Our personal finance software: a note about security

You’ve probably read articles in the media about phishing scams, malware, hacking and other bad things which can happen when using PC or mobile software. So we wanted to take a moment to talk about the security of our personal finance software Jabp4 for PC/Mac/Linux and JabpLite4 for Android.

The first thing to say is that both our applications were designed to work completely offline. Neither app connects directly to the internet and so neither is able to download or to upload any of your data. There are now many other personal finance programs which do connect to third-party websites, either their own servers or those of various financial institutions. While this is for legitimate reasons (e.g. synchronising your data across multiple devices or importing data from your bank), it does require that you trust those applications 100 percent. You trust not only that they aren’t misusing your data but also that the sensitive information that they store on your behalf is properly protected. We’ve all read about various high-profile and serious data leaks, so this is not a trivial concern. As we said, with our apps all your data stays on your device and doesn’t get shared with any third party.

There is one small qualification to the preceding statements. We do offer the ability to back up and transfer data between Jabp4 and JabpLite4 via Dropbox. This is completely optional and is disabled by default. Why did we decide to use Dropbox, rather than building our own sync/transfer functions? Two reasons. Firstly, Dropbox is rather good at synchronisation – it is their core business. Secondly, you’d probably be happier with your data sitting on Dropbox’s servers than on Freepoc’s servers! Again, no backups to Dropbox happen unless you explicitly turn on this feature in the Preferences settings. If you do turn on this feature, all uploads and downloads are done using the Dropbox app itself, completely separate from either Jabp4 or JabpLite4.

Now a few words about how your data are protected on your devices. We recommend that you set a password when using both Jabp4 and JabpLite4. If you do set a password, then your data are encrypted when using Jabp4 on a PC, Mac or Linux. The data are not accessible without the password, so don’t forget it! Even if you sent your data files to Freepoc, we would have no way to access or retrieve your data. On Android, your data are held in a secure sandbox that’s not accessible except via the JabpLite4 app with a password. So again, don’t forget the password! A recently added feature on our Android app also allows fingerprint authentication to be used.

When using the Backup Data option in either app, the backup data are stored password-protected but not encrypted. For additional security, you can turn on encryption in the Preferences settings. Once again, if your backup file is encrypted and you forget your password, not even Freepoc developers can restore your data.

In summary: 

  1. Jabp4 and JabpLite4 have no ability to connect to the internet.
  2. If you trust Dropbox, Jabp4 and JabpLite4 can use the Dropbox app for synchronisation and backup. This is turned off by default.
  3. Jabp4 and JabpLite4 data files are securely protected on your devices, provided you set a password.
  4. For additional security, you can also encrypt backup files in both apps using the Preferences settings.

(Note: we will be adding this text to the distribution zips for both applications)