Privacy Policy
Last updated: May 2026
The short version: MSafe does not declare the android.permission.INTERNET permission, which means the app physically cannot make a network connection. There are no servers to breach, no accounts, no analytics, and no tracking SDKs. Your vault never leaves your phone unless you explicitly export it.
Data Collection
MSafe collects no data. Specifically, there is:
- No personal information collection
- No analytics, telemetry, or usage tracking
- No crash reports or diagnostics sent to the developer
- No advertising identifiers or ad SDKs
- No cookies, fingerprinting, or any other tracking mechanism
- No account creation, email collection, or phone verification
Network Access
MSafe does not declare the android.permission.INTERNET permission in its manifest. As a result, the operating system will refuse to let the app make any network connection - the app is not able to phone home, sync to a cloud, fetch updates, or contact any server. There are no codfishworks servers because there is nothing to connect to.
How Your Vault Is Stored
Your credentials are stored on your device in a Room (SQLite) database. Every credential is encrypted before it is written to disk:
- AES-256-GCM for authenticated encryption of every credential
- PBKDF2-SHA256 with 600,000 iterations derives the encryption key from your master password
- 16-byte random salt generated on first launch and stored in the database
- Fresh random 12-byte IV per credential, so identical passwords encrypt to different blobs
- The plaintext master password is not stored on disk - only its PBKDF2 hash, used to verify your unlock attempt
If anyone gets a copy of your phone's storage without your master password, the vault contents are unreadable.
Authentication and Wipe
MSafe authenticates you with your master password. After ten consecutive incorrect attempts, the entire vault is wiped from the device. There is no recovery email, no "forgot password" link, no back door. This is a deliberate trade-off: the strongest guarantee that nobody else gets in is the same guarantee that you are responsible for remembering your master password.
Optional biometric (fingerprint) unlock is backed by an RSA-2048 key pair in the Android Keystore that requires user authentication on every use. Your master password is never written to disk by the biometric path - it is held in memory only while the app is unlocked.
Backups and Exports
MSafe never backs up your vault automatically. You decide when and where a backup lives. The app supports three explicit, user-initiated export formats:
- QR-code PDF - a single credential or your full vault as scannable encrypted QR codes you can print
- NFC tag - write a credential to an NFC tag and tap your phone against it later to import
- Encrypted
.msafefile - the vault as an encrypted file you can move between devices
All export formats are encrypted with the same scheme as the on-disk vault. Anyone who picks up an exported QR or file still needs your master password to decrypt it. Android's standard auto-backup (android:allowBackup) is disabled, so MSafe is excluded from Google's cloud backup.
Permissions
MSafe declares only the permissions it needs to do its job, and each one is scoped to an explicit user action:
- Camera - only when you scan a QR code to import a credential
- NFC - only when you read or write an NFC tag
- Biometric (fingerprint) - only if you turn on biometric unlock; managed entirely by Android
- Autofill service - only if you enable MSafe as your autofill provider in Android system settings
These permissions are managed by Android. You can revoke them at any time in System Settings > Apps > MSafe > Permissions.
Third-Party Services
MSafe does not connect to any third-party services. There are no analytics SDKs, no crash reporters, no advertising libraries, and no tracking libraries embedded in the app. The barcode scanning library used for QR codes runs entirely on-device.
Free vs Pro
The free version (com.codfishworks.msafe) and the pro version (com.codfishworks.msafe.pro) are subject to identical privacy guarantees. The only difference between them is the credential cap. Pro is a one-time Google Play purchase processed by Google; codfishworks does not see your payment information.
Children's Privacy
MSafe does not knowingly collect any data from anyone, including children under 13. Since no data is collected or transmitted, there are no COPPA concerns.
Changes to This Policy
If this privacy policy changes, the updated version will be published on this page with a new "Last updated" date. Since MSafe collects no data and cannot connect to the internet, significant policy changes are unlikely.
Contact
If you have questions about this privacy policy, reach out via email at msafeworks@gmail.com.