MyGlimpse Source

[ under the hood ] technical stuff

Don't take our word for anything on the other pages.

This page is for people who scroll past the marketing and open the repo. Below is every load-bearing detail: what encrypts what, where the keys live, how sharing stays unreadable to us, and the source to verify it all. If you find a hole, open an issue. I'd rather hear it from you than from someone quieter.

a padlock icon is not a security model.

[ 01 ] cryptography

Nothing to hide, so nothing is hidden.

Cryptography is half of the job; the reveal gesture on the home page is the other half. Most people will never read a line of this, and that is fine. What matters is that you can, or that someone you trust can, because all of it is out in the open. Here it is, in plain terms.

MyGlimpse · encryption at rest and in transit

Secret values
XChaCha20-Poly1305, applied per field, with the record id bound in as associated data.
Database file
SQLCipher (AES-256). Titles and categories are encrypted too, not only the values.
Backup files
Key derived from your passphrase with Argon2id (64 MiB, t=3). The whole payload is authenticated.
Key storage
Android Keystore / StrongBox, iOS Keychain / Secure Enclave. Never written to disk in the clear.
Key release
Your fingerprint, face, or device passcode. The same lock as your phone.
Sync
None. There is no server holding a copy of your vault.
Telemetry
None. No analytics SDK is linked into the build.

Verify it: crypto_service.dart

[ 02 ] the relay

Sharing goes through a server that cannot read it.

A shared glimpse is encrypted on the phone; only ciphertext reaches the relay, and the key travels in the link's #fragment, which browsers never send to any server. One view burns it, 24 hours expires it. The relay is a small Go server under MIT: run your own with docker compose up and point the app at it in Settings, where it is adopted only after an ack handshake proves it speaks the protocol.

[ 03 ] the source

Read it, or build it yourself.

A closed-source security app asks you to trust a screenshot of a padlock. This one ships its sources under MIT. Clone the repo, read the files that matter, and produce your own signed APK with flutter build apk. The relay is public too, client and server both.