Leaderboard

I understand that you do not wish to open-source your product, but I am reluctant to use it because of the fact it is closed-source, the company is based in India (yes, this matters) and there is no information about the development team. Have you considered having an independent 3rd-party audit your source-code on a regular basis as a way to gain credibility without open-sourcing your product? Thanks, Gili

Hi @thelonelyghost, Thanks for writing in. You're facing this problem due to the known bug and our dev team is working on it. Meanwhile, please make Google Chrome as a default browser and sync. Thanks.

Hi @HK Office, Thanks for writing in. Yes! Enpass 6 for the iOS platform is already in the testing phase but at the moment I can't assure you any ETA. Cheers!

I think one thing that would help at the VERY least, is to provide some insightful details about the types of cryptography going on here, and how it's handling that. Something LastPass also does is they provide reasonable levels of details about what they do, where it does it, and what algorithms are being used.\ For one example I note, just looking at the Enpass binary I run ldd on it in Linux, and see that it's linked against libgcrypt, libssl-1.0.0, etc.. But also note that it's linked with libsodium, however that's not found, specifically. Which is a bit odd and concerning to me. A well known library that is linked but not used? I personally like the concept of Enpass. I'd like to know a little more what's under the hood of its design from a security standpoint. A lot of people can say, they use military grade AES-256 encryption, but HOW they implement it could completely break it in a snap. Some people here pointed out the country of origin. To me that is mostly immaterial. What is more important is security itself, and the fact is: Security Is Hard, as Steve Gibson himself always says on his podcast show, SecurityNow. Take a look at how LastPass describes what they do for security from a technical point of view: https://lastpass.com/whylastpass_technology.php

Hi @Thomas Was Alone, We would plan for the Security Audit after the Next major release i.e. Enpass 6 as that would have a fat list of features worthy enough for security audit. Please bear with us.

Hello, everybody! I truly understand your concern for a software holding critcal information and not being open sourced or audited by any credible third party agency. Well guys, thanks for all your comments and we've decided to get third party audit of Enpass. But all we need is just some more time as after the upcoming release of Attachments (beta is already there), we'll work on some key features like multiple-vaults with a need of refactoring the core engine, and I think that would be that best time to go for audit, all at once. Till then, please bear with us and all I ask for is your co-operation. Cheers!

+1 It's funny to hear that ensuring that your cryptographic product is in fact secure is not worth the effort. Other apps come to mind: Signal, Telegram, Veracrypt. All cross-platform, all frequently updated, all audited. Oh, and they're all free.

+1 If you choose not to share the source, its sorta up to you to pay some third party to review the code with NDA. And as Gili said, no one expects reoccuring audits. Its mostly, or at least about customers needing to know that you've implemented cryptography in a acceptable way and of course that there are no additional ways in to a running process of Enpass.

Hemant, Thank you for your response. I don't think anyone is expecting frequent audits. Once a year or every 3 years should be enough. As to the cost... that's the cost of doing business. The primary reason I skipped over this product was because it was both close-sourced and unaudited. Otherwise, I would have purchased a copy. Gili

At least an answer please? AFAIK "Security of our data is your utmost priority." We have questions and thoughts, yet there is not even an answer from the maintainers. This itself means a serious security concern.

I totally agree! That would boost up your reputation!