Security & Privacy

  • Has Strongbox been audited for security?

    Short answer: No. Longer answer: The database formats supported by Strongbox have been audited, and the source code for Strongbox is available freely online. An audit of the Strongbox source code has never been done, though it would be great to have one done. Strongbox is an independently develope...
  • How can I trust that Strongbox is not sending my passwords elsewhere or stealing them?

    The only 100% sure-fire way would be for you to read the code, understand it, compile it, and deploy it. Along with this you also need to trust all of the dependencies and libraries that Strongbox uses. There is no other way for you to avoid having some trust in some part of the process and dep...
  • How does Strongbox securely store confidential information (e.g. Master Passwords, SFTP/WebDAV Credentials)? Is it secure?

    Strongbox often needs to store sensitive/confidential user secrets to offer useful features like convenience unlock, SFTP or WebDAV connections. What are these secrets, confidential or secure items? Master Passwords (required if you use Face ID, Touch ID, PIN Code or Apple Watch Unlock) SFTP Cr...
  • How do I select a good master password?

    A vital and important question. There are varying opinions on this, but one of the best guides around can be found here: https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/ The weak link in the security chain with Strongbox is always going to be the master passwor...
  • How secure is FaceID / TouchID?

    While Touch/Face ID is very convenient, it is not a perfect system for protecting your passwords. It is provided for convenience only. It is within the realm of possibility that someone with access to your device and your fingerprint or photo can produce a good enough fake to fool Apple’s syst...
  • What information is shared with Cloud Providers (e.g. Google Drive) by Strongbox?

    This is up to the cloud provider and how they define the interaction of third-party apps with their storage API. In brief, this is likely to include your email address or account username, the name of the third-party app (in this case Strongbox) and probably data like the current date/time and IP ...
  • What possible network connections can Strongbox make?

    The following are the possible network connections that Strongbox can make which may be seen if you monitor network traffic while using the features described below. Apple App Store (Mandatory) Strongbox makes requests to Apple for two reasons. In App Purchase pricing and purchase/restore trans...
  • What type of cryptography does Strongbox use?

    Strongbox implements many cryptography algorithms. Password Safe based files use Twofish in CBC mode, SHA-256 and RFC 2104 HMAC. This is all put together following the Password Safe design, which you can learn more about here: https://en.wikipedia.org/wiki/Password_Safe For KeePass based files...