Security
The App Lockr is built on one idea: your passwords should never leave your device, and you shouldn't have to take our word for it. Here's exactly how that works.
1. No network permission — the claim you can verify
Android apps must declare the permissions they use. The App Lockr does not declare the INTERNET permission at all. That's not a promise in a policy document — it's a fact anyone can check, and it means the app is technically incapable of sending your passwords anywhere. Our build even fails automatically if that permission ever slips back in through a dependency.
2. Your master password
When you unlock the vault, your master password is run through Argon2id — a deliberately slow, memory-hard function designed to resist brute-force guessing. The result is a key that unwraps your vault. Your master password itself is used briefly in the device's native memory and then wiped. It is never written to disk and never transmitted.
3. The vault
Your entries live in a single file encrypted with AES-256-GCM, the same authenticated encryption standard used across the industry. Each entry's secret is sealed on its own and decrypted only at the moment you view or fill it — the list of site names you see is kept separate from the passwords themselves.
4. Fingerprint unlock, bound to your hardware
Unlocking with your fingerprint isn't a shortcut around the encryption — it's tied to it. The key that makes biometric unlock possible is stored in the Android Keystore, and the operating system refuses to release it without a fresh biometric or device-credential check. On phones with a secure element, it's held there.
5. On-screen protection
Vault screens are marked secure, so they don't show up in screenshots or the app-switcher thumbnail. The app locks itself the instant it leaves the foreground, and after a timeout you set. Passwords copied to the clipboard are cleared automatically.
6. Phishing-resistant autofill
When The App Lockr offers to fill a login, it matches on the real website domain — exactly, never loosely. A look-alike address such as paypal.com.evil.io will never surface your PayPal entry. This is a deliberate safety feature, not a convenience trade-off.
7. Backups, without a cloud
You can export your entire vault as a single file. That file is already encrypted — unreadable without your master password — so it's safe to keep on your own storage or move to a new phone. There is no cloud service in the middle, because there is no cloud service at all.
The honest trade-off
Because nothing leaves your device and there is no account, no one can recover your vault if you lose both your master password and your device — not even us. That is the direct consequence of real privacy, and we'd rather say it plainly than pretend otherwise. Keep your master password safe, and keep a backup.