The only 100% sure-fire way would be for you to read the code, understand it, compile it, and deploy it. Along with this you would also need to trust all of the dependencies and libraries that Strongbox uses (e.g. libcrypto, libssl, libssh, libsodium, the argon2 libraries, etc). There is no other way to avoid placing some trust in some part of the process and dependency stack, and doing all of this yourself would require significant development skills. At some point you are left having to trust someone or something, to whatever degree you are comfortable with.
Perhaps then, the best argument for trust comes simply from assuming a degree of self-interest on the part of Phoebe Code Limited as a business. Strongbox has been around since 2014, and has been a commercial operation since 2017. It would be terrible for our own commercial interest if there were ever any issue with Strongbox: it would probably just kill it, and with it any income for all the work that has been poured into it. A nightmare scenario for all concerned. On top of that, consider the legal ramifications of doing something nefarious. Strongbox isn't developed by some unknown random developer in a country with a dubious justice or tax system. Strongbox is developed by a fully registered UK based limited company (Phoebe Code Limited). There are full records of ownership and responsibility is easy to place. There are easier ways for indie software developers to make money than spending countless years developing an open source Password Manager in the hope that it becomes successful enough for some future criminal action to be worthwhile. It would also be extremely obvious if Strongbox did this. Anyone can monitor network traffic or reverse engineer the App and spot it. All it would take is one person to notice, and the App would be toxic and unusable and Strongbox would be in severe legal trouble.
We care about this issue and we try to be as open as we can be. We have an entire FAQ dedicated to network traffic, where we specifically link to tools you can use to monitor Strongbox. We also enumerate the connections Strongbox can or must make. It is difficult to fully satisfy a question of this sort, but it's an understandable question. It comes down to trust, and there doesn't seem to be any easy or simple way around this as a small independent business.
At the end of the day it's always going to be your call whether you use Strongbox. We believe we all have to trust someone or something, somewhere along the line. We hope we've earned the community's trust and yours, but if not, we'll keep trying.