Risks with iOS app?

Chasim

After a lot of researching, I settled on using Boxcryptor for encrypting some files to upload to OneDrive. I am pretty comfortable with how it works on my Windows PC. However, I also installed the iOS app and it does give me a couple of security and privacy concerns.

First, I understand that the Boxcryptor app must be given access to OneDrive, but the setup also involved granting permission to access OneDrive as a whole, as the warning/permission mentioned even contacts. To what extent can Boxcryptor access OneDrive (which is tied to my entire Microsoft account, including e-mail)?

Second, to what extent are files made vulnerable by the iOS app cache? As I understand it, unencrypted files are cached for use by other apps? In my case, since I will not use the Boxcryptor app frequently, I log in, use the app, then log out completely (which I might not do if there was an app PIN). Does that minimize the risk of unencrypted files being obtained by someone who gets access to my device?

Thanks!

Robert

Hello,

The current version of Boxcryptor for iOS is requesting the following permissions for OneDrive to properly work:

wl.basic
wl.offline_access
wl.signin
wl.skydrive_update

You can find a detailed description of these permissions here:
https://msdn.microsoft.com/en-US/library/dn631845.aspx

The primary goal of Boxcryptor is to secure your files when they are stored at your cloud storage provider - not necessary to secure them on your devices. There exist a variety of tools and options to achieve this (e.g. device or hard disk encryption, device passcode, etc.). When you open an encrypted file in Boxcryptor, the file is decrypted and a plaintext copy is stored in the app's container in the file system of your iOS device.

This "cache" is only cleared when you unlink the device (Settings -> Account -> Unlink this iPhone/iPad/iPod) or if you manually clear the cache (Settings -> Cache -> Clear Cache). Logging out does not clear these plaintext copies.

In order to minimize the risk when somebody gets access to your iOS device, please follow best practices to secure your device (e.g. setting up a passcode or TouchID and enable device encryption).

Best regards,
Robert

Chasim

Thank you very much for your response. I did read the description of the permissions, but am still confused as to what access the permissions give in terms of the information sent to you/Boxcryptor? Does the app send any information or does it only retrieve keys from your servers?

Robert

Hello,

The app does not send any of this information to our servers. The information retrieved from OneDrive (or other providers) is solely used within the app and not sent anywhere else. Which data is exchanged between our apps and our server is described here in our technical overview:

https://www.boxcryptor.com/en/technical-overview#anc09

Best regards,
Robert

PS: In addition to the "regular" application data, we collect some anonymized statistical data (e.g. which iOS version, etc.) which help us in our decision process (e.g. when to drop support for an old, unused iOS version). This is outlined in our privacy policy: https://www.boxcryptor.com/en/privacy-policy