Onions

Secure Text Storage in the Cloud

Keep your text-based information cryptographically secure. Then read the code to make sure that's true.

Security begins before you ever Sign In.

When you sign up or log in, your credentials are never sent to the server in plaintext. Before anything leaves the device, the app runs 15,000 iterated rounds of SHA-256 over your username, and the same 15,000 rounds over your password after your username has been appended to it as a salt. The salt does not add entropy to a weak password; its job is to make the transmitted password digest unique per user, so two people who chose the same password never send the same value, and a table of digests precomputed for one username is useless against any other.



username: "Hello"
password: "World"

becomes this

username: "Hello"
password: "WorldHello"

which becomes this

username:
"VyijIO3XTijhwjrpuyDNpHJNpBOBKxwb180lYWbo2YY=w"

password:
"K/SWeWOeER/zGgOYH8RXvBuVBzRo+0S3vK6veR/L4ko="

before the server ever gets a chance to see it.
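Here is the sign-in derivation described above, written out in Python as an added example; it is not code from the Onions app or from Parse. It assumes that each of the 15,000 rounds feeds the raw 32-byte digest of the previous round back into SHA-256, and that "salted with your username" means the username is appended to the password ("World" + "Hello" gives "WorldHello", as shown above). The page does not say how the rounds chain or how bytes are encoded between them, so the strings this prints will match the ones above only if the app happens to use exactly this construction. The pbkdf2_equivalent function is a comparison point of my own: it is the standardised way to get the same effect, and the page does not claim the app uses it for login.

```python
import base64
import hashlib
from typing import Iterable

ROUNDS = 15_000  # the page states 15,000 rounds of SHA-256


def iterated_sha256(data: bytes, rounds: int = ROUNDS) -> bytes:
    """Hash `data` with SHA-256 `rounds` times, feeding each raw digest into
    the next round.  Chaining over the raw digest bytes is an assumption;
    the page only says "recursive SHA-256 ... 15,000 rounds"."""
    digest = data
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


def derive_login(username: str, password: str, rounds: int = ROUNDS) -> dict:
    """Return what the client sends instead of the plaintext pair.

    The password is salted by appending the username ("World" + "Hello"
    becomes "WorldHello"); both values are then stretched with `rounds`
    iterations of SHA-256 and base64-encoded, which is why each output is
    a 44-character string (32 bytes -> 44 base64 characters).
    """
    salted_password = (password + username).encode("utf-8")
    return {
        "username": base64.b64encode(
            iterated_sha256(username.encode("utf-8"), rounds)).decode("ascii"),
        "password": base64.b64encode(
            iterated_sha256(salted_password, rounds)).decode("ascii"),
    }


def salt_effect(password: str, users: Iterable[str]) -> set:
    """What the username salt actually buys: one password yields a different
    transmitted digest for every username, so a digest table built for one
    user says nothing about another."""
    return {derive_login(u, password)["password"] for u in users}


def pbkdf2_equivalent(username: str, password: str, rounds: int = ROUNDS) -> str:
    """Comparison only (not what the page says the app does): PBKDF2-HMAC-SHA256
    with the username as salt and the same round count is the standardised way
    to stretch a password with a per-user salt."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              username.encode("utf-8"), rounds, 32)
    return base64.b64encode(key).decode("ascii")


if __name__ == "__main__":
    creds = derive_login("Hello", "World")
    print("username:", creds["username"])
    print("password:", creds["password"])
    # Three users sharing one password transmit three different digests.
    print(len(salt_effect("World", ["Hello", "Alice", "Bob"])), "distinct digests for one password")
```

Run it as a script to see the two 44-character base64 digests for "Hello"/"World". Note what the digest is not: it is the credential the server will see, so it needs TLS in transit and bcrypt at rest exactly as a plaintext password would; client-side hashing keeps the original password off the server, nothing more.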

Let's talk about the Server.

There is nothing special about the server. Onions uses the Parse SDK as its backend, which removes many moving parts from the equation: Parse has good uptime, TLS (SSL) on every connection, and a dedicated team keeping the stored data managed safely and securely. Parse also has user and authentication management built in. So when the app sends the already hashed username and password to the server, Parse hashes the password again with bcrypt, the standard password-hashing function, and authenticates against that. Two consequences are worth spelling out. From the server's point of view the hashed pair simply is the credential, so anyone who could capture it on the wire could replay it; that is what the TLS connection is for. And because Parse runs bcrypt over the value rather than storing it as received, a copy of Parse's user table still has to be brute-forced through bcrypt, and through the 15,000 SHA-256 rounds in front of it, one password guess at a time.

Beyond that, the server is just a receiver and a sender: it stores what the app uploads and returns it on request. It never manipulates the data.

That's great. But what about my data?

This is really the most important part, right? Onions encrypts every item on the device, using a well-established authenticated-encryption construction, before it is sent across the wire to the server. Data is encrypted with AES-256 in CBC mode and authenticated with HMAC-SHA256 in an Encrypt-then-MAC arrangement, so a tampered or corrupted blob is rejected before any decryption is attempted. Both are handled by the open-source RNCryptor library, which is freely available and publicly reviewable on GitHub. RNCryptor derives the encryption and HMAC keys from your password with PBKDF2, the industry-standard key-stretching function, and uses fresh random salts and a fresh IV for every item. The flip side of client-side encryption is that the ciphertext is only as strong as the password behind it: anyone who obtains a stored blob can run PBKDF2 against it offline at their leisure, so a long passphrase matters.



Title: "Test Title"
Info: "Test Info"

becomes this

Title:
"AgFN8fBcFW4GucQ/GcTBMAAnawau9mYoC+NIqI4NlpJ3jMCsXxH59hKP5/eidXI/9EvuEaGYKXfEZDf1TWdX8L8ETU0Jh55BWGU556vSQgM3AA=="

Info:
"AgF7V0dyTYPO647HhhrW83OdmfwN71GkuHgb+sf/yb1vyDVSIAU1bmWTJpgb8Ohb0HvEysqgopLqVzqxOGbiM2areYxVW9SuLpEoUqF5498c0Q=="

before the server ever gets a chance to see it.
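Two things a practitioner would want to check about the paragraph above can be done on the ciphertexts the page prints, without the password. This added Python example (mine, not RNCryptor's code and not the app's) parses the RNCryptor data format, whose layout comes from the library's format spec rather than from this page: a version byte, an options byte, two 8-byte PBKDF2 salts when password mode is set, a 16-byte IV, the AES-CBC ciphertext, and a trailing 32-byte HMAC-SHA256 that covers everything before it (format versions 2 and 3 share this layout; they differ in how password bytes are handled during key derivation). Decoding the two samples shows that the "AgF" prefix is format version 2 in password mode, that each blob carries a different salt and IV, and that each holds exactly one 16-byte block, which is what a short string padded with PKCS#7 produces. The tag check then demonstrates the Encrypt-then-MAC property on a constructed envelope: the build_demo_blob, flip_byte and tag_is_valid names are mine, the demo blob contains stand-in bytes rather than real AES output because no AES library is used here, and the PBKDF2 parameters (HMAC-SHA1, 10,000 iterations, 32-byte keys) are the spec's values, not something stated on the page.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# The two ciphertexts shown on the page, re-joined across the display's
# line breaks (no other changes).
SAMPLE_TITLE = ("AgFN8fBcFW4GucQ/GcTBMAAnawau9mYoC+NIqI4NlpJ3jMCsXxH59hKP5/eidXI/"
                "9EvuEaGYKXfEZDf1TWdX8L8ETU0Jh55BWGU556vSQgM3AA==")
SAMPLE_INFO = ("AgF7V0dyTYPO647HhhrW83OdmfwN71GkuHgb+sf/yb1vyDVSIAU1bmWTJpgb8Oh"
               "b0HvEysqgopLqVzqxOGbiM2areYxVW9SuLpEoUqF5498c0Q==")

# RNCryptor data format (versions 2 and 3 lay the bytes out identically):
#   version(1) | options(1) | [encSalt(8) | hmacSalt(8)] | IV(16) | AES-256-CBC ciphertext | HMAC-SHA256(32)
# The salts are present only in password mode (options bit 0); the keys are then
# PBKDF2-HMAC-SHA1(password, salt, 10000 rounds, 32 bytes).  The tag covers every
# byte before it, so it authenticates the header and IV, not just the ciphertext.
AES_BLOCK, SALT_LEN, HMAC_LEN, KEY_LEN = 16, 8, 32, 32
PBKDF2_ROUNDS = 10_000
OPTION_PASSWORD = 0x01


@dataclass
class Envelope:
    version: int
    options: int
    encryption_salt: Optional[bytes]
    hmac_salt: Optional[bytes]
    iv: bytes
    ciphertext: bytes
    tag: bytes


def parse_envelope(blob_b64: str) -> Envelope:
    """Split a base64 RNCryptor blob into its fields, rejecting malformed
    input before anything cryptographic happens."""
    blob = base64.b64decode(blob_b64, validate=True)
    if len(blob) < 2:
        raise ValueError("no version/options header")
    version, options, pos = blob[0], blob[1], 2
    if version not in (2, 3):
        raise ValueError(f"unsupported RNCryptor format version {version}")
    enc_salt = hmac_salt = None
    if options & OPTION_PASSWORD:
        enc_salt = blob[pos:pos + SALT_LEN]
        hmac_salt = blob[pos + SALT_LEN:pos + 2 * SALT_LEN]
        pos += 2 * SALT_LEN
    iv, pos = blob[pos:pos + AES_BLOCK], pos + AES_BLOCK
    if len(blob) < pos + AES_BLOCK + HMAC_LEN:
        raise ValueError("truncated: need at least one AES block plus the HMAC")
    ciphertext, tag = blob[pos:-HMAC_LEN], blob[-HMAC_LEN:]
    if len(ciphertext) % AES_BLOCK:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return Envelope(version, options, enc_salt, hmac_salt, iv, ciphertext, tag)


def hmac_key(password: str, hmac_salt: bytes) -> bytes:
    """Derive the HMAC key the way the format spec does (PBKDF2-HMAC-SHA1)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), hmac_salt, PBKDF2_ROUNDS, KEY_LEN)


def tag_is_valid(blob_b64: str, password: str) -> bool:
    """Encrypt-then-MAC check: recompute the tag over everything before it and
    compare in constant time.  Only after this passes should a client derive
    the AES key and decrypt; a forged or corrupted blob is rejected here."""
    blob = base64.b64decode(blob_b64, validate=True)
    env = parse_envelope(blob_b64)
    if env.hmac_salt is None:
        raise ValueError("key-mode blob: no salt to derive the HMAC key from")
    expected = hmac.new(hmac_key(password, env.hmac_salt), blob[:-HMAC_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(expected, env.tag)


def build_demo_blob(password: str, fake_ciphertext: bytes) -> str:
    """Constructed v3 envelope for exercising the tag check offline: a real
    header, random salts and IV, and a genuine tag, but `fake_ciphertext` is
    stand-in bytes (no AES here), so the result authenticates but cannot decrypt."""
    enc_salt, h_salt, iv = os.urandom(SALT_LEN), os.urandom(SALT_LEN), os.urandom(AES_BLOCK)
    body = bytes([3, OPTION_PASSWORD]) + enc_salt + h_salt + iv + fake_ciphertext
    tag = hmac.new(hmac_key(password, h_salt), body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode("ascii")


def flip_byte(blob_b64: str, offset: int) -> str:
    """Return the blob with one bit flipped at `offset` (tampering or bit-rot)."""
    blob = bytearray(base64.b64decode(blob_b64))
    blob[offset] ^= 0x01
    return base64.b64encode(bytes(blob)).decode("ascii")


if __name__ == "__main__":
    for name, blob in (("Title", SAMPLE_TITLE), ("Info", SAMPLE_INFO)):
        env = parse_envelope(blob)
        print(f"{name}: format v{env.version}, password mode={bool(env.options & OPTION_PASSWORD)}, "
              f"iv={env.iv.hex()}, {len(env.ciphertext)} ciphertext bytes, {len(env.tag)}-byte tag")
    pw = "correct horse battery staple"
    demo = build_demo_blob(pw, b"\x00" * 2 * AES_BLOCK)
    print("demo tag valid:", tag_is_valid(demo, pw))
    print("after flipping a bit in the IV:", tag_is_valid(flip_byte(demo, 20), pw))
```

Run it as a script to see the decoded headers of the two samples; the demo then shows that one flipped bit in the IV or ciphertext, or the wrong password, fails the tag check. That is the point of Encrypt-then-MAC: nothing is decrypted, and no padding or decryption error is ever produced, unless the tag verifies first.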

Read the code, and contribute.

The entire iOS project is open-sourced on GitHub for you to read and contribute to its success. Don't be afraid to open a pull request if you see things that should change or might be better a different way.

Don't take my word on the security. Read the code; believe with your eyes.