Mobile apps
SyncBins has a native mobile client (iOS and Android), built with .NET MAUI and sharing the same end-to-end crypto as the web app. It pairs as a device, holds the master key in memory (never written to disk), and protects it at rest with a PIN and optional biometrics.
Pairing the phone
Section titled “Pairing the phone”Adding the phone uses the QR pairing flow — no passphrase typing. You need a device that’s already signed in (e.g. the web app) to authorize it.
- On the signed-in device: Settings → Devices → Pair a device. A QR code and a 6-word code appear.
- In the mobile app, tap Scan QR to pair and point the camera at the code.
- Both screens show the same 6-digit verification code. Check they match, then tap Approve & pair on the signed-in device.
- Name the phone when prompted. The master key is delivered sealed to the phone’s key; the app unlocks and starts syncing.
If a camera isn’t available, tap use passphrase instead and sign in with your passphrase (you can also type the 6-word code on a device that supports it).
Unlocking the app
Section titled “Unlocking the app”The first time you sign in you set a PIN (6+ digits) and may enable Face ID / Touch ID / fingerprint.
- The PIN wraps the master key (Argon2id) and is stored in the OS keychain / Keystore — not in plain storage.
- The app locks when it goes to the background; returning requires the PIN (or a biometric scan).
- After 5 wrong PINs the device is wiped and must be re-paired.
- Biometrics are a convenience on top of the PIN, which is always the fallback.
See Quick-unlock PIN for the shared model.
What syncs
Section titled “What syncs”- New items fan out in real time over WebSocket.
- History downloads as the sync cursor catches up.
- Every item is verified on receipt — an item the server forged or relabelled is rejected (see How encryption works).
- Android: text/link/image share-sheet intents route into your inbox.
Security at rest
Section titled “Security at rest”- The master key lives only in memory while unlocked; backgrounding wipes it.
- At rest it exists only as the PIN-wrapped blob and (if enabled) a biometric-gated copy.
- Transport is HTTPS-only (cleartext is blocked except localhost for development).
Full detail: Mobile/SECURITY.md in the Mobile repository.