[App][7.0+][Early Access] Truvark - modern file encryption

lukaspieper

Truvark is a modern file encryption app for Android. You might be wondering why I am building another vault app when there are already a lot of options. The difference is that Truvark is built around security by design and privacy by default. To prove that I take that seriously, this is an offline app: it does not have or request Android's Internet permission. Features like cloud synchronization are not compatible with the mentioned paradigms. However, that does not mean that you cannot sync or back up your data through a third-party app (at your own risk). Read more about (unique) features below.

Features

Multiple vaults

You can create multiple vaults on your device. Any empty folder can become a vault. All your data remains on the shared device storage, which means you can access the encrypted files from a file manager, e.g. for backups.

This is a major difference to alternatives. Some apps don't even encrypt your files, they just move them to the app's internal storage. These often speak about "hiding data" instead of encrypting. Others using encryption still prohibit access. You fully rely on their export feature.

Deep folder structures

Truvark is not an encrypted gallery that just lets you group your pictures into albums. It is a file encryption app providing full support for creating folders inside folders. You are not limited in organizing your files.

View encrypted files

The aim is to be able to view common file types in the app. Currently supported are images, videos and audio. The decryption takes place "on the fly", which means the required data is decrypted in memory while needed. This is especially important for long videos that would not fit into memory. The image viewer supports high-res pictures and shows more details when zooming in instead of becoming pixelated.

Here are more differences to alternatives to spot. While I analyzed a wide range of vault apps, from ones with multimillion downloads to open source ones, I found many flaws. Apps decrypting the full file to disk before showing it sacrifice performance and possibly put that file at risk. Others don't encrypt thumbnails, just the original files.

Privacy by default

To make it short, this app has no Internet permission. There are no analytics, ads, telemetry or requirements for an account. However, there is an option for logging that is turned off by default. Logging is required to be able to help any user that has an issue with my app. The user needs to provide these logs; they are not automatically sent (which is technically impossible because of the missing Internet permission).

Security by design

Truvark is using a component (library) for encryption that is built by Google engineers and used in Google Pay. It's called Tink and has the following promise:

"A multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse."

The last part is important. In cryptography it is enough to get a single parameter wrong to make an encryption insecure. Therefore I decided to rely on a popular open source library.

Additionally, Argon2(id) is used for key derivation. It won the Password Hashing Competition back in 2015 and is one of the best (if not the best) algorithms for that task out there.

The cryptographic core of Truvark (the combination of both libraries) is open source and available on GitHub.

The database is a Realm database. Realm can feature encrypted databases and of course that is in use. I have seen a lot of vault apps without an encrypted database during my analysis.

Furthermore, Truvark supports biometric (e.g. fingerprint) authentication for unlocking a single vault. That feature is backed by the Android Keystore and might not be available on devices even though they offer biometric authentication, because a strong authentication is required that not every device supports.

Partly open source, fully in future

As mentioned above, the cryptographic core is already open source and available on GitHub. You can see that this is not my first open source project. Because I'm committed to open source, I plan to publish the full source code sometime in the future. The idea is to do that when the app leaves early access, but all in all I will do that when I think it's ready.

About development

On the one hand I want to let you know that I'm a professional software developer and not coding as a hobby only; on the other hand I have to put a disclaimer here that I'm not a cryptography expert. However, this app was carefully built over time and not in haste. Although this app is in early access, it is not a prototype or minimal valuable product. Every release is going through automated and manual tests. For the manual tests I'm using multiple devices. Nevertheless I'm not afraid to say that bugs can happen. I personally lost data using alternatives in the past, so I am very aware of that issue. Therefore this app stores much information redundantly. For example, in the near future a corrupted or deleted database can be almost fully restored (only some information about the folder structure will be lost but you don't need to organize all files again). The app is already designed to support features like this in future. Furthermore, to back up your encrypted files all you need to do is copy the vault folder.

Upcoming features

  • Move files and folders to different folders
  • Rename folders
  • Rename vault
  • Material3, followed by many UI and UX improvements
  • Performance improvements

Future plans

  • Support more file types (like text and PDF)
  • Fully open source
  • Provide desktop clients (cross platform)

Download

Download from Google Play
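
The "on the fly" decryption described in the post above can be illustrated with segmented authenticated encryption, where any single segment can be verified and decrypted without reading the rest of the file. This is an added example, not part of the original post and not Truvark's or Tink's code; the segment size, nonce layout and all function names are assumptions made for the sketch.

```javascript
// Added illustration; not Truvark or Tink code. Sizes, layout and names are assumed.
const crypto = require('node:crypto');

const SEGMENT = 4096; // plaintext bytes per segment
const TAG = 16;       // AES-GCM authentication tag length

// Per-file key, so the same vault key never meets the same nonce in two files.
function fileKey(vaultKey, salt) {
  return Buffer.from(crypto.hkdfSync('sha256', vaultKey, salt, 'file-key', 32));
}

// 12-byte nonce: 7-byte per-file prefix | 4-byte segment index | 1-byte last-segment flag.
function nonceFor(prefix, index, isLast) {
  const nonce = Buffer.alloc(12);
  prefix.copy(nonce, 0);
  nonce.writeUInt32BE(index, 7);
  nonce[11] = isLast ? 1 : 0;
  return nonce;
}

function encryptFile(vaultKey, plaintext) {
  const salt = crypto.randomBytes(32);
  const prefix = crypto.randomBytes(7);
  const key = fileKey(vaultKey, salt);
  const count = Math.max(1, Math.ceil(plaintext.length / SEGMENT));
  const sealed = [];
  for (let i = 0; i < count; i++) {
    const cipher = crypto.createCipheriv('aes-256-gcm', key, nonceFor(prefix, i, i === count - 1));
    const chunk = plaintext.subarray(i * SEGMENT, (i + 1) * SEGMENT);
    sealed.push(cipher.update(chunk), cipher.final(), cipher.getAuthTag());
  }
  return { salt, prefix, body: Buffer.concat(sealed) };
}

// Decrypts one segment only; the rest of the file is never touched.
// Throws if the segment was modified, moved to another index, or the file was truncated.
function readSegment(vaultKey, file, index) {
  const stride = SEGMENT + TAG;
  const count = Math.max(1, Math.ceil(file.body.length / stride));
  if (index < 0 || index >= count) throw new RangeError('no such segment');
  const sealed = file.body.subarray(index * stride, (index + 1) * stride);
  if (sealed.length < TAG) throw new RangeError('segment too short');
  const nonce = nonceFor(file.prefix, index, index === count - 1);
  const decipher = crypto.createDecipheriv('aes-256-gcm', fileKey(vaultKey, file.salt), nonce);
  decipher.setAuthTag(sealed.subarray(sealed.length - TAG));
  return Buffer.concat([decipher.update(sealed.subarray(0, sealed.length - TAG)), decipher.final()]);
}
```

Because the segment index and the last-segment flag are bound into each nonce, a viewer that seeks into the middle of a long video still detects reordered or truncated data.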
 


lukaspieper

Changelog:

0.3.2:

  • Replace prebuilt Argon2 (used for password derivation) with own build from official source
  • Update various dependencies (including improvements to the in-app file presenter)

0.3.1:
  • Fix a bug during biometric setup
 

7h3DuD3

Thanks for this, I noticed in recents I did not have to relog in to open, Pixel as far as I understand doesn't close recents and clearing them also doesn't actually end the process, posing a security risk. Great app though!
 

lukaspieper

Thanks for this, I noticed in recents I did not have to relog in to open, Pixel as far as I understand doesn't close recents and clearing them also doesn't actually end the process, posing a security risk. Great app though!
Hi,

many thanks for giving Truvark a try and for providing feedback. Indeed there is no mechanism automatically closing a vault or the app itself. Actually I spent a bunch of hours on this feature already and haven't found a solution yet that significantly improves security while keeping encryption/decryption/etc. reliable.

You might have noticed that this app makes heavy use of background scheduling. Other apps show a dialog forcing you to wait while they encrypt one file after another, whereas Truvark runs encryption in parallel in the background and you can still view your already encrypted files. This is one of the reasons why the feature you mentioned is not available yet: closing a vault would cancel background operations that cannot be automatically started again when the vault is opened next time, because of storage permissions.

Truvark is completely built on Android's "new" storage design (that Google enforced in Android 10/11) by using the storage access framework (SAF).

Therefore I cannot guarantee that automatically closing a vault will ever be available; however, likely there will be at least a button to close a vault inside the app or maybe a login screen to prevent access to the UI while still having that vault open in the background. Actually I'm planning bigger changes on how the vaults are opened, with the goal to make it possible to have multiple vaults open at the same time. During that process I will reevaluate if it is easier to implement that feature.
 

lukaspieper

@7h3DuD3 did my post answer your questions or are you looking for different information? Happy to answer any question or feedback.

May I ask you in case you regularly use a vault/encryption app what app you're using? What you like about it and what could be improved in your opinion?

Furthermore, I might be able to give insights about the security and privacy of alternative apps if they were part of my analysis. Hoping to analyze more vault apps soon, possibly on request.
 

7h3DuD3

Actually don't use one ever for more than a few days, however I've been using this for a bit and find it adequate. Perhaps a triggered deletion of the vault, say receive an email or text, but I'm fairly certain tasker could do that or multiple other apps not to mention the security risk of having something like that poses a security risk in itself. But overall I'd say it's better than what I've used in the past and files I carry on my personal thumbdrive are vaulted which feels better knowing should I lose it my personal information won't just be in a .hiddenpasswords.txt file lol that's been the main thing is bs where they hide the file like no one's gonna see that or rename the extension with no encryption. I haven't tried a brute force, might be kinda fun to do. Suggestion, Better variety of file types *
 

lukaspieper

I haven't tried a brute force, might be kinda fun to do.
Starting with your last sentence, I wish you good luck with that. Of course it depends on your password. Assuming you picked a good password (Truvark requires 8 characters at the moment) brute force is by far the worst attack you could try. For hashing, Argon2id is used with a configuration above the minimal recommendations by OWASP, and for encryption Google's Tink library is used that "has been deployed in hundreds of products and systems" (quote from their readme file) including Google Pay.

I think you should try attacking the implementation instead of globally used algorithms.
Actually don't use one ever for more than a few days, however I've been using this for a bit and find it adequate. Perhaps a triggered deletion of the vault, say receive an email or text, but I'm fairly certain tasker could do that or multiple other apps not to mention the security risk of having something like that poses a security risk in itself. But overall I'd say it's better than what I've used in the past and files I carry on my personal thumbdrive are vaulted which feels better knowing should I lose it my personal information won't just be in a .hiddenpasswords.txt file lol that's been the main thing is bs where they hide the file like no one's gonna see that or rename the extension with no encryption. I haven't tried a brute force, might be kinda fun to do. Suggestion, Better variety of file types *
Thanks that you overall seem to like my app. I don't plan to implement a remote deletion because I believe that strong cryptography does not need that. If you really want to build that yourself, in a first step you could just delete the file with the name "vault". It contains a so-called salt and the encrypted database key; without the file the attack surface is reduced (and you lose access to your files even with the correct password btw).

Because you mentioned a thumb drive, that is one of the benefits of the new storage APIs. Truvark fully supports sdcards and external USB devices without workarounds or the need to move data manually from time to time. I have seen lots of vault apps with bad sdcard support.

What file support are you looking for? I plan GIFs, basic text files and PDFs next.
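
The layout described in the reply above (a "vault" file holding a salt and the encrypted database key) as an added sketch, not part of the original post and not Truvark's code. Assumptions: scrypt from Node's standard library stands in for Argon2id, AES-256-GCM does the key wrap, and the parameters, field names and function names are constructed for the example.

```javascript
// Added illustration; not Truvark code. scrypt stands in for Argon2id here.
const crypto = require('node:crypto');

// Constructed parameters, kept small so the sketch runs quickly.
const KDF = { N: 1 << 14, r: 8, p: 1 };

// Password + salt -> key-encryption key. Every password guess costs one full run.
function deriveKek(password, salt) {
  return crypto.scryptSync(password, salt, 32, KDF);
}

// Builds the header contents: salt plus the random database key wrapped under the KEK.
function createVaultHeader(password) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const dbKey = crypto.randomBytes(32);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKek(password, salt), nonce);
  cipher.setAAD(salt); // bind the wrapped key to this salt
  const wrapped = Buffer.concat([cipher.update(dbKey), cipher.final(), cipher.getAuthTag()]);
  return { header: { salt, nonce, wrapped }, dbKey };
}

// Returns the database key, or null when the password is wrong or the header was altered.
function openVault(password, header) {
  if (!header) throw new Error('vault header missing: the database key cannot be recovered');
  const kek = deriveKek(password, header.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', kek, header.nonce);
  decipher.setAAD(header.salt);
  decipher.setAuthTag(header.wrapped.subarray(32));
  try {
    return Buffer.concat([decipher.update(header.wrapped.subarray(0, 32)), decipher.final()]);
  } catch {
    return null; // authentication tag did not verify
  }
}
```

The database key is random and exists only in wrapped form, so once the header is gone the correct password alone derives nothing useful, which is the effect the reply describes.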
 

lukaspieper

0.3.2:
  • Replace prebuilt Argon2 (used for password derivation) with own build from official source
  • Update various dependencies (including improvements to the in-app file presenter)

Development is currently a little slow or let's say less visible to users because of many under the hood changes. Furthermore, I'm waiting for improvements/new features in some dependencies. Next will be various improvements to the database. After that I plan to work on Material3 design.
 
