Apple introduced the App Privacy section to the App Store in 2020 to give users a better idea of the privacy implications of using an App. This is to be applauded. However, it really places a burden on us developers. Strongbox is built by an Indie developer, a small (lovely!) team who love to work on it and some other ideas (keep an eye on our social media).
We do struggle with how best to describe our App fairly to Apple and all the legalese involved. As usual, the little guy doesn't really seem to fit easily into corporate form filling exercises, and we're trying to avoid getting squished in the giant power battles taking place amongst the tech titans.
Third Party Storage Providers and other Network Features
A very large proportion (the majority, we believe given our support inbox!) of our users store their secure databases on several different cloud providers (iCloud, Dropbox, Google Drive, OneDrive). We want to make Strongbox great, and so we provide fantastic native integration with these clouds. This offers superlative sync capabilities. On top of native sync for those 3rd party providers, Strongbox offers features such as the following:
- Native SFTP
- Native WebDAV
- Copy from URL support
- Native iCloud Support
- Transfer over Wi-Fi/Local Network
- Favicon Manager
- Have I Been Pwned? (HIBP) Audit Feature
As you can see all of these features are designed for networking, and can make connections outside of your device, if you choose to allow it. We think these features offer great value to our users, but all of them are opt-in optional features. To reiterate, we don't ever track our users, we oppose that on principle. We don't think a Password Manager should be tracking users, use or be involved in advertising in any fashion (especially directly in app!). However, we do allow users to connect to other websites that may or may not have amazing privacy policies.
We genuinely feel 'Data Not Collected' is the fairest App Privacy label for Strongbox. We don't believe it can be fairly said that Strongbox tracks, has any interest in tracking via 3rd party websites or otherwise. We believe users know best how and where they want to store databases and which websites they choose to access. We think that any other label would be uncharitable at best. We even go out of our way to make every one of the above features wildly clear to our users before they use them.
Checkout a screenshot of our opt-in notice that appears when a user initiates the use of a third-party storage provider:
The nitty-gritty, legalese, and Apple's App Privacy wording
We are developers, not lawyers, and small print and exceptions are difficult in any case (at least for us mortals). Apple list 4 criteria for which developers can use their discretion when making a declaration. These are (abridged):
- The data is not used for tracking purposes, meaning the data is not linked with Third-Party Data for advertising or advertising measurement purposes, or shared with a data broker.
- The data is not used for Third-Party Advertising, your Advertising or Marketing purposes.
- Collection of the data occurs only in infrequent cases that are not part of your app’s primary functionality, and which are optional for the user.
- The data is provided by the user in your app’s interface, it is clear to the user what data is collected, the user’s name or account name is prominently displayed...
We believe 2,3,4 are super easy slam dunks and Strongbox can easily meet these hurdles in all cases. However, item 1, gives us pause. We believe this is probably true for Strongbox users, however it is very difficult for us to ascertain exactly what any given website/provider is doing behind the scenes. For example, could it be, that when you login to OneDrive that Microsoft is using the IP address that you log in with for some kind of monitoring/security purpose? Or how about if you grab the Favicon from Strava? This is within the realm of possibility, but even here, Apple have made an exception for this, see:
The following situations are not considered tracking:
When the data broker uses the data shared with them solely for fraud detection or prevention or security purposes.
We are a small Indie developer just trying to do our best, and this situation is less than ideal for us. We do hope you'll allow us a little latitude, good will, and some understanding here. We'd really rather be coding the best Indie password manager out there! :) Of course, we're also open to interpretations, advice, and comments, and will continue to review our declarations regularly. We're certainly not wedded to our current interpretation and offer a custom built Strongbox Zero app for anyone concerned about anything contained above. We believe that's honest and fair for all concerned.