Loginbox, a new solution aiming to save you from typing in your username and password for various websites when accessed from your smartphone’s small screen, is taking a different approach than most. Though competing with other form fillers and password managers like LastPass or Dashlane, the new mobile app instead has you record your actions, including entering in your information, tapping buttons, checking boxes, or answering security questions. This allows LoginBox to work on larger number of websites than most password managers today.
Sounds handy, right?…But wait, is it safe? Well, we’ll get to that in a minute. First, a bit about the company and product.
LoginBox is a startup founded by two indie developers, Gil Meroz, based in Israel, and Ruby Boyarski, who works in Sydney, Australia. The two have spent nearly 20 years building enterprise and mobile applications, including over 10 years on enterprise platforms and banking software. Over the past few years, they decided to switch to working on consumer products instead, and founded Mygo Software to do so.
The company has released a couple of other applications to date, like mobile usage tracker MyPhoneUsage, whose U.K. version was recently acquired by BetterBill LTD. Another app focuses on helping users save money by offering info about your credit cards.
Explains Meroz, the idea for LoginBox came about because of a real need the co-founders both saw. “We, and other people we know, constantly check protected websites for all sorts of information – getting the latest stats on application sales, checking Google Analytics for website usage, checking if my paycheck has landed, creating a lunch order for our children at school, etc.,” he says. But they didn’t think there was an easy solution for mobile devices.
The concept for LoginBox began almost two years ago, with an idea to make an app that was so simple, it was as close as possible to actually logging into the website yourself. The two wanted something that would be a step up from a form filler, and would support more complex workflows, too, so it could manage older websites, those that have unique login flows, or ones that even present random security questions. Competitors, like 1Password, Dashlane, and Lastpass, says Meroz, don’t really work for sites that deviate from the standard login process. (Earlier testing for LoginBox was done under the brand “TapIN.”)
LoginBox is quite different, and as easy to use as advertised. When you launch the app and enter in the URL in the provided mini-browser, you’ll notice a red “record” button at the top right. After the website appears, you just hit “record” to have the app document your keystrokes and save your current login workflow. You then tap the button again stop recording when you’re done.
The password data is saved on your device itself, using hardware-accelerated AES encryption. There’s also a PIN-protected auto-lock to keep others from being able to launch the app if they gain physical access to your device. And, adds Meroz, the data is not sent to the company’s servers, so hackers can’t access it.
How Safe Is It?
Of course, in a world where 70 million people can have their most personal data compromised just by doing a little shopping at Target, it’s worth getting a second opinion on an app that’s recording highly secure data like this.
According to Alex Watson, director of security research at Websense, LoginBox is fundamentally not that different from others that store passwords, credit cards, and address info in the browser for auto-complete. However, he points to the built-in iCloud sync as a potential risk factor.
Another security researcher, Per Thorsheim, who runs the regular PasswordsCon events, thought it was suspect that startup’s website offered no privacy or cookie policy on its homepage, nor explanations of how the data is secured. He also pointed out that earlier security research has shown that many different password managers built for iOS devices don’t offer “reasonable” security or encryption, which makes him suspect of the whole genre of utilities like this, it seems.
From a real-world perspective, it’s true that something like LoginBox is less secure than just remembering your password and typing it in when asked, but it’s still more secure than methods a bunch of normal people use. You know, like writing them down in insecure apps, like Apple’s Notes app, for instance. Depending on your own comfort level with security risks like this, deciding to use a password manager – and a new one, at that – is really something you’ll have to come to terms with for yourself.
LoginBox offers paid tiers to its service if you want more than the three free websites provided. A pro app for $6.99 is also available for unlimited logins and sync.