How can I trust that Strongbox is not sending my passwords elsewhere or stealing them?

The only 100% sure-fire way would be for you to read the code, understand it, compile it, and deploy it. Along with this you would also need to trust all of the dependencies and libraries that Strongbox uses. There is no other way to avoid placing some degree of trust in some part of the process and dependency stack, and doing all of this would require significant development skills. At some point you are left having to trust someone or something to some degree, at a point where that's comfortable for you.

Perhaps the best argument comes simply from assuming a degree of self-interest on the part of Strongbox as a business. Strongbox has been around for about 6 years now, and has been charging for about 2 of those years. It would be terrible for business if there were ever any such issue with Strongbox; it would probably just kill it, and there goes any income for all the work that has been poured into it. A nightmare scenario.

On top of that, it's pretty easy for people or authorities to find the developer (me, Mark McGuill) and the UK limited company (Phoebe Code Limited). There are also public LinkedIn and GitHub profiles. Speaking for myself personally, I live in London. I'm not a criminal mastermind, just a regular software engineer whose side project is useful enough to other people that some of them are willing to purchase or subscribe, which keeps Strongbox alive.

In short, there are easier ways for a software engineer to make money than to spend 5 or 6 years developing an open source password manager in the hope that it becomes successful enough for me to perform some criminal actions in the future. It would not be a very smart move for me to steal someone's confidential data; I'd be looking at some very stressful legal issues and/or probably jail.

Also, it would be extremely obvious if Strongbox did this. Anyone can monitor the network traffic from the app and spot it, and it would only take one person noticing for the app to become toxic and unusable and for Strongbox to be in severe legal trouble.

I care about this and I'm very open about it: I have an entire FAQ dedicated to network traffic, where I specifically link to network proxies people can use to inspect it, and where I enumerate the connections Strongbox can or must make:

In short, it is difficult to fully satisfy a question of this sort, but it's an understandable question. It comes down to trust, and there doesn't seem to be any easy or simple way around that as a small independent business. I hope Strongbox has been earning that trust over the last few years.

At the end of the day it’s always going to be your call.