Security
ℹ️ Valid from version 1.x.x
Security Documentation for the Apps
This documentation describes the security measures implemented in the apps to protect user passwords, external service authentication, and backups.
User Passwords
- User passwords are hashed with Argon2id to ensure secure storage and protection against brute-force attacks.
- If configured on the device, the user can alternatively log in with Windows Hello.
- On Android, biometric authentication is used instead.
Storage of Passwords and Secrets
- Passwords and secrets for external services (e.g., database credentials) are encrypted and stored using the Windows Data Protection API (DPAPI).
- This data is only accessible to the current Windows user.
- On Android, SecureStorage is used for this purpose.
Backups
- All settings, as well as passwords and secrets for external services, are stored in a JSON file.
- This file is encrypted with AES-256 GCM to ensure data confidentiality and integrity.
- Only authorized users with the correct key can decrypt the backup.
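The backup scheme described above (a JSON settings file encrypted with AES-256 GCM), as an added Node.js example that is not the apps' own code. The envelope field names, the associated-data label and the raw 32-byte key are assumptions, since this page does not specify the file layout or how the key is obtained.

```javascript
const nodeCrypto = require("node:crypto");

// Assumed envelope: {v, nonce, tag, data}, binary fields base64-encoded.
const VERSION = 1;
const AAD = Buffer.from("app-backup-v1"); // constructed label, authenticated but not encrypted

function encryptBackup(settings, key) {
  if (key.length !== 32) throw new Error("AES-256 requires a 32-byte key");
  const nonce = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every backup
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(AAD);
  const data = Buffer.concat([cipher.update(JSON.stringify(settings), "utf8"), cipher.final()]);
  return JSON.stringify({
    v: VERSION,
    nonce: nonce.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    data: data.toString("base64"),
  });
}

function decryptBackup(envelopeJson, key) {
  const env = JSON.parse(envelopeJson);
  if (env.v !== VERSION) throw new Error("unsupported backup version");
  const tag = Buffer.from(env.tag, "base64");
  if (tag.length !== 16) throw new Error("truncated authentication tag");
  const nonce = Buffer.from(env.nonce, "base64");
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, nonce, { authTagLength: 16 });
  decipher.setAAD(AAD);
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify, so no unauthenticated plaintext is returned.
  const plain = Buffer.concat([decipher.update(Buffer.from(env.data, "base64")), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// True when the backup cannot be decrypted (wrong key or modified file).
function isRejected(envelopeJson, key) {
  try { decryptBackup(envelopeJson, key); return false; } catch { return true; }
}

// Simulates on-disk modification by flipping one ciphertext bit.
function flipOneBit(envelopeJson) {
  const env = JSON.parse(envelopeJson);
  const data = Buffer.from(env.data, "base64");
  data[0] ^= 0x01;
  return JSON.stringify({ ...env, data: data.toString("base64") });
}

// Constructed sample data, not real settings.
const key = nodeCrypto.randomBytes(32);
const backup = encryptBackup({ theme: "dark", dbPassword: "example-only" }, key);
console.log(decryptBackup(backup, key).theme, isRejected(flipOneBit(backup), key));
```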
First App Launch
- When the app is launched for the first time, default users are created with predefined passwords:
  - Admin Users: Default password is admin
  - Regular Users: Default password is user
- It is strongly recommended to change these passwords after the first login.