One of our goals (and we hope an expectation our customers have) is to be secure by design. One of the hardest things in security is to expose just the right amount of information by default to be able to do what a product says on the tin. Let's unpack what we mean by that in a specific context.
Secret Chest makes use of what are known as extensions. The way. we automatically fill usernames and passwords and passkeys use Apple's Credential Provider extension. That's core to the product, users have to enable it upon installation, and we always load it. However, we also use other extensions in specific contexts. Users with an Apple watch will notice that we load an Apple Watch extension via what Apple calls WatchKit. Chrome users who use our upcoming Chrome extension will notice that we're doing other operations using a WebKit extension (to be technical about it - that makes the app data available to Chrome since it's not an Apple tool, and we didn't want to expose shard data through a defaults object).
Here's the thing about extensions: we don't want them running unless a user explicitly wants them running. This is similar to how users have to grant access to specific features of Apple devices (known as entitlements). Therefore, we don't load a watch extension or the web server unless a user specifically opens the settings and clicks the button to do so. This means a little extra friction for people who use those features, but in our minds - a more secure user experience for everyone, and so worth it.
We actually had a whole meeting with our developers that was consumed with this simple question. It is only a few lines of code, would only be a few to remove if we ever changed our minds, and if people ask, is something we can add a defaults key to manage. That word friction is interesting, though. In the SaaS world it usually comes with a negative context. However, in this case we hope you agree that it's an intentional point of action that we decided would improve the security of our tool.
Disagree? Let us know! We would love to hear all the opinions!!!
Comments