I know you'll tell me it's safe and that it's "encrypted end to end" But how can I be confident that the program does not store passwords and encryption keys and keep them in the database after sharing them?
As you know there was a major incident related to this particular point and sensitive user data was seized due to it being saved and not deleted.
I have just open-sourced the code that deals with persistence of data locally on the phone. All sensitive data is stored in encrypted form. The encryption key never leaves the device because it is stored in Secure Enclave. This is necessary so that the data doesn't leak through iOS / Android recovery backups.
https://github.com/entelecheia-inc/ios-excerptshttps://github.com/entelecheia-inc/android-excerptsOf course these excerpts do not guarantee that I call these functions consistently, but it will give you an indication of what is going on.
Also, I blank the screen when the app is swiped, so that iOS/Android doesn't grab in the optimization screenshot displayed sensitive text.
@NotATether: I am sending you a PM about arranging the code review.