, 2008 10:40 am

Re: Developer Documentation to write Plugins

Postby Mecki » Tue Mar 31, 2009 1:29 pm

JoeSiegrist wrote:
- We think we need to have access to all source code and be responsible for building the extension/application -- we'd want to audit the code for safety and ensure nothing happens between that audit and the build.

Quite reasonable and good for all LP users, as this will prevent them from installing the wrong software from the wrong people (written only for stealing their passwords). It absolutely makes sense to me from a security point of view.

JoeSiegrist wrote:
- The IP (intellectual property) rights are tricky: we'd want to give people incentive/credit/compensation to create these applications while still retaining our rights.


This is not really the issue IMHO... it is just a question of picking the right license. In the worst case you'll have to write one yourself and demand that all code must be released under that license. As a software developer (that's what I do for a living) a couple of other things come to my mind: Who is going to provide support for these applications? Who is handling bug reports/feature requests? These problems are not unresolvable, but they should be answered upfront.

Regarding compensation... as long as you give the software away for free, do programmers really need compensation? Do OpenSource programmers get compensation? Compensation is also not really an issue, unless you either plan to sell the software yourself or make it a paid feature. Credits would be nice, though :-)

JoeSiegrist wrote:
- Even more tricky for the mac we have code already that does all the authentication/hashing/encryption in a nice Objective-C format that we'd want to share with you, but we're not sure we want to open source it at this time.


You don't have to, you could let developers sign an NDA ;-)

On the other hand, I'm mainly interested in the exchange protocol (data exchanged between the client and your server), as well as the vault format (the data format once the data has been retrieved); everything else is not too hard, after all there is libcrypto on every Mac of the OpenSSL project (I have used it plenty of times already for hashing and encryption tasks). Even if you demand that the tool may not link against dynamic libraries at all (as these can be replaced in the system; a possible weak spot for an attack), you can build libcrypto statically and link it as static library into the application. Then again... if I want to hack an Obj-C application that uses libcrypto, I'd hardly replace libcrypto as hacking Obj-C is much easier (ever heard of a tool named classdump?)

JoeSiegrist wrote:
Perhaps we can take this offline and work together to figure this out.... Will email you directly.


I'm looking forward to your e-mail. I also have some information to share regarding OS X and Keychain that I cannot post here directly in public (now I'm still anonymous to forum readers, so I probably could, but if I help you write a tool and you credit me for it, I won't be anonymous any longer)
Mecki
 
Posts: 40
Joined: Thu Feb 26, 2009 4:32 pm

Progress?

Postby stepstone » Mon Jul 19, 2010 11:26 am

Hi!

I'm ready to start using LastPass, however, I am dependent on the ability to import Keychain passwords on OSX (or the whole point would be moot for me). Is there any info about progress on this?

Thanks!
stepstone
 
Posts: 3
Joined: Mon Jul 19, 2010 11:23 am

Re: Developer Documentation to write Plugins

Postby dalex7777 » Tue Oct 05, 2010 4:21 pm

I am curious to see what is the status of this effort. This sounds like a very practical and promising integration of two great password management tools.
dalex7777
 
Posts: 1
Joined: Tue Oct 05, 2010 4:14 pm

Re: Developer Documentation to write Plugins

Postby derricko1 » Fri Nov 05, 2010 11:56 pm

Yeah... Where are we with this? I just found out about your product and have literally spent the last few hours combing through my passwords in my vault and deleting the ones that are old, no longer work (some sites have 4 or 5 password generations) and now my vault is clean, current, and clutter free.

My keychain, however, is not. Being a much less friendly interface, along with the inability to "test" old passwords and find the one that works out of multiples... My keychain is filled with all the expired, old and multiple passwords. And that's the one that syncs with mobileme and populates my other computers.

I'd love nothing more than to overwrite keychain's junky password collection with LastPass's up to date set of them.

Please tell me this has been considered.

Amazing product, by the way...

Thanks,

Derrick
derricko1
 
Posts: 1
Joined: Fri Nov 05, 2010 11:14 pm

Re: Developer Documentation to write Plugins

Postby rollinsruss » Mon Dec 13, 2010 3:53 pm

+1 for an export/import with KeyChain, this would save new Mac adopters a (potentially) significant amount of time in transcribing entries.

I'd love to recommend LastPass to a bunch of other devs on my team (all Mac users), but this is somewhat of a painful point of adoption given the tedious amount of copy-paste work (not to mention potential for error). This would help sell the idea when budgeting for company-wide/enterprise adoption.

Is there a feature/issue tracker where we could vote/comment on this?
rollinsruss
 
Posts: 1
Joined: Mon Dec 13, 2010 3:45 pm

Re: Developer Documentation to write Plugins

Postby Lars » Mon Dec 13, 2010 4:57 pm

Could you do a generic export from your KeyChain and then import that to LastPass?
Lars
 
Posts: 2154
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: Developer Documentation to write Plugins

Postby hoby » Mon Aug 22, 2011 2:24 pm

I would say this is critical for supporting any mac user who has had their computer more than a couple of weeks. I for instance have close to a thousand site passwords. On my first attempt to import via Chrome (which uses the Mac OS X Keychain) I was presented with a confirmation dialog needing a click for every single one of those thousand passwords. I don't have the patience for that so I stopped the process.

The problem is, the syncing function of LastPass is pretty much useless for me without being able to import/sync my library of credentials.
hoby
 
Posts: 1
Joined: Mon Aug 22, 2011 2:11 pm

