0XPassword app for iPhone and iPad


4.8 (9568 ratings)
Utilities
Developer: 家祎 董
Free
Current version: 1.1.0, last update: 3 months ago
First release: 05 Jul 2024
App size: 50.15 Mb

Safety Instructions
Security

No Internet Connection for Data: 0XPassword does not connect to the internet and lacks a central server. There is no risk of data interception during transmission or data leaks from a server.

Local Data Encryption: The data stored locally in 0XPassword is protected by dual encryption using AES-GCM-256 and AES-CFB-128. Your data cannot be decrypted.

Key Derivation with Argon2: 0XPassword uses Argon2 for key derivation, ensuring your key cannot be guessed and is resistant to various attacks.

256-bit Key Protection: The key used by 0XPassword is derived from your unlock password using complex algorithms and Argon2, resulting in a unique key even if the same unlock password is set again.

Transparency

Open Source Foundation: 0XPassword is developed on open-source standards, allowing anyone with the necessary skills to investigate and verify its security.

Open Data Format: 0XPassword uses SQLite for local data storage.

Trusted Encryption Algorithms: 0XPassword employs well-established AES-GCM-256 and AES-CFB-128 encryption algorithms.

Secure Storage of Private Data: Information related to the decryption key is stored in the device's keychain, making it inaccessible to others.

Public Data Encryption Process

Local Data Caching: 0XPassword encrypts local cache data using AES-CFB-128. The process of generating the local cache key (key1) is as follows:

Upon first startup, a 36-character string (U1) is randomly generated, such as b5729ae8-3573-40f4-9b19-6c14f900ema5, which is then concatenated with a current timestamp to form a unique value (U2), ensuring randomness for each user and device.

This unique value (U2) is passed through a hash() algorithm, producing a 32-byte string, for example 2dd7e056c8b......cc0f2d8e5b, which is stored in the system keychain.

This hashed value undergoes obfuscation and Argon2 derivation, resulting in a 16-byte key (key1). This process ensures the randomness and security of key1, making it impossible for an attacker to derive key1 even if the hashed value from the keychain is obtained.

Dual Key Derivation for Secret Key Generation:

Setting Unlock Password: During initial data creation, 0XPassword requires you to set a password. The secure creation process is as follows:

If your password is 123456, 0XPassword appends a randomly generated 14-character string, such as abcdefghighkil, resulting in 123456abcdefghighkil.

This combined password is then processed with the Argon2 algorithm to derive a 32-byte string (p1), such as e0391cfb51......01f74c34b.

This string (p1) is stored in the local cache file for password validation. Even a simple 6-digit password will result in a complex string through derivation, preventing reverse engineering of the original password.

Secret Key Generation:

0XPassword generates a random 14-character string as salt and uses the previously derived password (p1) with Argon2 to derive SK0.

SK0 is then obfuscated, resulting in a 32-byte key (SK1), which is stored in the encrypted local cache.

During encryption/decryption, 0XPassword derives the SecretKey from SK1 using the Argon2 algorithm in memory.
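
The unlock-password and secret-key steps above, as an added Python example that is not 0XPassword's own code. hashlib.scrypt stands in for Argon2 (the standard library has no Argon2); the salt alphabet, the cost parameters, the reuse of the appended string as KDF salt and all function names are assumptions, and the unspecified obfuscation step (SK0 to SK1) is left out.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # assumed salt alphabet
# Illustrative scrypt cost; the page gives no Argon2 parameters.
KDF_PARAMS = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024)


def random_salt(length: int = 14) -> str:
    """Random 14-character string, as in the page's description."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive(secret: bytes, salt: bytes, dklen: int = 32) -> bytes:
    """Memory-hard KDF; scrypt is a stand-in for Argon2 here."""
    return hashlib.scrypt(secret, salt=salt, dklen=dklen, **KDF_PARAMS)


def set_unlock_password(password: str) -> dict:
    """Build p1 (password check value) and SK0 (derived from p1)."""
    pw_salt = random_salt()
    # Page: the random string is appended to the password before derivation.
    # Using the same string as the KDF salt is an assumption of this example.
    p1 = derive((password + pw_salt).encode(), pw_salt.encode())
    sk_salt = random_salt()
    sk0 = derive(p1, sk_salt.encode())
    # Both salts have to be persisted, or p1 and SK0 can never be re-derived.
    return {"pw_salt": pw_salt, "p1": p1, "sk_salt": sk_salt, "sk0": sk0}


def verify_unlock_password(password: str, record: dict) -> bool:
    """Re-derive p1 from the candidate and compare in constant time."""
    salt = record["pw_salt"]
    candidate = derive((password + salt).encode(), salt.encode())
    return hmac.compare_digest(candidate, record["p1"])


if __name__ == "__main__":
    rec = set_unlock_password("123456")  # sample password from the page
    print(verify_unlock_password("123456", rec))  # correct password
    print(verify_unlock_password("123457", rec))  # wrong password
```

Setting the same password twice yields different p1 values because each call draws a fresh 14-character string, which is the behaviour the page describes for re-set passwords.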

Encrypting Sensitive Data:

0XPassword encrypts your stored information, such as bank and password data, using the AES-GCM-256 algorithm; the encrypted data is stored in the local SQLite database.

The key used for AES-GCM-256 encryption is the derived SecretKey.

Even if an attacker obtains the local SQLite database or the cached SK1, they cannot read your sensitive data, as the decryption key (SecretKey) is derived in memory in real-time.

In conclusion, 0XPassword is highly secure. Remember, "Nobody but you can view your data, nobody at all!"