Response to TeamSIK report on KEY
A report came out this week from research group TeamSIK stating it had found weaknesses in all nine password managers it tested back in August 2016. F-Secure KEY was mentioned in this list as having one weakness in its Android version. F-Secure fixed this and an update was made available to users from the 1st September.
We wish to assure our customers that the flaw could only be exploited in a very specific circumstance. That being, they had the Android version of the product between the 22nd April and 1st September 2016, their device had been lost or stolen and the thief rooted the device. The thief would then be able to access the master password. This weakness could not be exploited remotely.
F-Secure is not aware of any customers being compromised by this weakness. Any users who feel they could have been affected can change their passwords to avoid further problems.
It is true that all software contains bugs, as no code is perfect. To this end, F-Secure has a Vulnerability Reward Program (a.k.a. bug bounty program) for experts to alert us to vulnerabilities they find. TeamSIK participated in this program and was issued a monetary reward. We extend our thanks TeamSIK for its vigilance.