Skip to content

Mobile apps

SyncBins has a native mobile client (iOS and Android), built with .NET MAUI and sharing the same end-to-end crypto as the web app. It pairs as a device, holds the master key in memory (never written to disk), and protects it at rest with a PIN and optional biometrics.

Adding the phone uses the QR pairing flow — no passphrase typing. You need a device that’s already signed in (e.g. the web app) to authorize it.

  1. On the signed-in device: Settings → Devices → Pair a device. A QR code and a 6-word code appear.
  2. In the mobile app, tap Scan QR to pair and point the camera at the code.
  3. Both screens show the same 6-digit verification code. Check they match, then tap Approve & pair on the signed-in device.
  4. Name the phone when prompted. The master key is delivered sealed to the phone’s key; the app unlocks and starts syncing.

If a camera isn’t available, tap use passphrase instead and sign in with your passphrase (you can also type the 6-word code on a device that supports it).

The first time you sign in you set a PIN (6+ digits) and may enable Face ID / Touch ID / fingerprint.

  • The PIN wraps the master key (Argon2id) and is stored in the OS keychain / Keystore — not in plain storage.
  • The app locks when it goes to the background; returning requires the PIN (or a biometric scan).
  • After 5 wrong PINs the device is wiped and must be re-paired.
  • Biometrics are a convenience on top of the PIN, which is always the fallback.

See Quick-unlock PIN for the shared model.

  • New items fan out in real time over WebSocket.
  • History downloads as the sync cursor catches up.
  • Every item is verified on receipt — an item the server forged or relabelled is rejected (see How encryption works).
  • Android: text/link/image share-sheet intents route into your inbox.
  • The master key lives only in memory while unlocked; backgrounding wipes it.
  • At rest it exists only as the PIN-wrapped blob and (if enabled) a biometric-gated copy.
  • Transport is HTTPS-only (cleartext is blocked except localhost for development).

Full detail: Mobile/SECURITY.md in the Mobile repository.