Third party software libraries used in STRIP


#1

I just saw in the Strip Win 2.5.2 thread an error that would suggest that STRIP might be using Adobe Flash.
Earlier, I got an installation error which suggested that STRIP requires .NET 4.

Looked at “Credit and Copyrights for Third Party Software in STRIP” FAQ but did not find those in the list.

Could we users get a list of all 3rd party software/tools that are being used in STRIP?
Similarly to reading the ingredients label on food, I find it critical to know what’s being used in my password manager.


#2

Hi @nick, STRIP doesn’t use Flash! Definitely not! But web content from Dropbox certainly could.

The FAQ item you mentioned could probably use some updates, but its purpose is just to satisfy any copyright statement requirements, which we don’t have to do when using Dropbox and Google Drive code. Off the top of my head I can’t think of anything else pertinent to mention. Sparkle is used on the direct build of STRIP for OS X to bring security updates. Advanced Installer is used on Windows. STRIP for Windows and STRIP for Android make use of OpenSSL (STRIP for iOS and OS X use CommonCrypto instead). Oh, and the Windows version of STRIP requires that you have Bonjour installed for sync over WiFi to work correctly (this is made clear during the installation process).

If I think of anything else I’ll make a note of it here!


#3

I hope you understand the reason this question is being asked.

STRIP is used to handle some extremely sensitive and private data. Data that others would genuinely want to get a hold of.

We, your users, are trusting that your programmers are not wanting to steal our passwords and identity data. However, we don’t know for certain that the programmers behind your third-party components and libraries are following the same ethical standards.

It is actually possible that a third party, knowing that you use their code, may concoct an elaborate scheme to use their code to somehow exfiltrate our data into their clutches. You would do well to give some serious thought to this problem. It might even give you some good press if you were to post a statement about how you have considered and perhaps installed countermeasures for this type of problem.

I hope that you see how important this issue can be.


#4

@ZipFoxtaur Definitely, I hope I don’t sound flippant about the matter. I think we’ve got a complete enumeration of third-party software used in STRIP here. SQLCipher is developed by us (and it uses CommonCrypto and OpenSSL, which we stay on top of in terms of updates and vulnerabilities), the Dropbox and Google Drive frameworks that we use are well-vetted and maintained, same for Sparkle, Advanced Updater, and Bonjour. We pay close attention to the maintenance and stability of these libraries.

The technological capabilities provided by these software libraries are significant and allow us to spend time making sure our own code is stable and secure. There’s no need for us to make our own Google Drive frameworks for four native platforms, for example, when the people who know the service best would prefer we use what they provide.

Another I forgot to mention: InAppSettingsKit. We’ll take a look at all four of the STRIP native apps and post about any others in use (outside of core system libraries we link against like .NET’s Entity Framework or Cocoa’s Security framework.)


#5

I like STRIP because it does nothing more and nothing less than what is a core functionality for a password manager. That being said, I like that you didn’t build your own cloud for syncing the passwords and give us the control to do it using what we trust. Some may find Dropbox good enough, others may not even consider Google Drive. These are good dependencies since we users can make the choice.

Now, going back to the original topic:

  • Seems like an IE control is being used to display Release notes on Windows? May I suggest opening the URL in the OS’s default browser.
  • Additionally, there are some mentions of CsvReader and System.Data.SQLite in the About box.
    … anything else?

#6

Hi all, checked with @developernotes, we’ve got a few more to list: