What Is Strongbox’s Approach to the App Store App Privacy Section?

Apple introduced the App Privacy section to the App Store in 2020 to give users a better idea of the privacy implications of using an App. This is to be applauded. However, it really places a burden on us developers. Strongbox is built by an Indie developer, a small (lovely!) team who love to work on it and some other ideas (keep an eye on our social media).


Always wanting to be upfront about how Strongbox works and the privacy implications, we have a detailed privacy policy you can find here, we list all the network connections Strongbox can make here, and we even go so far as to tell advanced users how to track/monitor ongoing connections that Strongbox makes at any time. We make our code open source (here), and we have even built a super stripped-down version of our app (here) for the truly concerned users, the hardcore.

We do struggle with how best to describe our App fairly to Apple and all the legalese involved. As usual, the little guy doesn't really seem to fit easily into corporate form filling exercises, and we're trying to avoid getting squished in the giant power battles taking place amongst the tech titans.

We have never tracked and will never track our users, nor do we want to. We find the practice morally dubious at best and likely harmful to society as a whole, if not directly to the individual concerned. We don't use any analytics or advertising tools/SDKs at all in the Strongbox app. We choose to use a super privacy-conscious web analytics provider for our website. If something goes wrong in the app, we must ask you to send us a crash report off your own bat. If you contact us on support, we must ask you to send us the debug info from within the app. We just don't have any data, nor do we want it. Of course, this can be a bit of a pain during debugging, but we feel it's the right thing to do, and it makes keeping our privacy policy simpler.

Third Party Storage Providers and other Network Features

A very large proportion (the majority, we believe, given our support inbox!) of our users store their secure databases on several different cloud providers (iCloud, Dropbox, Google Drive, OneDrive). We want to make Strongbox great, and so we provide fantastic native integration with these clouds. This offers superlative sync capabilities. On top of native sync for those third-party providers, Strongbox offers features such as the following:

  • Native SFTP
  • Native WebDAV
  • Copy from URL support
  • Native iCloud Support
  • Transfer over Wi-Fi/Local Network
  • Favicon Manager
  • Have I Been Pwned? (HIBP) Audit Feature

As you can see, all of these features are designed for networking, and can make connections outside of your device if you choose to allow it. We think these features offer great value to our users, but all of them are optional, opt-in features. To reiterate, we don't ever track our users; we oppose that on principle. We don't think a Password Manager should be tracking users, or using or being involved in advertising in any fashion (especially directly in app!). However, we do allow users to connect to other websites that may or may not have amazing privacy policies.

We genuinely feel 'Data Not Collected' is the fairest App Privacy label for Strongbox. We don't believe it can be fairly said that Strongbox tracks, or has any interest in tracking, via third-party websites or otherwise. We believe users know best how and where they want to store databases and which websites they choose to access. We think that any other label would be uncharitable at best. We even go out of our way to make every one of the above features wildly clear to our users before they use them.

Check out a screenshot of our opt-in notice that appears when a user initiates the use of a third-party storage provider:

[Screenshot: opt-in notice shown when a user initiates the use of a third-party storage provider]

The nitty-gritty, legalese, and Apple's App Privacy wording

We are developers, not lawyers, and small print and exceptions are difficult in any case (at least for us mortals). Apple list 4 criteria for which developers can use their discretion when making a declaration. These are (abridged):

  1. The data is not used for tracking purposes, meaning the data is not linked with Third-Party Data for advertising or advertising measurement purposes, or shared with a data broker.
  2. The data is not used for Third-Party Advertising, your Advertising or Marketing purposes.
  3. Collection of the data occurs only in infrequent cases that are not part of your app’s primary functionality, and which are optional for the user.
  4. The data is provided by the user in your app’s interface, it is clear to the user what data is collected, the user’s name or account name is prominently displayed...

We believe 2, 3, and 4 are super easy slam dunks and Strongbox can easily meet these hurdles in all cases. However, item 1 gives us pause. We believe this is probably true for Strongbox users; however, it is very difficult for us to ascertain exactly what any given website/provider is doing behind the scenes. For example, could it be that, when you log in to OneDrive, Microsoft is using the IP address that you log in with for some kind of monitoring/security purpose? Or how about if you grab the Favicon from Strava? This is within the realm of possibility, but even here, Apple have made an exception for this, see:

The following situations are not considered tracking:
...
When the data broker uses the data shared with them solely for fraud detection or prevention or security purposes.

Summary

In summary, we want to live up to the letter and also the spirit of the App Store rules. But there's room for interpretation, and so we want to present the fairest label for our users possible. Unfortunately, the App Privacy section is a blunt instrument and puts us in a bit of a difficult spot. That's why we have this article here, a very explicit privacy policy and set of help articles concerned with privacy and security. We hope you'll agree with our choices here, but we understand your interpretation and preferences may differ. We just ask that, if that's the case, you engage with us in good faith. Unfortunately, we've suffered some rather cynical and mean-spirited comments online (of course!), and hence this long-winded and detailed article.

We are a small Indie developer just trying to do our best, and this situation is less than ideal for us. We do hope you'll allow us a little latitude, goodwill, and some understanding here. We'd really rather be coding the best Indie password manager out there! :) Of course, we're also open to interpretations, advice, and comments, and will continue to review our declarations regularly. We're certainly not wedded to our current interpretation and offer a custom-built Strongbox Zero app for anyone concerned about anything contained above. We believe that's honest and fair for all concerned.

Nov 3, 2023