Security Audit by Cure53
Thursday, Nov 10, 2016
Password managers like Padlock are different from most other applications in that they deal with personal and sensitive data. They therefore require a significant level of trust from their users and have to be held to a much higher standard when it comes to security and privacy. We believe that the best foundation for trust is transparency, which is one of the reasons why we’re so strongly committed to the idea of Open Source. We greatly appreciate the faith our users put into our intentions and skills, but we also want to encourage people to be sceptical and to be able to convince themselves of the security and integrity of our application.
However, while it is theoretically possible for anyone to inspect our source code, only very few people actually have the knowledge and experience required to assess the security of an application. This is why we’re happy to announce that we’ve been working with the Open Technology Fund and the security experts at Cure53 to identify and eliminate possible vulnerabilities and further strengthen the security of the app! Earlier this year, Mario Heiderich and his team performed a full penetration test on Padlock for iOS, Android and Google Chrome, as well as on the online storage service Padlock Cloud. During their tests, they identified a series of non-critical but important security vulnerabilities and risks, which we’ve since been able to fix. The full report is available for download here. Our notes on the report, outlining the concrete steps taken to mitigate the identified issues, can be found here.