by Cynddl 2566 days ago
Thanks for the detailed post! I'm usually wary of using closed-source programs for sensitive tasks such as connecting to all my remote servers with SSH.

I haven't found any details on the libraries you use, especially for cryptography, nor the steps you have taken to secure your software. Where can we find more info?


Totally understand. As Termius turned from a pet project to our main focus we made security transparency our immediate objective. We are working on the detailed documentation on cryptography, SOC2, and periodic security tests done by 3rd party security professionals.

However, we have addressed the most sensitive part of the product -- the approach we use to store and sync hosts, passwords and keys: https://docs.termius.com/termius-handbook/synchronization#ho.... Syncing of keys/passwords can be turned off when your policy does not allow it to be stored elsewhere. We also support 2FA and Yubikey for authentication.

Thanks for this, not the OP but security is also my #1 concern with this type of product. I'm probably not in the target market anyways so maybe you don't need to listen to me but I love it when companies release info on the way they keep my data safe.

One example: before I sign up for a critical vendor, I like to ensure I can set up secure 2FA with no SMS recovery (because SMS recovery is broken by design).

A security whitepaper of sorts will probably go a long way on this type of product.