Our personal finance software: a note about security
====================================================

You've probably read articles in the media about phishing scams, malware, hacking and other bad things which can happen when using PC or mobile software. So we wanted to take a moment to talk about the security of our personal finance software Jabp4 for PC/Mac/Linux and JabpLite4 for Android.

The first thing to say is that both our applications can be used completely offline. Jabp4 and JabpLite4 do not need or request any personal information from you. Both applications can optionally connect to the internet for the purpose of downloading stock prices and foreign currency rates, but this is done anonymously (no login needed). There are now many other personal finance programs which do connect to third-party websites, either their own servers or various financial institutions. While this is for legitimate reasons (e.g. synchronising your data across multiple devices or importing data from your bank), it does require that you trust those applications 100 percent. You trust not only that they aren't misusing your data but also that the sensitive information that they store on your behalf is properly protected. We've all read about various high-profile and serious data leaks, so this is not a trivial concern. As we said, with our apps all your data stays on your device and doesn't get shared with any third party.

There is one small qualification to the preceding statements. We do offer the ability to back up and transfer data between Jabp4 and JabpLite4 via Dropbox. This is completely optional and is disabled by default. Why did we decide to use Dropbox, rather than building our own sync/transfer functions? Two reasons. Firstly, Dropbox is rather good at synchronisation - it is their core business. Secondly, you'd probably be happier with your data sitting on Dropbox's servers than on Freepoc's servers! Again, no backups to Dropbox happen unless you explicitly turn on this feature in the Preferences settings. If you do turn on this feature, all uploads and downloads are done using the official Dropbox API.

Now a few words about how your data are protected on your devices. We recommend that you set a password when using both Jabp4 and JabpLite4. If you do set a password, then your data are encrypted when using Jabp4 on a PC, Mac or Linux. The data are not accessible without the password, so don't forget it! Even if you sent your data files to Freepoc, we would have no way to access or retrieve your data. On Android, your data are held in a secure sandbox that's not accessible except via the JabpLite4 app with a password. So again, don't forget the password! A recently-added feature on our Android app also allows fingerprint authentication to be used.

When using the Backup Data option in either app, the backup data are stored password-protected but not encrypted. For additional security, you can turn on encryption in the Preferences settings. Once again, if your backup file is encrypted and you forget your password, not even Freepoc developers can restore your data. Note that if you have encryption enabled then your backup files will also be encrypted before being uploaded to Dropbox (if you are using the Copy to Dropbox preference).

In summary:

1. Jabp4 and JabpLite4 do not connect to the internet by default, except optionally to download stock prices and fx rates.
2. If you trust Dropbox, Jabp4 and JabpLite4 can use Dropbox for synchronisation and backup. This is turned off unless specifically enabled by the user in both applications.
3. Jabp4 and JabpLite4 data files are securely protected on your devices, provided you set a password.
4. For additional security, you can also encrypt backup files in both apps using the Preferences settings.


Malcolm Bryant & Freepoc
malcolm@freepoc.org
Last updated: 23 November 2022