Part of BackPack
- About this project
- Feature Overview
- Legal Liability
- Download
- Screenshots
- Supported devices
- Security Aspects
- Contribute
- Donate
- Used Icons
- License
Over time I've used several apps to store my PINs, but unfortunately none of them really convinced me.
So here we are now, this is my own implementation of a secure PIN manager.
If you think this project is worth supporting, feel free to give a small donation ❤️ (Donate).
Join the Community Matrix room to talk with the community about the app or to ask me (the dev) anything:
https://matrix.to/#/#cyb3rko-community:matrix.org
| | PINcredible | Others |
|---|---|---|
| PIN obfuscation | β | β |
| Open Source | β | β |
| Local Encryption | β | β |
| Modern Design | β | β |
| Internet Connection | β | β |
| Ads | β | β |
| Suspicious Permissions | β | β |
The app obfuscates the PIN in a table layout surrounded by secure random numbers.
This brings two security benefits:
- The app cannot know where in the pattern the user-given PIN is located. Attackers cannot extract the plaintext PIN.
- This offers protection against shoulder surfing, for example while accessing your PIN in a supermarket or a bank.
For the input of PIN digits the app uses an in-app keyboard.
This brings the following two security benefits:
- (At least some) protection against keylogging
- (Optional) protection against touch location logging (by shuffling digit keyboard buttons)
In addition to the default color palette, PINcredible offers an accessible color palette (following the IBM Color Blindness Palette).
In no way do I accept liability for lost PINs and the resulting consequences or other consequences of using the app.
I do not guarantee that the app will always work properly and PINs will never be lost.
If you don't agree, please don't use this app.
Google Play release planned
APK releases on F-Droid and GitHub are signed using the same key. They can be verified using apksigner:

```
apksigner verify --print-certs -v example.apk
```

The output should look like:

```
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
```

The certificate content and digests should look like this:

```
DN: OU=PINcredible, O=Cyb3rKo OpenSource, L=GitHub / F-Droid, C=DE
Certificate Digests:
SHA-256: 77:15:66:40:38:23:38:2c:74:27:4e:fb:33:d1:f2:72:5b:9e:4e:67:8b:6b:2f:af:3b:ce:a9:fe:e8:f2:a9:5e
SHA-1: 30:12:e7:60:37:27:fa:83:c5:db:b4:6b:7d:22:d8:79:0b:4d:a7:d1
MD5: 67:bb:02:ca:3c:ba:20:63:f7:a8:1c:0f:88:dd:59:38
```
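Comparing the digest by eye is error-prone, so the check can be scripted. The following is an added example, not part of the PINcredible project: it reads the text printed by the apksigner command above and compares every certificate SHA-256 digest with the value published on this page. It accepts both the colon-separated notation shown here and the plain-hex `Signer #1 certificate SHA-256 digest:` lines; the function names and the sample text are constructed for illustration.

```python
import re

# SHA-256 certificate digest published on this page.
PINNED_SHA256 = ("77:15:66:40:38:23:38:2c:74:27:4e:fb:33:d1:f2:72:"
                 "5b:9e:4e:67:8b:6b:2f:af:3b:ce:a9:fe:e8:f2:a9:5e")

_DIGEST = re.compile(r"SHA-256(?: digest)?:\s*([0-9A-Fa-f:]+)$")


def normalize(fingerprint):
    """Lower-case hex without colons, so both notations compare equal."""
    return fingerprint.replace(":", "").strip().lower()


def check_report(report, pinned=PINNED_SHA256):
    """Return (ok, reason) for text printed by `apksigner verify --print-certs -v`."""
    lines = [line.strip() for line in report.splitlines()]
    if "Verifies" not in lines:
        return False, "apksigner did not print 'Verifies'"
    found = []
    for line in lines:
        if "public key" in line:  # verbose output also lists key digests
            continue
        match = _DIGEST.search(line)
        if match:
            found.append(normalize(match.group(1)))
    if not found:
        return False, "no SHA-256 certificate digest found"
    # Every listed signer certificate must match the pinned one.
    if any(fp != normalize(pinned) for fp in found):
        return False, "certificate digest differs from the pinned value"
    return True, "signature verifies and certificate matches"


# Constructed sample in the notation shown on this page.
SAMPLE = """Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
DN: OU=PINcredible, O=Cyb3rKo OpenSource, L=GitHub / F-Droid, C=DE
Certificate Digests:
SHA-256: """ + PINNED_SHA256 + "\n"

if __name__ == "__main__":
    print(check_report(SAMPLE))
```

In practice, pass the captured standard output of the apksigner command to `check_report` and treat any `False` result as a reason not to install the APK.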
The minimum supported Android version is API level 26, Android 8.0 (Oreo "O").
Additionally, this app takes advantage of the Android KeyStore system. At the moment I'm assuming every Android device with Android 8.0 upwards has this built-in.
If you have any problems, maybe even because your device seems to be incompatible, please leave a message here.
Let's take a look at the technical details.
First, here are the algorithms used:
- AES/GCM/NoPadding (Advanced Encryption Standard in Galois/Counter Mode)
- XXH128 (XXHash3-128) [xxHash Repo, thanks to Matthew Dolan for the Kotlin implementation]
- Argon2id (used for backup password inputs)
To make it easier to understand how the app works internally, I've created the following diagram.
Find the detailed explanation below.
So what's happening here?
- retrieval of symmetric AES key and encrypted file containing available PIN names
- decryption of the file contents
- presenting available PIN names on screen
- handing over PIN name to next screen and hashing it (XXHash)
- find corresponding file containing encrypted PIN pattern (including colors)
- retrieval of symmetric AES key and encrypted file containing PIN pattern
- presenting decrypted PIN pattern in table view
- decide whether you want to use the initial color pattern or generate a new one (using standard random numbers, no SecureRandom here as it's not cryptographically relevant)
- fill in your PIN somewhere and fill the remaining empty cells (using SecureRandom provided by your device)
- type in a custom name, it will be hashed and used as the file name
- retrieval of symmetric AES key
- encrypt and save PIN pattern to file, append chosen PIN name to PIN name file (for the home screen)
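The PIN obfuscation described earlier and the "fill the remaining empty cells" step above can be sketched as follows. This is an added example, not the app's own code: the 7x7 grid size, the function names and the sample PIN are assumptions, colors are left out, and Python's `secrets` module stands in for the device's SecureRandom.

```python
import secrets

ROWS, COLS = 7, 7  # assumed grid size; the page does not state the real one


def build_pattern(pin_cells, rows=ROWS, cols=COLS):
    """Return a rows x cols digit grid holding the PIN among random filler.

    pin_cells maps (row, col) -> digit for the cells the user filled in.
    """
    grid = [[None] * cols for _ in range(rows)]
    for (r, c), digit in pin_cells.items():
        if not (0 <= r < rows and 0 <= c < cols):
            raise ValueError(f"cell {(r, c)} is outside the grid")
        if not (isinstance(digit, int) and 0 <= digit <= 9):
            raise ValueError(f"{digit!r} is not a single digit")
        grid[r][c] = digit
    for r in range(rows):
        for c in range(cols):
            if grid[r][c] is None:
                # CSPRNG draw, uniform over 0-9 (no modulo bias)
                grid[r][c] = secrets.randbelow(10)
    return grid


def serialize(grid):
    """What this sketch would encrypt and store: digits only, no PIN positions."""
    return "".join(str(d) for row in grid for d in row)


def read_pin(grid, cells):
    """Only the user knows which cells, in which order, spell the PIN."""
    return "".join(str(grid[r][c]) for r, c in cells)


# Constructed example: PIN 4 8 1 5 on a diagonal the user chose.
CELLS = [(1, 1), (2, 2), (3, 3), (4, 4)]
PATTERN = build_pattern(dict(zip(CELLS, [4, 8, 1, 5])))

if __name__ == "__main__":
    for row in PATTERN:
        print(" ".join(str(d) for d in row))
    print("PIN read back by the user:", read_pin(PATTERN, CELLS))
```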
That's the whole magic behind PINcredible. If you have questions, or if you are a security expert and have recommendations for improving the overall security, please tell me via the issues or via e-mail: cyb3rko @ pm.me
Of course I'm happy about any kind of contribution.
For creating issues there's no real guideline you should follow. If you create pull requests, please try to use the syntax I use. Using a unified code format makes it much easier for me and for everyone else.
If you think this project is worth supporting, feel free to give a small donation ❤️.
Find the links here or in the section 'Sponsor this project' of this repo:
- ko-fi.com/cyb3rko
- buymeacoffee.com/cyb3rko
- paypal.me/cyb3rko
- Color-blindness-test icons created by Freepik - Flaticon
- Grid icons created by prettycons - Flaticon
- Random icons created by Uniconlabs - Flaticon
Copyright 2023-2025, Cyb3rKo
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.






